11-28-2012 05:41 AM - edited 03-10-2019 07:50 PM
Hello, I was wondering if there is a way to allow a specific desktop (MAC) just on a specific port. Port security did not work if you change the desktop and do not connect anything to the port with port security. A static MAC address did not work either.
Suggestions?
11-29-2012 06:17 AM
Good morning
Thanks for using our forum
Hi gnazer, my name is Johnnatan and I am part of the Small Business Support community. It would be very useful if you told us your switch model; that way we could give you better help. For now, what I can say is that you probably misconfigured port-security. Let me share some information about it:
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=4&app=search&vw=1&articleid=85
And yes, there's another way to authenticate users, using a RADIUS server and the 802.1X port authentication protocol.
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=4&app=search&vw=1&articleid=988
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Please rate post you consider useful.
Greetings,
Johnnatan Rodriguez Miranda.
Cisco network support engineer.
Cisco has a very useful tool called GuideMe, made for small business products, and your device is in this category. You can use this address to access the tool: http://sbkb.cisco.com/CiscoSB/Loginr.aspx?alt1=&pid=4&eroute=Super. It is very easy to use; just complete the 3 fields this way:
Select a category: (Select the device type on request), e.g. Routers
Enter model: (Type the model on request), e.g. RV042
Question: (Type what you want to know about the device), e.g. VPN
It will then show all the information you need about what you wrote.
11-29-2012 06:48 AM
Thanks Jonathan. Sorry, I forgot to mention the switch model; they are Catalyst 3750.
11-29-2012 07:21 AM
Hi gnazer
Did you enable the port security feature with "switchport port-security"? By the way, your interface configuration has to look more or less like this:
interface Gix/x
 switchport mode access --> Configures the port as an access switchport
 switchport access vlan (#) --> Number of the port VLAN
 switchport port-security --> Enables port security (the port must already be in access mode)
 switchport port-security mac-address sticky --> Maps the MAC address dynamically
 switchport port-security maximum {#} --> Limits the number of hosts per port
 switchport port-security violation {protect | restrict | shutdown | shutdown vlan} --> Action taken on the port in case of an attempted violation
Greetings,
Johnnatan Rodriguez Miranda.
Cisco network support engineer.
11-30-2012 11:43 AM
Thanks again Jonathan. I had considered the options that you suggested, but I would have to configure all switch ports this way, right? With all the implications regarding the administrative work.
I want the workstation with MAC A to work successfully only in port 1 (no other port).
If I configure JUST port 1 in this way, only the workstation with MAC A could be connected in port 1.
If I connect workstation MAC B in port 1, a violation will occur.
If I connect workstation A in port 2, the connection will be successful (this is what I want to prevent).
11-30-2012 12:39 PM
Hi gnazer
What I recommend is to statically assign each port the MAC address of its respective computer, and turn off all unused ports. Let's say you have a switch with four ports and three computers, and you want each computer to access one specific port.
Port 1 → Computer A
Port 2 → Computer B
Port 3 → Computer C
Port 4 → Not in use
An example configuration could be this one.
! Port 1: only Computer A (AAAA.AAAA.AAAA) is accepted
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address AAAA.AAAA.AAAA
! Port 2: only Computer B
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address BBBB.BBBB.BBBB
! Port 3: only Computer C
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address CCCC.CCCC.CCCC
! Port 4: not in use, administratively disabled
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 shutdown
Greetings,
Johnnatan Rodriguez Miranda.
Cisco network support engineer.
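As an added example (not part of the original posts), the per-port configuration recommended above can be generated from an inventory instead of being typed by hand for every port. The inventory, the function names and the defaults (VLAN 10, `restrict`) are assumptions that mirror the sample configuration in the post.

```python
import re

# Constructed sample inventory: port -> workstation MAC (None = unused port).
INVENTORY = {
    "FastEthernet0/1": "AA:AA:AA:AA:AA:AA",
    "FastEthernet0/2": "bbbb.bbbb.bbbb",
    "FastEthernet0/3": "CC-CC-CC-CC-CC-CC",
    "FastEthernet0/4": None,
}
VIOLATION_MODES = {"protect", "restrict", "shutdown"}

def cisco_mac(mac):
    """Normalize common MAC notations to Cisco dotted form (aaaa.bbbb.cccc)."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_config(inventory, vlan=10, violation="restrict"):
    """Return IOS interface blocks: one static secure MAC per used port,
    'shutdown' on unused ports. Rejects a MAC assigned to two ports."""
    if violation not in VIOLATION_MODES:
        raise ValueError(f"unknown violation mode: {violation!r}")
    seen = {}   # normalized MAC -> port it was first assigned to
    lines = []
    for port, mac in inventory.items():
        lines += [f"interface {port}",
                  f" switchport access vlan {vlan}",
                  " switchport mode access"]  # must precede port-security
        if mac is None:
            lines.append(" shutdown")
        else:
            norm = cisco_mac(mac)
            if norm in seen:
                raise ValueError(
                    f"{norm} assigned to both {seen[norm]} and {port}")
            seen[norm] = port
            lines += [" switchport port-security",
                      f" switchport port-security violation {violation}",
                      f" switchport port-security mac-address {norm}"]
        lines.append("!")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_config(INVENTORY))
```

Review the generated text before pasting it into the switch, and confirm the result per port with `show port-security interface`.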
12-04-2012 03:40 PM
Cisco ACS or preferably Cisco ISE would be a better way to centrally manage this and also generate reporting in compliance and non-compliance.
11-29-2012 07:31 AM
Hello Gnazer,
Thank you for posting. Unfortunately, the Cisco Support community is dedicated to Small Business products.
In order to get an accurate and quick answer regarding our Enterprise devices, you can post under the Enterprise support forum or contact our support line at 1-800-553-6387.
Diego Rodriguez
Cisco network engineer
Thank you.