Switchport security

Dear members I have a question for you.

I have a system with a couple of switches, but none of them is DHCP enabled; all of my hardware behind the switches has static IP addresses assigned. Please keep in mind that some of my servers have a hypervisor enabled with VMs running in them, which constantly change; in other words, VMs are being added or deleted.

I do not want to do a DAI config on the switch (3560); I think this is too much work, especially in a huge environment.

I would appreciate it if anyone has any good responses for switchport security configuration in a non-DHCP environment that has the capability to change.

Thank you and have a great evening.

1 REPLY

Re: Switchport security

Antonios,

It was not clear exactly what you were looking to achieve through switchport security, but if you were just asking for general recommendations, then port-security may be helpful. It will assist in two scenarios:

1) Limit the maximum number of MAC addresses learned on a single interface (not so useful in a VM environment, unless you have a finite max value).

2) Prevent the same MAC address from being learned on another port (or rather flapping between multiple interfaces).

If you mean to prevent all communication except from specific IPs, you could use IPSG for static hosts. Normally IPSG relies on DHCP, but the static version allows tracking based on ARP traffic, although you will need version 12.2(52)SE or later.

Feature explanation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/swdhcp82.html#wp1281474

Config Example:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/swdhcp82.html#wp1281575

If I misunderstood your question, please feel free to elaborate.

Chris
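The following is an added configuration example illustrating the two points made in the reply above (port-security limiting the MAC count per port, and IPSG for static hosts tracked via ARP); it is not from the original post or from Cisco's documentation. The interface name (GigabitEthernet0/1), VLAN 10, the MAC-address limit of 4, the aging values and the sample host MAC/IP binding are all assumed values chosen for illustration.

```cisco
! --- Weak starting point (assumed): an access port with no per-port
! --- limits, so any number of MACs may appear and nothing ties an
! --- IP to a port.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10

! --- Hardened version (assumed values) ---
! IP device tracking learns hosts from their ARP traffic; it is the
! basis for IPSG on static (non-DHCP) hosts, 12.2(52)SE or later.
ip device tracking

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Scenario 1: cap the number of MACs learned on this port. Set the
 ! maximum to the number of VMs a hypervisor host is expected to
 ! present; inactivity aging lets deleted VMs age out instead of
 ! permanently consuming a slot.
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! Scenario 2: with port-security enabled, a MAC already secured on
 ! one port is treated as a violation if it appears on another port
 ! (restrict mode drops the offending frames and raises a log/SNMP
 ! event rather than err-disabling the port).
 !
 ! IPSG for static hosts: permit only traffic whose source IP (and,
 ! with the port-security keyword, source MAC) matches a binding
 ! learned via ARP by IP device tracking. Keep the tracking limit in
 ! step with the port-security maximum.
 ip device tracking maximum 4
 ip verify source tracking port-security

! Optional: a manual binding for a host that must never change
! (sample values, constructed for this example).
ip source binding 0000.0c12.3456 vlan 10 192.0.2.10 interface GigabitEthernet0/1

! --- Verification ---
! show port-security interface GigabitEthernet0/1
! show port-security address
! show ip device tracking all
! show ip verify source interface GigabitEthernet0/1
```

Design note: "violation restrict" is chosen over the default "shutdown" because on a hypervisor uplink a single stray VM MAC would otherwise err-disable the whole host; the restrict counter and log message still give you the detection signal. Before enabling "ip verify source", confirm with "show ip device tracking all" that every expected static host has been learned, since any host without a binding will be silently dropped.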
