
security

mcmillan_jared
Level 1

I know that there are some security gurus out there. Here's what I need: I'm running 4-5 different cells, all connected through a fiber backbone, and have several people who like to jump around from room to room and change their workstation ports to whatever they like that day. I need to stop it. I've looked into using port security but am not getting the desirable results. Wondering if anyone can think of something that might work other than cutting off fingers. By the way, I am not able to lock it all up in racks just yet (near future).

9 Replies

Hello,

How did you implement port security? In general, it would be a good tool to prevent your users from accessing unauthorized ports.

You could also try to blackhole traffic on your switches by creating static MAC address entries (which take precedence over dynamic entries). Let's say on Switch X you would not want MAC address XYZ to be able to connect to anything; you would add the following to your switch configuration:

mac-address-table static 0020.2345.3457 vlan 2 interface GigabitEthernet0/2

The interface (GigabitEthernet0/2 in this example) would be an unused interface, effectively dropping all traffic for that MAC address...

HTH,

GP

I set up port security on one of the switches, but I can't seem to get the MACs from dynamic to static or get the switch to give me the security violation results. I've configured the switch step-by-step from everything I've been able to find on the site, but I think I've over-thought it and am missing something really simple.

While port security is an excellent suggestion, is it possible to disable/shutdown the switch ports you don't use?

I can shut down the ports not in use, but my big problem is the other people switching ports on me, and I've been instructed to make that impossible for them.

Hello,

Check if you have had your port security configured as in the example below. The default violation mode is 'shutdown' ("in this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter"):

Switch(config)# interface fastethernet0/7
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0080.3456.6745

With this configuration, only the machine with the specified MAC address would be able to access the port.

Regards,

GP

Here is the config file. What type of traffic will set off the violation? I can switch int 0/1 and 2 around and ping between the computers, but it doesn't set off the violation. Also, if I do a show mac-add table it shows all the MACs as dynamic. Am I missing something?

I think you need the following in your config:

interface GigabitEthernet0/2
switchport mode access
switchport port-security
*switchport port-security max 1
*switchport port-security violation shutdown
switchport port-security mac-address 0011.431f.4130

"max 1" is the number of MAC addresses allowed on the interface, and the next line is the violation action.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00803fb0d1.html#wp1038546

HTH
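The two replies above (GP's example with a configured MAC address, and the one adding "max 1" and "violation shutdown") together describe what a locked-down access port looks like. As an added example that is not from this thread and not a Cisco tool, the Python script below audits the text of a `show running-config` against exactly those settings, so a port that was left learning dynamically, allowing several addresses, or merely restricting instead of shutting down is reported before someone finds it by moving desks. The running-config sample is constructed for the example; it assumes, as the thread states, that IOS defaults are "maximum 1" and "violation shutdown" and that default values are omitted from the running-config, so a missing line is treated as the default rather than as a finding. Trunk ports and ports that are administratively shut down are skipped.

```python
import re
from typing import Dict, List

# Constructed sample of "show running-config" output (not from the thread):
# Gi0/1 carries every setting the replies call for; Gi0/2 has port security
# on but allows three addresses and only restricts; Gi0/3 has no port
# security; Gi0/4 is a trunk; Gi0/5 is shut down because it is unused.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.431f.4130
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address 0020.2345.3457
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode trunk
!
interface GigabitEthernet0/5
 switchport mode access
 shutdown
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented command lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = INTERFACE_RE.match(raw)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas


def audit_access_port(commands: List[str]) -> List[str]:
    """Return the findings for one active access port; an empty list means it is locked down."""
    if "switchport port-security" not in commands:
        return ["port security is not enabled"]
    # Assumption (stated in the thread): IOS defaults are maximum 1 and
    # violation shutdown, and defaults do not appear in the running-config.
    maximum = 1
    violation = "shutdown"
    mac_configured = False
    for cmd in commands:
        m = re.match(r"switchport port-security maximum (\d+)$", cmd)
        if m:
            maximum = int(m.group(1))
        m = re.match(r"switchport port-security violation (\S+)$", cmd)
        if m:
            violation = m.group(1)
        if cmd.startswith("switchport port-security mac-address "):
            mac_configured = True
    findings: List[str] = []
    if maximum != 1:
        findings.append(f"maximum {maximum} allows more than one MAC address")
    if violation != "shutdown":
        findings.append(f"violation mode is '{violation}', not 'shutdown'")
    if not mac_configured:
        findings.append("no MAC address configured; the port will keep the first address it learns")
    return findings


def audit_running_config(config: str) -> Dict[str, List[str]]:
    """Audit every active access port; trunks and shut-down ports are left out of the report."""
    report: Dict[str, List[str]] = {}
    for name, commands in parse_interfaces(config).items():
        if "switchport mode access" not in commands or "shutdown" in commands:
            continue
        report[name] = audit_access_port(commands)
    return report


if __name__ == "__main__":
    for name, findings in audit_running_config(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Feed it the saved output of `show running-config` from each switch in the fiber ring and diff the reports over time: a port that changes from OK to "no MAC address configured" or "violation mode is 'restrict'" is the kind of quiet drift that lets users keep roaming.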

I have issued those commands, and those are the default values, so either way they would have been in there.

OK everyone, thanks a ton for all your help. I finally, after 3 days, got it to work right. Not sure exactly what it was I was doing wrong, but to the best of my knowledge I think it was the fact that I had the workstations plugged in when I was configuring the ports. All I did was unplug everything, then write the config file and plug everything back in; now when I switch a port to try to get a security violation, it works. Thanks again.
