09-12-2013 04:04 AM
Hi everybody,
We recently purchased a new SF300; the main goal was to use the port security option as a NAC.
I was expecting to be able to define a list of authorized MAC addresses, but unfortunately that's not the case.
I used port security in "Classic Lock" mode.
Knowing that I can't have all computers connected at the same time (because people move around), when someone who should be authorized is here I'm forced to disable the security so that the switch can learn his MAC address.
The problem is that when I do this, MAC addresses that were already learnt are forgotten if they are disconnected from the LAN, and when someone changes his position in the LAN, he's blocked from accessing the network.
I recall that my goal is to give access to the network based on the MAC address or the domain name (authorize computers that are part of OurDomain.com).
N.B.: In our architecture each room has a small switch, and those switches are connected to the "central one", which is the Cisco SF300.
Thank you.
09-13-2013 07:18 AM
Dynamic ARP inspection does this. Bind a MAC to an IP on the trust list, make the client-connecting ports "unsecured" (meaning subject to ARP inspection), then make the interconnect ports "secure" (meaning not subject to ARP inspection).
I will tell you one thing: before messing with DAI, make sure you make an entry for at least the host you're using, otherwise you will hose up that switch.
-Tom
Please mark answered for helpful posts
09-12-2013 08:42 AM
Hi Endless,
Here are 2 documents about port security:
https://supportforums.cisco.com/docs/DOC-27753
https://supportforums.cisco.com/docs/DOC-27720
Additionally, you may use Dynamic ARP Inspection if you want to make a global list of IP-to-MAC bindings, where anything not contained within the list gets shut down.
-Tom
Please mark answered for helpful posts
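The set-up Tom describes in both of his replies (a MAC-to-IP list bound to the VLAN, client-facing ports inspected, the interconnect port trusted, and the admin host entered before inspection is switched on), written out as an added SF300 configuration example that is not from the thread. Command syntax is taken from memory of the Sx300 CLI guide and should be checked against your firmware's guide; the MAC/IP values are constructed, the port layout (fa1-fa24 to the room switches, gi1 as uplink, clients in VLAN 1) is assumed, and the `!` lines are annotations rather than commands to paste. Because the list binds MAC to IP, the listed hosts need fixed addresses (or DHCP reservations) for this to hold up.

```text
configure
! 1. Static bindings first. Tom's caveat: the PC you are managing the
!    switch from must be in the list before inspection is enabled,
!    otherwise its ARP is dropped and you lock yourself out.
ip arp inspection list create authorized-hosts
! admin PC (constructed values) - enter this one first
 ip mac 00:11:22:33:44:55 192.168.1.10
! meeting-room laptop (constructed values)
 ip mac 00:11:22:33:44:66 192.168.1.20
! second laptop (constructed values)
 ip mac 00:11:22:33:44:77 192.168.1.21
exit
! 2. Attach the list to the VLAN. The bindings are per VLAN, not per port,
!    so a laptop moved to another room switch keeps working as long as its
!    MAC/IP pair is listed; an unlisted host gets its ARP dropped on any
!    inspected port.
ip arp inspection list assign 1 authorized-hosts
! 3. Ports towards the room switches: untrusted, i.e. every ARP packet
!    arriving here is checked against the list.
interface range fa1-24
 no ip arp inspection trust
exit
! 4. Interconnect/uplink port: trusted, ARP is not inspected here.
interface gi1
 ip arp inspection trust
exit
! 5. Only now enable inspection, for the VLAN carrying the clients.
ip arp inspection
ip arp inspection vlan 1
end
! Verify the bindings and the per-VLAN / per-port state before walking away.
show ip arp inspection list
show ip arp inspection
```

DAI only filters ARP, so an unlisted host is cut off because it cannot resolve (or be resolved by) its IP peers rather than because its frames are blocked outright; a port-security lock remains the control for non-IP traffic.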
09-13-2013 01:49 AM
Hi Tom,
Thank you for the answer, I'm going to try it and mark it answered if this works for me.
Isn't there any way to give the switch a list of MAC addresses to be authorized on all ports, and block anything else? We have laptops that change location (e.g. the meeting room).
09-16-2013 08:41 AM
Thank you very much, Tom, for your great support. I will try Dynamic ARP Inspection after some training.