Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Port Security

Is there a way to setup port security so that our laptop users can plug into the lan in multiple places around a building while preventing outside users from coming in and doing the same. Purhaps a table of pre approved mac addresses that the switch checks?

3 REPLIES

Re: Port Security

I'll suggest to use dot1x in your environment as port security is not suitable where user can log anywhere from LAN.

Dot1x will give you more control over user and machines.

Regards,

~JG

Cisco Employee

Re: Port Security

Hi Charles,

As Jagdeep stated port security is going to be a tough task and not a very feasible solution when you have multiple users in your network.

I can think of 2 possible solutions out of which Jagdeep already mentioned dot1x which is identity based networking or VMPS where you have pre approved mac address listed in a text file with vlan number they should be assigned dynamically and is any machine gets into the network whose mac address is not from the pre configured list can be assigned to a non routable vlan or an isolated vlan which does not have any connectivity into your network just like a guest and then you can have control on that vlan.

But I agree 802.1x will give you more security and control in your network.

You can have a look at these links for 802.1x as well as VMPS

For 8021.1x

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_37_se/configuration/guide/sw8021x.html

For VMPS

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_37_se/configuration/guide/swvlan.html#wp1212223

HTH

Ankur

*Pls rate all helpfull post

New Member

Re: Port Security

802.1x is a good way of doing this. I use this in public areas, but am a little more sadistic and give limited access in some areas. Conference rooms, fall under a Guest VLAN and ACLs that limit access to two dns servers, dhcp, and port 80 and 443 to the i-net.

Other more secure areas, I lock them down into a black-hole vlan, that does nothing but frustrate.

172
Views
5
Helpful
3
Replies