Re: switchport security

s-durando · ‎02-09-2006

We are trying to achieve this scenario without success:

- We have one switch 29xx

- We have 6 laptops

- We have 10 drops connected each one on a port of the switch 29xx

We would like to setup port security to:

0. Enable port security to prevent access to the network from an intruder 1. allows "roaming" of the 6 laptops on the 10 drops without engaging port security violations

2. simply reject with syslog notification (no shutdown) all traffic IF is coming from a NOT known MAC address (intruder) or in other words if is not of one of the 6 laptops that we have.

Thanks in advance for your answer.

pkhatri · ‎02-09-2006

Could you advise what model switch it is ? Maybe a show version output ...

Paresh

Patrick Laidlaw · ‎02-09-2006

Please post more information about your switches not all 29xx switches support port-security.

Patrick

s-durando · ‎02-10-2006

As you can see from the output of 'sh ver', the device is a Cat2950G-48-EI:

Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)

Compiled Mon 19-Apr-04 20:58 by yenanh

Image text-base: 0x80010000, data-base: 0x805A8000

ROM: Bootstrap program is C2950 boot loader

CSS-NGAS48B-014 uptime is 2 weeks, 23 hours, 4 minutes

System returned to ROM by power-on

System restarted at 09:53:58 METDST Thu Jan 26 2006

System image file is "flash:/c2950-i6q4l2-mz.121-20.EA1a.bin"

cisco WS-C2950G-48-EI (RC32300) processor (revision P0) with 20713K bytes of memory.

Processor board ID FOC0835Z503

Last reset from system-reset

Running Enhanced Image

48 FastEthernet/IEEE 802.3 interface(s)

2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:12:00:DB:83:40

Motherboard assembly number: 73-7409-12

Power supply part number: 34-0965-01

Motherboard serial number: FOC08350C6P

Power supply serial number: DAB0834E41N

Model revision number: P0

Motherboard revision number: A0

Model number: WS-C2950G-48-EI

System serial number: FOC0835Z503

Configuration register is 0xF

Thanks

pkhatri · ‎02-10-2006

Hi,

Could you try a config like the following on each of your ports;

interface fastethernet0/1

switchport mode access ! you cannot use dynamic desirable so this is important

switchport port-security

switchport port-security maximum 6

switchport port-security violation restrict

switchport port-security mac-address AA.AA.AA.AA.AA.AA

switchport port-security mac-address BB.BB.BB.BB.BB.BB

switchport port-security mac-address CC.CC.CC.CC.CC.CC

switchport port-security mac-address DD.DD.DD.DD.DD.DD

switchport port-security mac-address EE.EE.EE.EE.EE.EE

switchport port-security mac-address FF.FF.FF.FF.FF.FF

Replace the 6 MACs above with your actual MACs.

Hope that helps - pls rate the post if it does.

Paresh

s-durando · ‎02-14-2006

Hi,

unfortunately it doesn't work.

I configured the switch in this way:

!

interface fastethernet0/1

switchport mode access

switchport port-security

switchport port-security maximum 2

switchport port-security violation restrict

switchport port-security mac-address aaaa.aaaa.aaaa

switchport port-security mac-address bbbb.bbbb.bbbb

!

interface fastethernet0/2

switchport mode access

switchport port-security

switchport port-security maximum 2

switchport port-security violation restrict

switchport port-security mac-address aaaa.aaaa.aaaa

switchport port-security mac-address bbbb.bbbb.bbbb

!

I have 2 PCs, PC A with MAC aaaa.aaaa.aaaa, PC B with MAC bbbb.bbbb.bbbb.

I connect PC A to Fa0/1. It works fine and pings its default gateway.

I connect PC B to Fa0/2. It doesn't ping its default gateway and the switch doesn't

learn the MAC address. If I disconnect PC A, there is no change. The only way to have PC B working is to connect it to Fast0/1

It seems that MAC aaaa.aaaa.aaaa and bbbb.bbbb.bbbb are strictly assigned to port fa0/1

Regards

Stefano