My goal is to limit each port to 1 MAC address and restrict any unauthorized hub or switch.
I have port-security enabled and set the maximum MAC count to 1. I enabled spanning-tree portfast bpduguard default, and all access ports are spanning-tree portfast enabled.
This works well in most cases, but what if someone were to connect the WAN interface of a Linksys router to the switch interface? Because the Linksys does NAT, I can have several devices connected to it and the switch should only see 1 address.
What other IOS security feature can I implement to prevent this? If none, what are my alternatives? Thanks.
I would say you are basically looking now at the Network Access Control (NAC) area. You might have to look at 802.1x for port authentication. Basically, before you turn on the port you'll have to authenticate the host or the user through RADIUS or AD. This depends on your environment. Besides 802.1x, you might just look at the many solutions out there for NAC. Cisco has one, and so does Microsoft and plenty of other manufacturers.
I don't think there is any other way of detecting NATing on a switchport.
Another thing you could do is monitor all of the MAC addresses learned on your switches and try to detect Linksys vendor MAC addresses, or if you only use one computer vendor like Dell, look for anything that doesn't match Dell. This could be done using SNMP, or there are a few apps online that could get the MAC address table.
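The vendor-OUI check suggested above, as an added example that is not part of the original thread: it parses a constructed copy of "show mac address-table dynamic" output and flags access ports whose learned MAC has an OUI outside an allowlist, or that have learned more than one MAC. The OUI values, port names and allowlist are assumptions for illustration; substitute the OUIs of the hardware you actually deploy.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table dynamic" output (not from the
# original thread). OUIs are illustrative; put your own hardware's OUIs in ALLOWED_OUIS.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0014.2201.aabb    DYNAMIC     Fa0/1
  10    0014.2201.ccdd    DYNAMIC     Fa0/2
  10    0014.bf12.3456    DYNAMIC     Fa0/3
  10    0014.2201.eeff    DYNAMIC     Fa0/4
  10    0014.2201.1122    DYNAMIC     Fa0/4
  10    0001.0203.0405    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6
"""
ALLOWED_OUIS = {"00:14:22"}   # assumed: OUI of the PCs you deploy on access ports
UPLINK_PORTS = {"Gi0/1"}      # assumed: trunks/uplinks, where many MACs are normal
# Matches one table row: vlan, three hex quads of the MAC, type, port name.
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def parse_mac_table(text):
    """Return (vlan, 'aa:bb:cc:dd:ee:ff', port) tuples from IOS MAC-table output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, a, b, c, port = m.groups()
            hexstr = (a + b + c).lower()
            mac = ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))
            rows.append((int(vlan), mac, port))
    return rows

def find_anomalies(rows, allowed_ouis=ALLOWED_OUIS, uplinks=UPLINK_PORTS):
    """Flag (port, mac, reason) for non-allowlisted vendors and multi-MAC access ports."""
    per_port = defaultdict(list)
    for _vlan, mac, port in rows:
        per_port[port].append(mac)
    findings = []
    for port, macs in sorted(per_port.items()):
        if port in uplinks:
            continue
        if len(macs) > 1:
            findings.append((port, ",".join(macs), "multiple MACs on access port"))
        for mac in macs:
            if mac[:8] not in allowed_ouis:
                findings.append((port, mac, "OUI not in allowlist"))
    return findings

for port, mac, reason in find_anomalies(parse_mac_table(SAMPLE_TABLE)):
    print(f"{port}: {mac} -> {reason}")
```

In practice, feed the function the output collected over SNMP or SSH from each switch on a schedule, and treat a hit as a prompt to inspect the port, since a NAT router with a vendor OUI on your allowlist will still pass this check.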
You will be connecting your Linksys router's Ethernet interface to the switch. Am I right in assuming this? If so, then your Linksys router interface will have only one MAC address, so you are on the safe side, and for NAT it works at L3 so you need not worry about the MAC address.