Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

port security question

I'm running an 1841 with a switch hanging off one of the ports. I'm trying to restrict users from unplugging the ethernet from a PC and using it on a personal laptop. Since the switch is unmanaged, how do I accomplish this? Can I just issue the port security commands on my router or will that not work?

Thanks for the help.

13 REPLIES
New Member

Re: port security question

The switch is on f0/0/0 and I know that there should be X number of machines at that location, so if I issue;

switchport port-security maximum X

will that work?

Re: port security question

Hello Richard,

Port-security is having some default age interval..It means if user attach a laptop it may possible that pc mac will be age out

and user can access via. laptop.

You need something like mac access group to restrict it to user PC only similar to one below on switch. I am not sure

is it supported on your router or not

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Regards

Mahesh

New Member

Re: port security question

The aging time period can be adjusted thought right?

Re: port security question

Yes,

It is indeed adjustable..but whtever time you set , once it expires the mac from interface will be age out.

anyway you can decide what is best suit to your network according to requirement

Regards

Mahesh

New Member

Re: port security question

well as long as it's effective at blocking rogue laptops then I could just set the aging time to 5 days or something. That seems pretty sloppy to me though,

Does the command I suggested above make more sense? I know that there should be 50 PC's physically connected to the switch being compromised so on the router port that runs to that switch I could issue " switchport port-security maximum 50 "?

The switch is unmanaged.

Silver

Re: port security question

Have you consider to use MAB?

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab_ps6441_TSD_Products_Configuration_Guide_Chapter.html

The problems for MAB are:

1. you need a RADIUS server. The cheapest way to get a RADIUS server is free radius server, IAS (if you have a Microsoft server), or a Cisco AP.

2. Administration overhead

3. potential security loophole. The user name and password for the MAC address is the MAC address. Once a hacker knows that MAB is used, he/she can find a valid MAC address on the network. Then, he/she can obtain a valid user ID and password on the RADIUS server. Need something like NAS restriction to tighten up security.

Not sure if it worths your time.

New Member

Re: port security question

The cmd you mention: switchport port-security maximum 50 - will allow 50 MACs on a single switch port (so if you got a hub into one port and plugged 50 things into it they would all work, the 51st would be denied) this makes do discrimination between a rogue or non-rogue laptop, simply 50 MACs. If you have a single switch with 50 potential users coming and going and connecting to any switch port at any one time then this probably isn't what you are looking for.

If the ports they plug into are always the same then you can use the: switchport port-security mac-address sticky cmd. It will remember each MAC and disable the port if any other MAC is learned.

If they plug into different ports each time they come along then that won't work for you. You can manually enter each MAC for the known non-rogue laptops and then make them sticky so they are remembered but you'll need to do this on each switch port and so make your config a mess.

Dot1x would most likely be the better way to go as anyone that doesn't authenticate in the right way can get put into a restricted VLAN and so not be able to do anything, but requires more setup and admin overhead and may not be available to you.

New Member

Re: port security question

They do not change ports on the switch. The machines are setup at desks or sales counters and never move. From the machine each host plugs into a switch in a closet that is locked. So based on that I can either use the command that I suggested before, or use the sticky mac version of the command?

Thanks for all the replies so far, very helpful.

New Member

Re: port security question

use the:

switchport port-security mac-address sticky

It will learn the MAC that is currently on the port and put it on the end of the line so you can see it what you do a show run, ie:

sh run

int fa0/1

blah blah

switchport port-security mac-address sticky aabb.ccdd.eeff

Do that on all ports and then that will be static and anyone plugging anything else in will get binned.

You might want to also consider using the recovery commands to return the port to service once that rogue laptop user gets bored not being able to work and walks away - it will reactivate the port after a set period of time so the real MAC can operate again.

Only thing to remember is when you swap hardware you need to remove the sticky command and put it back in again.

New Member

Re: port security question

recovery commands such as:

errdisable recovery cause psecure-violation
errdisable recovery interval 60

New Member

Re: port security question

Rob,

     The problem there is that my switch is unmanaged and plugs into a FE port on my router. That's why I was exploring options for the router port that handles that switch.

New Member

Re: port security question

Ah bugger, I missed that in the earlier text, it leaves my updates a little redundant then. The command you suggested will allow 50 MACs no matter what they are to be learned on the port, so I see why you wanted the age timer to be extended so plug/unplug would result in a drop of the new MAC. I don't know of another way other than what has already been suggested to achieve what you wanted. Sorry for the unhelpful help there.

I suppose using this as weight for getting a managed switch on to the network as there is a 'security' issue is not really of any worth either.

New Member

Re: port security question

I'm having an issue using the port-security command, it's not present. When I get into the f0/0/0 interface, issue switchport mode access, they try to enable port security the command is unrecognized. Is there something else I need beforehand? This is on an 1841 router, on a 4 port hwic.

Thanks.

I'm already in the process of upgrading them to a managed switch :)

432
Views
11
Helpful
13
Replies