topic Re: secure port in Network Security

secure port

juancarlosmartinez — Wed, 12 Jan 2022 17:19:24 GMT

Hi Guys,

I have a layer 2 Cisco switch 3850. I need to secure a device allowing only 2 devices to connect to the server.Can I do this config,

Switch(config)#interface fa x/x
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config)if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address h.h.h
Switch(config-if)#switchport port-security sticky h.h.h
Switch(config-if)#switchport port-security sticky h.h.h

Thanks

Re: secure port

Rob Ingram — Wed, 12 Jan 2022 17:24:20 GMT

Hi @juancarlosmartinez yes, just change the maximum value according to how many MAC addresses you want to limit.

Port security will limit the number of devices connecting to the switchport, this won't limit the number of connections to a server.

Re: secure port

juancarlosmartinez — Wed, 12 Jan 2022 17:31:34 GMT

Thanks Rob,

2 more questions,

if I want to remove the above configuration or modify and add another MAC, I just do NO switchport port-security

Re: secure port

Rob Ingram — Wed, 12 Jan 2022 17:51:11 GMT

@juancarlosmartinez you can just use "no switchport port-security mac-address <mac address>" and then add the new MAC. Use "show port-security address" to confirm the address is removed.

More information.

https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011111.html

Re: secure port

balaji.bandi — Wed, 12 Jan 2022 18:10:37 GMT

Switch(config)if)#switchport port-security maximum 3

yes the configuration allow 3 MAC address as per port config, Hope you are looking port connection limit not server connections like web server then that need to look different (not with this config).

if I want to remove the above configuration or modify and add another MAC, I just do NO switchport port-security

i will default interface fa x/x and configure again. - so the configuration get in to defaults.

Re: secure port

juancarlosmartinez — Wed, 12 Jan 2022 18:33:56 GMT

This is what I have now however why it said vlan access.

interface GigabitEthernet0/45
description server01
switchport access vlan X
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky H.H.H vlan access (why is this extra)
switchport port-security mac-address sticky H.H.H vlan access
switchport port-security mac-address H.H.H vlan access

Re: secure port

juancarlosmartinez — Wed, 12 Jan 2022 18:34:08 GMT

Thanks BB

Re: secure port

Rob Ingram — Wed, 12 Jan 2022 18:39:48 GMT

@juancarlosmartinez it's added by default, that MAC address is in the data vlan. The other option would be "voice" instead of "access"

switchport port-security mac-address sticky [mac-address |vlan {vlan-id | {access | voice}}]

Re: secure port

juancarlosmartinez — Wed, 12 Jan 2022 18:49:50 GMT

got it...thanks Rob

Re: secure port

juancarlosmartinez — Wed, 12 Jan 2022 19:08:23 GMT

Rob,

question,

If a configure the port this way, I just protecting the server interface Correct?

Switch(config)#interface fa x/x
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config)if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address h.h.h (server i/F)

Switch(config-if)# end

Re: secure port

Rob Ingram — Wed, 12 Jan 2022 19:25:18 GMT

@juancarlosmartinez you are only allow that MAC address connected to the switchport, so if that MAC address is the server, then yes, only that server MAC address can be plugged into that interface on the switch.

Re: secure port

juancarlosmartinez — Wed, 12 Jan 2022 21:25:00 GMT

Thanks so much Rob....