Wanted to discuss the option of port security on Layer 2 switches that will enable me to prevent outside devices from connecting to an internal network. Based upon some documentation, switchport port-security options are available on the existing 12.2 SG IOS; however, I'm looking for some other users who have implemented this process.
The port-security feature helps to limit the number of MAC addresses that can be associated with a switch port; it can't differentiate between an outside and an inside MAC address.
I don't think static mapping of MAC addresses to a port is a feasible option, so the next best bet is to use the sticky MAC address feature and limit the number of MAC addresses on each port to a maximum of 2 if you use IP phones. The sticky option will help to learn the MACs of the existing connected devices, and the maximum option will help to err-disable the port if more than the specified number of MACs are seen on the port.
As p.mcgowan said in his post above, it will soon become an administrative nightmare if you use it without proper planning.
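The sticky-plus-maximum setup described in the answer above, written out as an added configuration example (not from any post in this thread). Interface names, VLAN numbers and the recovery interval are assumed for illustration; the commands themselves are standard Catalyst IOS port-security syntax.

```cisco
! Added example, not from the original thread. Interface names, VLANs and the
! 300-second recovery interval are assumptions for illustration.

! Optional: let a port that was err-disabled by a violation recover on its own
! after 5 minutes instead of waiting for an admin to do shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Workstation, laptop or printer port: exactly one device expected.
! The first MAC seen is learned as sticky and written into running-config.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

! Port with an IP phone and a PC behind it: two MACs are legitimate, as the
! answer notes. "restrict" drops offending frames and counts them instead of
! err-disabling the port, which is less disruptive for phones.
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict

! Verification after the devices have been plugged in:
!   show port-security
!   show port-security interface GigabitEthernet1/1
!   show port-security address
! Sticky addresses appear in running-config; save them with "write memory"
! or they are lost on reload.
```

Two caveats a practitioner will want: enable sticky learning only while the known, trusted devices are the ones connected, because the port learns whatever MAC shows up first; and a port that feeds a second switch will see every MAC behind it, so either raise the maximum on that port to match or leave port security off there.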
My overall concern is that many of these options are for a single MAC address. Currently we're not using IP phones, therefore all MAC addresses would be strictly devices, i.e. workstations, laptops and printers. In addition, I have several trunk ports created with small Cisco switches that allow software developers to use multiple devices while only occupying a single data connection. I will continue reading the information provided, but this is a brief description of what we're attempting to secure within our network.
Finally, for 80% of our overall network the sticky solution appears to be the best option; however, I'm concerned about the other 20%.