11-13-2015 04:53 PM - edited 03-11-2019 11:53 PM
Hello, we have setup 2 ASA 5585X Firewalls in a failover configuration.
These 2 Firewalls are connected to a single switch that provides us Mgt and Production access from the enclave.
How can we set up port security on their intermediate switch interfaces so that when the Firewalls fail over, a port security violation won't trigger and block all traffic?
Should we:
A. Configure port security with a maximum number of MAC addresses of 2 or more?
B. Do not configure port security at all?
C. Some other method that we haven't thought of?
The reason why I'm asking is that it failed over and blocked traffic causing the 2 Firewalls to argue over who was primary and all traffic stopped flowing.
ej
11-13-2015 05:12 PM
Personally I wouldn't bother configuring it because I can't see what it gives you.
Port security is a useful feature to stop end users from connecting another switch etc. to a port ie. where you don't necessarily have control over what is actually connected in.
Or to tie specific mac addresses to certain ports.
But I am assuming the switches your firewalls connect to are in a controlled environment and if so I can't see why you would need to use it.
Unless I am misunderstanding the question?
Jon
11-22-2015 12:45 PM
Sorry for the late reply.
I was wondering why port security was on the switch and chalked it up to habit when creating switches for our environment.
It was in the template that got applied and not removed.
Since that switch is in a controlled location with limited access I couldn't see a reason to have it on there.
Should anyone unauthorized to be in that space be there, the least of our worries would be port security.
ej
11-14-2015 04:47 AM
You could set the max number of MAC to 2. But I agree with Jon that it should not be necessary to put port security on ports going to the ASAs.
--
Please remember to select a correct answer and rate helpful posts
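For anyone landing on this thread with the same template problem, here is what the two options above look like as Catalyst IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface names, VLAN and descriptions are assumptions. The failure mode the original poster hit comes from the default port-security settings: maximum 1 address and violation mode shutdown. With the ASA's default MAC behaviour the active unit uses the primary's MAC addresses, so after a failover each switch port sees a MAC it had not learned before, the port goes err-disabled, and the units lose sight of each other through that switch.

```cisco
! Added example, not from the thread. Interface names, VLAN 10 and
! descriptions are assumptions; adjust to the real cabling.
!
! --- What a typical template applies (the setting that took the ports down) ---
interface GigabitEthernet1/0/1
 description ASA-primary inside
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- Option A: keep port security, but tolerate the failover MAC swap ---
! maximum 2 covers the active and standby MACs the port will see over time;
! violation restrict drops and logs offending frames instead of err-disabling.
interface GigabitEthernet1/0/1
 description ASA-primary inside
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 description ASA-secondary inside
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! If the shutdown mode stays anywhere on the switch, let the port recover
! on its own instead of waiting for someone to bounce it by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Option B: the thread's recommendation, no port security on ASA-facing ports ---
interface GigabitEthernet1/0/1
 no switchport port-security
!
interface GigabitEthernet1/0/2
 no switchport port-security
!
! Verification after a planned failover test: confirm the learned addresses,
! the violation counter, and that nothing is sitting in err-disabled.
! show port-security interface GigabitEthernet1/0/1
! show port-security address
! show interfaces status err-disabled
```

Whichever option is chosen, test it with a deliberate failover during a maintenance window and watch `show port-security interface` on both ports; the SecureViolation counter and the port status tell you immediately whether the switch tolerated the MAC move.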