01-03-2008 12:31 AM - edited 03-09-2019 07:45 PM
Hi,
I'm trying to tie each interface down to 1 MAC address. The problem is our desktop team keep going out to site, plugging in their laptops, and the interface shuts down. Is there any way to manually type in their laptops' MACs and tell the switch to allow any of these addresses?
Any help is appreciated
01-03-2008 02:14 AM
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum NUMBER-OF-ALLOWED-MAC-ADDRESSES
Switch(config-if)# switchport port-security mac-address MAC-ADDRESS-OF-LAPTOP
(repeat the command above with a different address for each laptop)
Switch(config-if)# no shutdown
You could also set the switch to automatically re-enable after a security violation such as port-security mac-address maximum. You can set it to recover after a number of seconds, 10 minutes or even a day. You may wish to do that in case another user puts a device, where the MAC address has not yet been recorded, onto the port.
01-03-2008 05:45 AM
The only problem with that is that every interface throughout the network (of which there are 100s) will have about 10 MAC addresses and the configs will be huge. What I want is to be able to do a sticky MAC command for each interface allowing 1 address, but to have a rule that lets all desktop PCs connect to any port. A sort of "bar all MACs apart from the 1 sticky learnt and any of the desktop team's".
01-03-2008 06:41 AM
Hello,
I think your friend is the dot1x feature of IOS. You can centrally administer your MAC addresses in a RADIUS server, and only the valid users can use the internet. If the dot1x auth fails they can reach a restricted VLAN; same for the users who can't use dot1x, they will be placed into a guest network.
bye
FCS
Please rate me if I helped.
01-05-2008 12:49 AM
hi,
Configure port security aging with an inactivity time of, say, 2 minutes. The support guys will have to wait 2 minutes before connecting the laptops.
thanks
John
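The automatic recovery and inactivity aging suggested in the replies above, written out as an added IOS configuration example that is not part of the original thread. The interface name and both timer values are placeholders, and support for inactivity aging varies by platform and IOS release.

```ios
! Added example: interface name and timers are placeholders.
!
! Global: re-enable ports automatically after a port-security violation
! has put them into err-disabled state (interval is in seconds).
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Age out the dynamically learned address after 2 minutes without
 ! traffic from it, so a different device can then be learned.
 ! Sticky addresses are not aged out, so this does not combine with sticky.
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! Verify from privileged EXEC:
!   show port-security interface GigabitEthernet0/1
!   show errdisable recovery
```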
01-08-2008 09:16 AM
Hi,
switchport mode access
switchport port-security
switchport port-security maximum 1
This, on its own, will only allow one MAC address per port, any MAC address that is. So when the desktop is unplugged and the laptop plugged in, no problem, but it will still stop CAM flooding, DHCP starvation attacks, and the introduction of switches and hubs.
You don't need to do sticky unless you only want specific MACs appearing on specific ports.
Thanks