01-12-2022 09:19 AM
Hi Guys,
I have a layer 2 Cisco 3850 switch. I need to secure a device, allowing only 2 devices to connect to the server. Can I do this config?
Switch(config)#interface fa x/x
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address h.h.h
Switch(config-if)#switchport port-security mac-address sticky h.h.h
Switch(config-if)#switchport port-security mac-address sticky h.h.h
Thanks
Labels: Other Network Security Topics
Accepted Solutions
01-12-2022 11:25 AM
@juancarlosmartinez you are only allowing that MAC address to connect to the switchport, so if that MAC address is the server, then yes, only that server MAC address can be plugged into that interface on the switch.
01-12-2022 09:24 AM
Hi @juancarlosmartinez, yes, just change the maximum value according to how many MAC addresses you want to limit.
Port security will limit the number of devices connecting to the switchport, this won't limit the number of connections to a server.
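The reply above hinges on one relationship: the port-security maximum versus the number of MAC addresses actually pinned on the port. Every slot between the two is a seat for whatever device plugs in first. The script below is an added example (not from this thread or from Cisco) that parses interface blocks from a saved running-config and reports that gap, along with the other settings discussed here (static switchport mode, violation action, sticky learning). The SAMPLE_CONFIG, its interface names and its MAC addresses are constructed for the demonstration; the Gi0/45 block mirrors the thread's config but pins only two addresses under maximum 3, which is the original poster's stated goal.

```python
"""Audit Cisco IOS port-security settings from a saved running-config.

Added example, not code from the thread. The sample config below is
constructed; run against `show running-config` output saved to a file.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAC_RE = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

# Constructed sample: Gi0/45 follows the thread's config with two pinned
# MACs under maximum 3; Gi0/46 pins one server MAC with maximum 1;
# Gi0/47 has no port security at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/45
 description server01
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455 vlan access
 switchport port-security mac-address 0011.2233.4466 vlan access
!
interface GigabitEthernet0/46
 description server02
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4488 vlan access
!
interface GigabitEthernet0/47
 switchport mode access
!
"""


@dataclass
class PortSecurity:
    interface: str
    enabled: bool = False
    mode: Optional[str] = None        # "access", "trunk", or None (dynamic/DTP)
    maximum: int = 1                  # IOS default once port-security is enabled
    violation: str = "shutdown"       # IOS default violation action
    sticky: bool = False              # "mac-address sticky" learning switched on
    secure_macs: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def split_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented config lines]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None            # "!" or a top-level command ends the block
    return blocks


def parse_port_security(name: str, lines: List[str]) -> PortSecurity:
    ps = PortSecurity(interface=name)
    for line in lines:
        if line == "switchport port-security":
            ps.enabled = True
        elif (m := re.match(r"switchport mode (access|trunk)$", line)):
            ps.mode = m.group(1)
        elif (m := re.match(r"switchport port-security maximum (\d+)", line)):
            ps.maximum = int(m.group(1))
        elif (m := re.match(r"switchport port-security violation (protect|restrict|shutdown)", line)):
            ps.violation = m.group(1)
        elif line == "switchport port-security mac-address sticky":
            ps.sticky = True
        elif (m := re.match(rf"switchport port-security mac-address (?:sticky )?({MAC_RE})", line)):
            ps.secure_macs.append(m.group(1).lower())
    return ps


def audit(ps: PortSecurity) -> PortSecurity:
    """Attach findings; the interesting one is the pinned-vs-maximum gap."""
    if not ps.enabled:
        if ps.secure_macs or ps.sticky:
            ps.findings.append("secure MACs configured but 'switchport port-security' is missing; nothing is enforced")
        return ps
    if ps.mode is None:
        ps.findings.append("no static switchport mode; port security is not supported on dynamic (DTP) ports")
    pinned = len(ps.secure_macs)
    if pinned > ps.maximum:
        ps.findings.append(f"{pinned} secure MACs exceed maximum {ps.maximum}; IOS rejects this")
    elif pinned < ps.maximum:
        how = "as sticky" if ps.sticky else "dynamically"
        ps.findings.append(f"{ps.maximum - pinned} unpinned slot(s): the first unknown MAC seen is learned {how}")
    if ps.violation == "protect":
        ps.findings.append("violation protect drops offending frames silently, with no syslog or SNMP trap")
    return ps


def audit_config(config: str) -> Dict[str, PortSecurity]:
    return {name: audit(parse_port_security(name, lines))
            for name, lines in split_interfaces(config).items()}


if __name__ == "__main__":
    for name, ps in audit_config(SAMPLE_CONFIG).items():
        state = "on" if ps.enabled else "off"
        print(f"{name}: port-security {state}, max={ps.maximum}, "
              f"violation={ps.violation}, pinned={len(ps.secure_macs)}")
        for finding in ps.findings:
            print(f"  - {finding}")
```

Run it against a real `show running-config` saved to a file and treat every "unpinned slot" finding as a decision: either lower the maximum to the number of addresses you pinned, or accept that the spare slot will be filled by whatever shows up first (and, with sticky enabled, written into the config).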
01-12-2022 09:31 AM
Thanks Rob,
2 more questions:
if I want to remove the above configuration, or modify it and add another MAC, do I just do no switchport port-security?
01-12-2022 09:51 AM
@juancarlosmartinez you can just use "no switchport port-security mac-address <mac address>" and then add the new MAC. Use "show port-security address" to confirm the address is removed.
01-12-2022 10:33 AM
This is what I have now; however, why does it say vlan access?
interface GigabitEthernet0/45
description server01
switchport access vlan X
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky H.H.H vlan access (why is this extra)
switchport port-security mac-address sticky H.H.H vlan access
switchport port-security mac-address H.H.H vlan access
01-12-2022 10:39 AM
@juancarlosmartinez it's added by default; that MAC address is in the data VLAN. The other option would be "voice" instead of "access":
switchport port-security mac-address sticky [mac-address |vlan {vlan-id | {access | voice}}]
01-12-2022 10:49 AM
got it...thanks Rob
01-12-2022 11:08 AM
Rob,
question,
If I configure the port this way, I am just protecting the server interface, correct?
Switch(config)#interface fa x/x
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address h.h.h (server I/F)
Switch(config-if)# end
01-12-2022 01:25 PM
Thanks so much Rob....
01-12-2022 10:10 AM
Switch(config-if)#switchport port-security maximum 3
Yes, the configuration allows 3 MAC addresses as per the port config. I hope you are looking for a port connection limit, not server connections (like a web server); that would need a different approach (not this config).
if I want to remove the above configuration or modify it and add another MAC, do I just do no switchport port-security?
I would default interface fa x/x and configure it again, so the configuration goes back to the defaults.
01-12-2022 10:34 AM
Thanks BB
