Port Security between two switches using Trunk

ysanadiga01
Level 1

Hi there,

Is it possible to use the Port Security mechanism between two switch (3750 or 3560) ports when a trunk has been configured? If it's not possible, is there any other way to ensure that no other switch can be connected other than the one switch which has been configured/placed by a network engineer?

Thanks.

Accepted Solution

Hello ysanadiga01 and Reza,

Reza: Although Port Security can be configured on trunk ports, I believe that the original poster is asking about a different issue: how to prevent an unauthorized switch from being connected to a network. Port Security is not the correct tool to be used here. While Port Security is concerned with MAC addresses, the switch does not alter the MAC addresses of frames passing through it. Regardless of the switch connected to the protected port, there is nothing in the frames that could help identify whether the connected switch is authorized or not.

You could theoretically do 802.1X authentication, with one switch authenticating to the other. Cisco calls this feature NEAT. I have a feeling that MACsec could also help here, although I am not quite sure about it, as I have not yet had the opportunity to play with that.

Regarding the switch authenticating itself to another via NEAT 802.1X, this is the link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1473337

Best regards,

Peter

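To make the NEAT approach concrete, here is an added configuration example (not from Peter's post, and not copied from the linked guide) for a 3560/3750 pair: the switch already in the network acts as the 802.1X authenticator, the switch the engineer places in the closet acts as the supplicant. The interface names, the RADIUS server address and shared secret, and the supplicant's credential name, username and password are placeholders chosen for this example.

```cisco
! ---- Authenticator switch (the one already in the network) ----
! Global AAA and 802.1X. RADIUS address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET
dot1x system-auth-control
! CISP (Client Information Signalling Protocol) is what NEAT rides on: it lets
! the authenticator learn that the peer is a switch, not an end host.
cisp enable
!
! Port facing the switch that must prove its identity. It starts as an access
! port. When the RADIUS server authorizes the supplicant's credentials it must
! return the Cisco AV pair "device-traffic-class=switch"; the authenticator
! then converts this port to a trunk for the life of the session and reverts
! it when the session ends.
interface GigabitEthernet0/1
 description Uplink to supplicant switch (NEAT)
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast trunk
!
! ---- Supplicant switch (the one the engineer places in the closet) ----
cisp enable
! Credentials the switch presents over EAP. Username/password are placeholders.
dot1x credentials NEAT-SUPPLICANT
 username suppswitch
 password 0 myswitch
! Send EAPOL to the standard multicast address so the authenticator sees it.
dot1x supplicant force-multicast
!
interface GigabitEthernet0/1
 description Uplink to authenticator switch (NEAT)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-SUPPLICANT
!
! Verification on the authenticator:
!   show authentication sessions interface gigabitethernet0/1
!   show cisp summary
```

Until the supplicant authenticates, the authenticator port stays an unauthorized access port that passes only EAPOL, so a switch plugged in without the right credentials never gets a trunk. The check is of the credentials, not of the hardware: the username and password live in the supplicant's configuration (and in RADIUS), so anyone who can read that configuration can present them from another device. Treat the supplicant's config as sensitive, and keep the RADIUS account for this purpose distinct from user accounts.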

4 Replies

Reza Sharifi
Hall of Fame

Hi,

Yes, it could be enabled on trunk ports.

From the config guide:

Port Security Configuration Guidelines

Follow these guidelines when configuring port security:

Port security can only be configured on static access ports or trunk ports. A secure port cannot be a dynamic access port.

A secure port cannot be a destination port for Switched Port Analyzer (SPAN).

A secure port cannot belong to a Fast EtherChannel or a Gigabit EtherChannel port group.

Config guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swtrafc.html#wp1038546

HTH
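As an added example (not part of Reza's reply or of the quoted guide), this is what port security on the trunk between the two switches looks like when it is sized for the traffic that actually crosses it. The interface name and the VLAN list are assumptions for the example.

```cisco
! Trunk to the second switch. Port security on a trunk counts every source MAC
! that arrives on the port, across all allowed VLANs, so every client behind
! the far switch consumes one entry. The default is "maximum 1" with violation
! mode "shutdown": the second client MAC seen on the trunk errdisables the port.
interface GigabitEthernet0/1
 description Trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 switchport port-security
 ! Size the limit to the real client population behind the far switch,
 ! with headroom; 200 is an assumed value for this example.
 switchport port-security maximum 200
 ! Per-VLAN limits are also possible, e.g. cap VLAN 10 at 50 addresses.
 switchport port-security maximum 50 vlan 10
 ! "restrict" drops offending frames and raises a counter/trap instead of
 ! taking the whole uplink down.
 switchport port-security violation restrict
 ! Age out idle entries so clients that come and go each day do not pin
 ! addresses forever. Do NOT use "mac-address sticky" on a trunk whose
 ! clients change: sticky entries never age and fill the table.
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! If the violation mode is left at "shutdown", let the port recover by itself
! rather than waiting for someone to bounce it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks:
!   show port-security interface gigabitethernet0/1   (max, current count, violations)
!   show port-security address                        (learned entries per VLAN)
!   show interfaces status err-disabled
```

What this buys you is a bound on MAC-table consumption through the uplink (a defence against MAC flooding from behind the far switch), not an identity check: a replacement switch forwards its clients' frames with exactly the same source MACs, so the count looks the same whichever switch is on the far end.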

Hi Reza,

Thanks for your answer.

I did read that guide but I'm getting an error.

I have two switches, both of them 3560. VTP is running between the switches and 5 VLANs have been configured. There is a trunk configured between the switches on port 1 of both switches. Clients are connected on other ports.

How would you configure port security on this trunk port? Every day different clients with different MAC addresses are connected on the other ports.

I tried to configure port security with MAC address sticky, but after a few clients the trunk port is shut down.

Thanks.

Hi Peter,

Thanks for your answer. I think that I can solve my situation with NEAT.
