Cisco Support Community
Community Member

Port security issue on an SF300

Hi everybody,

We recently purchased a new SF300, the main goal was using the port security option as a NAC.

I was expecting to be able to define a list of authorized MAC addresses, but unfortunately it's not the case.

I used port security on "Classic Lock".

Knowing that I can't have all computers connected at the same time (because of displacement), when someone who is to be authorized is here I'm forced to disable the security so that the switch can learn his MAC address.

The problem is that when I do it, MAC addresses that are already learnt are forgotten if they are disconnected from the LAN, and when someone changes his position in the LAN, he's blocked from accessing the network.

I recall that my goal is to give access to the network based on the MAC address or the domain name (authorize computers that are part of OurDomain.com).

N.B.: In our architecture each room has a small switch, and those switches are connected to the "central one", which is the Cisco SF300.

Thank you.

4 REPLIES
Green

Port security issue on an SF300

Hi Endless,

Here are 2 documents about port security

https://supportforums.cisco.com/docs/DOC-27753

https://supportforums.cisco.com/docs/DOC-27720

Additionally, you may use Dynamic ARP Inspection if you want to make a global list of IP-to-MAC bindings, and anything not contained within the list gets shut down.

-Tom
Please mark answered for helpful posts

Community Member

Port security issue on an SF300

Hi Tom

Thank you for the answer, I'm going to try it and mark it answered if this works for me.

Isn't there any way to give the switch a list of MAC addresses to be authorized on all ports (because we have laptops that change places, e.g. the meeting room) and block anything else?

Green

Port security issue on an SF300

Dynamic ARP inspection does this. Bind a MAC to an IP on the trust list, make the client-connecting ports "unsecured" (meaning subject to the ARP inspection), then make the interconnect ports "secure" (meaning not subject to ARP inspection).

I will tell you one thing... before messing with DAI, make sure you make an entry for at least the host you're using, otherwise you will hose up that switch.

-Tom
Please mark answered for helpful posts

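A simplified model of the check described in the post above, as an added example that is not part of the original thread and is not the switch's own logic: ARP packets on untrusted ports must match a static IP-to-MAC binding, trusted ports are not inspected, and a pre-flight check lists hosts that would be cut off once inspection is enabled. Port names, addresses and all function and class names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    port: str         # ingress port the ARP packet arrived on
    sender_mac: str
    sender_ip: str

def norm(mac):
    """Reduce any MAC notation (aa:bb.., aa-bb.., aabb.ccdd.eeff) to 12 hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

class ArpInspector:
    def __init__(self, bindings, trusted_ports):
        # bindings: {ip: mac} static list; an entry is not tied to any port (assumption)
        self.bindings = {ip: norm(mac) for ip, mac in bindings.items()}
        self.trusted = set(trusted_ports)

    def check(self, pkt):
        if pkt.port in self.trusted:
            return "forward"      # interconnect port: not subject to inspection
        if self.bindings.get(pkt.sender_ip) == norm(pkt.sender_mac):
            return "forward"      # sender IP/MAC pair is on the list
        return "drop"             # unknown host or mismatched pair

def missing_bindings(inspector, hosts):
    """Pre-flight: (ip, mac) pairs that would be dropped on an untrusted port."""
    return [(ip, mac) for ip, mac in hosts
            if inspector.bindings.get(ip) != norm(mac)]

# Constructed sample data: documentation IP range and documentation MAC range.
LAPTOP = ("192.0.2.10", "00:00:5e:00:53:0a")
ADMIN = ("192.0.2.50", "00:00:5e:00:53:32")   # the host used to configure the switch

def demo():
    dai = ArpInspector({LAPTOP[0]: LAPTOP[1]}, trusted_ports={"gi1"})
    return {
        "laptop_fa3": dai.check(Arp("fa3", "0000.5e00.530a", LAPTOP[0])),
        "laptop_moved_fa7": dai.check(Arp("fa7", LAPTOP[1], LAPTOP[0])),
        "spoofed_ip": dai.check(Arp("fa4", "00:00:5e:00:53:99", LAPTOP[0])),
        "admin_fa1": dai.check(Arp("fa1", ADMIN[1], ADMIN[0])),
        "via_uplink": dai.check(Arp("gi1", ADMIN[1], ADMIN[0])),
        "would_lock_out": missing_bindings(dai, [LAPTOP, ADMIN]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model the laptop keeps working after moving ports because the binding carries no port, while the admin host with no entry is dropped on a client port, which is the lockout the post warns about.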
Community Member

Port security issue on an SF300

Thank you very much, Tom, for your great support. I will try Dynamic ARP Inspection after some training.
