Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Switch Security

Hi,

I'm trying to tie each interface down to 1 mac-address. The problem is our desktop team keep going out to site plugging in their laptops and the interface shutsdown. Is there anyway to manually type in their laptop mac's and tell the switch to allow any of these addresses.

Any help is appreciated

5 REPLIES
Community Member

Re: Switch Security

Swictch#(config-if)switchport mode access

Swictch#(config-if)switchport port-security

maximum (NUMBER-OF-ALLOWED-MAC-ADDRESSES)

Swictch#(config-if)switchport port-security mac-address MAC-ADDRESS-OF_LAPTOP

(copy command and add a different address)

Swictch#(config-if)no shutdown

You could also set the switched to automatically re-enable after a secuirty violation such as port-security mac-address maximum. You can set it to recover after a number of seconds, 10 minutes or even a day. You may wish to do that in case another uses puts a device where the MAC address has not yet been recorded, onto the port.

Community Member

Re: Switch Security

the only problem with that is that every interface throughout the network (which there are 100's) will have abot 10 mac addresses and the configs will be huge. what i want is to be able to do a sticky mac command for each interface allowing 1 address but to have a rule that lets all desktop pc's to connect to any port. A sort of bar all mac's apart from the 1 sticky learnt and any of the desktops team

Silver

Re: Switch Security

Hello,

I think your friend is the dot1x feature of IOS. You can centraly administer your MAC addresses in a Radius server, and only the valid users can use the internet. If the dot1x auth fail they can reach a restricted VLAN, same for the users who can't use dot1x they will be placed into a guest network.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/sw8021x.html

bye

FCS

Please rate me if I helped.

Re: Switch Security

hi,

configure port secuity aging with inactivity time of say 2 minutes. The support guys will have to wait 2 minutes before connecting the laptops.

thanks

John

Community Member

Re: Switch Security

Hi,

switchport mode access

switchport port-security

switchport port-security maximum 1

This on its own, will only allow one mac address per port, any mac address that is. So when the desktop is unplugged and the laptop pluged in to problem, but will still stop cam flooding, dhcp starvation attacks, and the introduction of switches and hubs.

You don't need todo sticky unless you only want specific mac appearing on specific ports.

Thanks

117
Views
0
Helpful
5
Replies
CreatePlease to create content