secure port

Hi Guys,

I have a layer 2 Cisco switch 3850. I need to secure a device, allowing only 2 devices to connect to the server. Can I do this config?

 

 

Switch(config)#interface fa x/x
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address h.h.h
Switch(config-if)#switchport port-security mac-address sticky h.h.h
Switch(config-if)#switchport port-security mac-address sticky h.h.h

 

Thanks

Accepted Solutions

@juancarlosmartinez you are only allowing that MAC address to connect to the switchport, so if that MAC address is the server, then yes, only that server MAC address can be plugged into that interface on the switch.


Hi @juancarlosmartinez yes, just change the maximum value according to how many MAC addresses you want to limit.

Port security will limit the number of devices connecting to the switchport; this won't limit the number of connections to a server.

Thanks Rob,

2 more questions,

If I want to remove the above configuration or modify and add another MAC, I just do NO switchport port-security?

 

@juancarlosmartinez you can just use "no switchport port-security mac-address <mac address>" and then add the new MAC. Use "show port-security address" to confirm the address is removed.

 

More information.

https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011111.html

 

This is what I have now; however, why does it say vlan access?

interface GigabitEthernet0/45
description server01
switchport access vlan X
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky H.H.H  vlan access   (why is this extra)
switchport port-security mac-address sticky H.H.H vlan access
switchport port-security mac-address H.H.H vlan access

@juancarlosmartinez it's added by default, that MAC address is in the data vlan. The other option would be "voice" instead of "access"

 

switchport port-security mac-address sticky [mac-address |vlan {vlan-id | {access | voice}}]

got it...thanks Rob

Rob,

question,

If I configure the port this way, I am just protecting the server interface, correct?

 

Switch(config)#interface fa x/x
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address h.h.h   (server i/F)

Switch(config-if)# end

@juancarlosmartinez you are only allowing that MAC address to connect to the switchport, so if that MAC address is the server, then yes, only that server MAC address can be plugged into that interface on the switch.

Thanks so much Rob....

balaji.bandi
Hall of Fame
Switch(config-if)#switchport port-security maximum 3

Yes, the configuration allows 3 MAC addresses as per the port config. I hope you are looking for a port connection limit, not server connections like a web server; that needs to be looked at differently (not with this config).

 

if I want to remove the above configuration or modify and add another MAC, I just do NO switchport port-security

 

I will default interface fa x/x and configure again, so the configuration goes back to defaults.

 

BB


Thanks BB
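
An added example (not posted by anyone in this thread): a small Python check that reads interface stanzas like the ones shown above and reports whether port security is actually enabled on each port, the configured maximum, the violation mode, and how many secure-MAC slots are left. The sample config, the MAC addresses and the `audit` function name are constructed for illustration; the fallback values used (feature off, maximum 1, violation shutdown) are the IOS defaults.

```python
import re

# Constructed sample running-config (placeholder MACs, not from the thread).
SAMPLE = """\
interface GigabitEthernet0/45
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.5e00.5301 vlan access
 switchport port-security mac-address sticky 0000.5e00.5302 vlan access
 switchport port-security mac-address 0000.5e00.5303 vlan access
interface GigabitEthernet0/46
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address 0000.5e00.5304
"""
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def audit(config):
    """Return {interface: summary} for every port with port-security lines."""
    report, name = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line.startswith("interface "):
            name = raw.split()[1]
            continue
        if name is None or not line.startswith("switchport port-security"):
            continue
        # IOS defaults: feature off, maximum 1, violation mode shutdown.
        p = report.setdefault(name, {"enabled": False, "maximum": 1,
                                     "violation": "shutdown", "macs": []})
        rest = line[len("switchport port-security"):].split()
        if not rest:
            p["enabled"] = True          # the bare command turns the feature on
        elif rest[0] == "maximum":
            p["maximum"] = int(rest[1])
        elif rest[0] == "violation":
            p["violation"] = rest[1]
        elif rest[0] == "mac-address":   # static or sticky entry; bare "sticky" adds none
            p["macs"] += [t for t in rest[1:] if re.fullmatch(MAC, t)]
    for p in report.values():
        p["free_slots"] = p["maximum"] - len(p["macs"])
    return report

if __name__ == "__main__":
    for ifname, p in audit(SAMPLE).items():
        print(ifname, p)
```

In the sample, Gi0/45 has all three slots filled, so no further MAC can be learned, while Gi0/46 carries port-security settings but lacks the bare `switchport port-security` line, so nothing is enforced there.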

 
