Cisco Support Community
switchport security

We are trying to achieve this scenario without success:

- We have one switch 29xx

- We have 6 laptops

- We have 10 drops connected each one on a port of the switch 29xx

We would like to setup port security to:

0. Enable port security to prevent access to the network from an intruder.

1. Allow "roaming" of the 6 laptops on the 10 drops without engaging port security violations.

2. Simply reject with syslog notification (no shutdown) all traffic if it is coming from a NOT known MAC address (intruder), or in other words if it is not from one of the 6 laptops that we have.

Thanks in advance for your answer.

5 REPLIES

Re: switchport security

Could you advise what model switch it is? Maybe a show version output...

Paresh

Re: switchport security

Please post more information about your switches; not all 29xx switches support port-security.

Patrick


Re: switchport security

As you can see from the output of 'sh ver', the device is a Cat2950G-48-EI:

Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2004 by cisco Systems, Inc.

Compiled Mon 19-Apr-04 20:58 by yenanh

Image text-base: 0x80010000, data-base: 0x805A8000

ROM: Bootstrap program is C2950 boot loader

CSS-NGAS48B-014 uptime is 2 weeks, 23 hours, 4 minutes

System returned to ROM by power-on

System restarted at 09:53:58 METDST Thu Jan 26 2006

System image file is "flash:/c2950-i6q4l2-mz.121-20.EA1a.bin"

cisco WS-C2950G-48-EI (RC32300) processor (revision P0) with 20713K bytes of memory.

Processor board ID FOC0835Z503

Last reset from system-reset

Running Enhanced Image

48 FastEthernet/IEEE 802.3 interface(s)

2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:12:00:DB:83:40

Motherboard assembly number: 73-7409-12

Power supply part number: 34-0965-01

Motherboard serial number: FOC08350C6P

Power supply serial number: DAB0834E41N

Model revision number: P0

Motherboard revision number: A0

Model number: WS-C2950G-48-EI

System serial number: FOC0835Z503

Configuration register is 0xF

Thanks


Re: switchport security

Hi,

Could you try a config like the following on each of your ports;

!
interface fastethernet0/1
 ! you cannot use dynamic desirable, so the static access mode is important
 switchport mode access
 switchport port-security
 switchport port-security maximum 6
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
 switchport port-security mac-address cccc.cccc.cccc
 switchport port-security mac-address dddd.dddd.dddd
 switchport port-security mac-address eeee.eeee.eeee
 switchport port-security mac-address ffff.ffff.ffff
!

Replace the 6 MACs above with your actual MACs.

Hope that helps - please rate the post if it does.

Paresh


Re: switchport security

Hi,

unfortunately it doesn't work.

I configured the switch in this way:

!
interface fastethernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface fastethernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!

I have 2 PCs, PC A with MAC aaaa.aaaa.aaaa, PC B with MAC bbbb.bbbb.bbbb.

I connect PC A to Fa0/1. It works fine and pings its default gateway.

I connect PC B to Fa0/2. It doesn't ping its default gateway and the switch doesn't learn the MAC address. If I disconnect PC A, there is no change. The only way to have PC B working is to connect it to Fa0/1.

It seems that the MACs aaaa.aaaa.aaaa and bbbb.bbbb.bbbb are strictly assigned to port Fa0/1.

Regards

Stefano
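The following is an added example and is not code from the thread or from Cisco. It does three things relevant to the posts above: it normalizes MAC addresses into the H.H.H form (xxxx.xxxx.xxxx) that the `switchport port-security mac-address` command takes, it renders the per-interface block Paresh suggests for any list of interfaces, and it lints a pasted configuration fragment for a static secure MAC that is configured under more than one interface, which is exactly what Stefano's config does on Fa0/1 and Fa0/2. That check is the caveat a practitioner would want before pushing such a config: Cisco's port-security documentation lists an address learned or configured on one secure interface being seen on another secure interface in the same VLAN among its violation conditions, which is consistent with (though the thread does not confirm it as) the behaviour Stefano reports. Interface names, MAC addresses and the sample configuration are constructed for illustration; the function names are this example's own.

```python
"""Added example for the port-security thread above; not code from the thread.
Interface names, MACs and SAMPLE_CONFIG are constructed for illustration."""
import re
from collections import defaultdict

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_INTERFACE = re.compile(r"^interface\s+(\S+)\s*$", re.IGNORECASE)
# Static form only: 'mac-address sticky' has no hex argument and is skipped.
_STATIC_MAC = re.compile(
    r"^\s*switchport port-security mac-address\s+([0-9A-Fa-f.:\-]+)\s*$")


def normalize_mac(mac: str) -> str:
    """Return mac as IOS H.H.H, e.g. '00:12:00:DB:83:40' -> '0012.00db.8340'.
    Colon, hyphen or dot separators in any grouping are accepted (so the
    'AA.AA.AA.AA.AA.AA' placeholder form becomes 'aaaa.aaaa.aaaa'); anything
    that is not 12 hex digits raises ValueError before it reaches a switch."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def render_port_security(interfaces, macs, violation="restrict", maximum=None):
    """Render the suggested block for each interface.
    `maximum` defaults to the number of static MACs; IOS refuses static
    addresses beyond the configured maximum, so a smaller value is rejected
    here instead of failing line by line on the switch."""
    if violation not in ("protect", "restrict", "shutdown"):
        raise ValueError("violation mode must be protect, restrict or shutdown")
    normalized = [normalize_mac(m) for m in macs]
    if len(set(normalized)) != len(normalized):
        raise ValueError("duplicate MAC in address list")
    maximum = len(normalized) if maximum is None else maximum
    if maximum < len(normalized):
        raise ValueError("maximum is smaller than the number of static MACs")
    out = []
    for intf in interfaces:
        out += ["!", f"interface {intf}",
                " switchport mode access",
                " switchport port-security",
                f" switchport port-security maximum {maximum}",
                f" switchport port-security violation {violation}"]
        out += [f" switchport port-security mac-address {m}" for m in normalized]
    out.append("!")
    return "\n".join(out) + "\n"


def find_static_macs_on_multiple_ports(config_text: str) -> dict:
    """Return {mac: [interface, ...]} for static secure MACs found under more
    than one 'interface' block. A '!' line ends the block, as in IOS configs;
    indentation is not required, so a flattened paste works too."""
    seen = defaultdict(list)
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("!"):
            current = None
            continue
        m = _INTERFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _STATIC_MAC.match(line)
        if m and current is not None:
            seen[normalize_mac(m.group(1))].append(current)
    return {mac: ports for mac, ports in seen.items() if len(ports) > 1}


# Constructed sample modelled on Stefano's post: the same two static MACs on
# Fa0/1 and Fa0/2, plus a third port whose static MAC appears only once.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface FastEthernet0/3
 switchport port-security mac-address sticky
 switchport port-security mac-address cccc.cccc.cccc
!
"""

if __name__ == "__main__":
    print(render_port_security(["FastEthernet0/1", "FastEthernet0/2"],
                               ["AA:AA:AA:AA:AA:AA", "bbbb.bbbb.bbbb"]))
    for mac, ports in find_static_macs_on_multiple_ports(SAMPLE_CONFIG).items():
        print(f"{mac} is a static secure address on {', '.join(ports)}")
```

Running the lint over the constructed sample reports aaaa.aaaa.aaaa and bbbb.bbbb.bbbb on both FastEthernet0/1 and FastEthernet0/2 and stays silent about FastEthernet0/3; running it over the output of `render_port_security` for more than one interface flags every address, which is the point: the generator reproduces the plan from the original question, and the check shows why it deserves a second look before it is pasted into a switch.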
