Cisco Support Community

New Member

prevent end users from attaching their own hubs/switches?

Is there a switchport command on a 3750 switch that will allow only 1 MAC address so that end users can't plug in their own hubs/switches?

I don't want to maintain a mac table, just allow any mac but only 1 mac.

5 REPLIES

Re: prevent end users from attaching their own hubs/switches?

Don't have a 3750, but I suspect that if you enable "port-security", the default will likely be to allow only one MAC address.

On a 2950 the syntax would be:

interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum

Although I wouldn't configure the value as "1" as the default is "1" on that platform (2950), and might cause an issue if set.

You might look for that syntax in your CLI, or something like it.

optional:

 switchport port-security violation restrict
 switchport port-security mac-address aaaa.bbbb.cccc

New Member

Re: prevent end users from attaching their own hubs/switches?

There are a couple of things that will help you with this issue.

The bpduguard commands, and port-security commands.

BPDUGUARD detects the bridging signals that most switches and hubs use, and will shut down (error-disable) the port when a bpdu is detected.

The command for this on a 3750 is:

interface FastEthernet1/0/1
 spanning-tree bpduguard enable

This command can be offset to auto-enable with the following commands at the config prompt:

errdisable recovery cause bpduguard
errdisable recovery interval 900

The above commands cause the error disabled port to automatically re-enable after a period of 900 seconds (15 minutes).

Port security will limit the number of mac addresses allowed on the port to the number you specify (default of 1). This can cause other issues with people that move around from port to port. Considerable thought needs to be exercised before implementing this capability, as you will be called upon to re-enable the ports by performing a shut/no shut to bring the ports back up.

New Member

Re: prevent end users from attaching their own hubs/switches?

You could use the sticky command in the port security command. That will register the first MAC address on that port. If you do, though, remember to set the maximum MAC it should register and what should happen in case of a violation. Having said that, combine the error recovery command provided earlier with the switchport security command and maximum MAC command. You can even hardcode the ports as access ports only ("switchport mode access").

New Member

Re: prevent end users from attaching their own hubs/switches?

You could use the sticky command in the port security command. That will register the first MAC address on that port. If you do, though, remember to set the maximum MAC it should register and what should happen in case of a violation. Having said that, combine the error recovery command provided earlier with the switchport security command and maximum MAC command. You can even hardcode the ports as access ports only ("switchport mode access").

interface FastEthernet1/0/1
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security maximum
 spanning-tree bpduguard enable
!
errdisable recovery cause bpduguard
errdisable recovery interval 900

If you are bold you can use this with the interface range command.

New Member

Re: prevent end users from attaching their own hubs/switches?

This is a typical config we use on our 3750's:

interface FastEthernet1/0/6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity

We don't use the sticky command because someone might want to swap out their PC. The default is one MAC address per port.
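The replies above give several interface configurations that each close off part of the problem (port-security with a maximum of one MAC, BPDU guard, errdisable recovery). What a network admin then wants is a way to find the access ports that were missed. The script below is an added example, not code from the thread or from Cisco: it parses "show running-config" text, skips trunk ports, and reports each access port that has no port-security, a port-security maximum above 1, or no BPDU guard, and checks whether the global errdisable recovery for bpduguard is present. The sample config is constructed for the example and combines the configs posted above with two weaker ports; the "access port unless explicitly trunk" rule and the parsing are assumptions.

```python
"""Audit a Cisco IOS running-config for access ports that could still accept
an end-user hub or switch.  Added example; not from the forum thread.

Assumptions (not from the page): input is 'show running-config' text, and a
port counts as an edge port unless it carries 'switchport mode trunk'.
"""
import re

# Constructed sample running-config: the two hardened ports from the thread
# plus two weaker ports and one trunk uplink.
SAMPLE_CONFIG = """\
!
interface FastEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
!
interface FastEthernet1/0/7
 switchport mode access
 switchport port-security
 switchport port-security maximum 8
!
interface FastEthernet1/0/8
 switchport mode access
 description user desk
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 description uplink to core
!
errdisable recovery cause bpduguard
errdisable recovery interval 900
"""


def parse_interfaces(config_text):
    """Return {interface_name: [sub-commands]} for every interface stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_interface(lines):
    """Return findings for one interface; an empty list means it is hardened."""
    findings = []
    if any(l.startswith("switchport mode trunk") for l in lines):
        return findings  # uplinks are out of scope for an edge-port check
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    else:
        maximum = 1  # IOS default when no 'maximum' line is present
        for l in lines:
            m = re.match(r"switchport port-security maximum (\d+)$", l)
            if m:
                maximum = int(m.group(1))
        if maximum > 1:
            findings.append(f"port-security maximum is {maximum} (allows a hub/switch)")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append("bpduguard not enabled")
    return findings


def audit_config(config_text):
    """Return {interface: [findings]} for every interface that has a finding."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


def has_bpduguard_recovery(config_text):
    """True if the global errdisable recovery for bpduguard is configured."""
    return any(line.strip() == "errdisable recovery cause bpduguard"
               for line in config_text.splitlines())


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("bpduguard errdisable recovery:", has_bpduguard_recovery(SAMPLE_CONFIG))
```

On the sample above the script reports FastEthernet1/0/6 (no BPDU guard), FastEthernet1/0/7 (maximum 8 and no BPDU guard) and FastEthernet1/0/8 (neither feature), and stays silent on the fully hardened FastEthernet1/0/1 and the trunk. Feed it the saved output of "show running-config" from each 3750 to get the same report for a real stack.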
