
Locking down ports to only one mac address

kingstoc
Level 1

Anyone know how to lock down a port so it only accepts traffic from one mac address.

Basically we are noticing that a lot of our switches (both 3548s and 2950s) are being found to have hubs and other switches placed in one or two of their ports. This is causing network problems.

Any ideas?

7 Replies

davecs
Level 1

hi,

commands are probably different on the different models:

2950 howto:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c2.html#xtocid6

you can configure the port to either shutdown (admin override needed) or only accept traffic from the 1 mac address.

2nd option is more user friendly because if they break it they can plug the original equipment back in - but it isn't hard to fake a mac address once you know that port security is turned on!

cheers

dave

milan.kulik
Level 10

Hi,

I'm afraid locking down a port so it only accepts traffic from one mac address is not the best way of detecting illegal hubs.

It will prevent more than one PC from connecting to a port, but it will also bring you much work when users move from one port to another in a large network - you will have to clear or modify the MAC allowed on the port each time a PC moves.

There are some other tools to detect suspicious (possible hub connected) ports on your switches:

CiscoWorks Campus Manager -> User Tracking -> Reports -> Ports with Multiple MAC, e.g.

Or SolarWinds Switch Port Mapper (cheaper one).

Or manually sh mac-address-table int .... on any suspicious port.

Regards,

Milan

Another option is to use spantree bpdu guard. It works similarly to port security but will only shut down a port if it detects BPDUs.

http://cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

Doesn't work with hubs nor cheap switches not running STP.

Regards,

Milan

Hi Milan

Thanks for your prompt reply. Surely when you apply port security to allow only one mac address per port, it doesn't adhere to the actual mac address itself but the quantity.

In other words, surely you can keep removing and adding new devices to the port as long as you are not using two or more devices on that port.

Regards

Charlie

well really it's not designed for that ... but what you CAN do is:

set the age for port security to the minimum (10 mins I think)

AND

change the "what to do" to restrict - which will let the "Secure" MAC address talk but not the insecure MAC address.

this will mean that the first person to transmit will become the only person allowed to use that port - up until the 10 min timer expires.

problems with this setup:

* your switch must support restrict mode and the age facility

* if you have two users and one unplugs their connection the other user must wait 10 mins before using the port...

cheers

dave

yantisj
Level 1

Here's how we do it on our campus. This allows only one mac address per port, but you can still remove one device and add another (i.e. unplug the desktop and plug in a laptop). This seems to work very well for locking out cheap hubs and the like.

!2950
sh port-security - shows violations on different ports
sh port-security add - shows mac addresses associated with different ports

2950 interface config:

!
int fa0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
!