Cisco Support Community

Port-Security Mac Address's

Hi,

I am trying to secure two ports so that only 6 MAC addresses can use them. These 6 MAC addresses need to be able to use either of the two ports, as the ports are in a hot desk area. If I try to statically configure these 6 MAC addresses, it only allows me to configure them on one port and says duplicate found when trying to configure the same on the second port.

I am trying to set this up on a 6509 running 12.2(18)SXE. I would rather not configure 3 on one and 3 on the other, as these 6 people use whichever desk is free. Is there any way to do this?

Thank you

Brian

4 REPLIES

Re: Port-Security Mac Address's

Hello Brian,

You cannot set up secure MAC addresses on the same switch. If your requirement is to "authenticate" the station plugged into the switchport, you can either set up those ports on another switch or use port-based authentication.

Port-based authentication, i.e. IEEE 802.1X for instance, is far more scalable than static port security.

There are many other quick and dirty solutions, such as port- or VLAN-based maps where you can reference a MAC address ACL.

Please refer to the Catalyst 6500 documentation

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/index.htm

HTH

--Leon

* Please rate posts.
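
As an added illustration (not part of the original posts), a minimal IOS configuration for the 802.1X approach suggested above, applied to both hot-desk ports. The RADIUS server address, shared secret and interface numbers are placeholders, and it assumes the RADIUS server (ACS in this thread) only authorizes the six permitted users.

```cisco
! Constructed example: server address, key and interface numbers are placeholders.
! Enable AAA and send 802.1X authentication requests to the RADIUS server.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key <shared-secret>
!
! Enable 802.1X globally on the switch.
dot1x system-auth-control
!
! Both hot-desk ports get the same policy, so any authorized user
! can plug in at either desk.
interface range GigabitEthernet5/1 - 2
 description Hot-desk ports
 switchport
 switchport mode access
 dot1x port-control auto
```

Because access is decided per user on the RADIUS server rather than per MAC address on the port, the duplicate static-entry restriction from port security does not apply.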


Re: Port-Security Mac Address's

Hi Leon, thanks for the info. I have tried configuring port security but am having problems. On the switch I have set up dot1x in AAA and globally enabled it, as well as enabled it on the interface, as per the documentation. I am using an XP client and an ACS 3.2 server. Is PEAP authentication what I need to use then? If so, it says I need to get a certificate, but when I enter http://ACS-IP/certsrv, there is no option to request one. Is this feature something that can be enabled or does it need to be purchased? Thanks for any help you can provide.

Re: Port-Security Mac Address's

Hey, you need to generate a certificate using a CA server (Windows 2k or 2k3 with CA Services would do), and ACS doesn't have a certificate server.

Please try to use a Windows Server to generate a Certificate and then use that Certificate for the existing AAA Server.

Hope that it works.

Regards,

Wilson Samuel


Re: Port-Security Mac Address's

Thanks for the info Wilson.

Cheers

Brian
