
Best port-security mac-address option

cooperben
Level 1

We have 3750G stacks that were recently configured with port-security mac-address sticky on all access ports.  A good question was raised about whether this is the best or not for our needs, seeing as half of our users use laptops/docking stations.  We need these users to have mobility around the office, e.g. undocking their laptop and bringing it to the conference room to use for a presentation.  I've read the manual about how to configure these things, but am not sure what the best strategy/practice is.

So, to allow this mobility but still use port-security, is using the sticky command a good idea?  Or would that be best served for static things like desktops and printers, etc?  Is there a global command that can be issued to allow secure MAC addresses to move between ports on the stack?  If sticky isn't the thing to use, what is?  Maybe just a simple config on each laptop port such as:

switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security aging time 60

Thanks in advance.
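As an added example (not part of the original post, and not taken from Cisco documentation) of how the two approaches discussed in this thread can coexist on one 3750G stack: ports where laptops dock and undock learn MAC addresses dynamically and age them out after a period of inactivity, while ports for stationary devices use sticky learning. The interface ranges, VLAN numbers and the errdisable recovery timer are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): two port-security profiles on a 3750G stack.
! Interface ranges and VLAN ids are assumptions chosen for illustration.
!
! Profile A - ports where laptops dock and undock: learn MACs dynamically,
! cap them at 2 (IP phone + PC), and forget them after 60 minutes of silence
! so a laptop carried to the conference room is not still "owned" by the old port.
! violation restrict drops frames from a third MAC and counts the event but
! leaves the port up, so the phone keeps working.
interface range GigabitEthernet1/0/1 - 12
 description Laptop/docking-station port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 60
 spanning-tree portfast
!
! Profile B - printers and desktops that never move: sticky-learn the single MAC
! so it survives a reload once the config is written, and shut the port if a
! different MAC shows up.
interface range GigabitEthernet1/0/13 - 24
 description Stationary device port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! Optional: let a port that was shut down by a violation recover on its own
! after 5 minutes instead of waiting for a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
end
! Sticky addresses only persist across a reboot if the config is saved.
write memory
```

The two profiles differ mainly in the violation mode and in whether learned addresses are aged: restrict with inactivity aging tolerates devices that move, while shutdown with sticky is the stricter choice for a port whose device should never change.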

4 Replies

Ganesh Hariharan
VIP Alumni


Hi,

The normal recommendation is to turn on port security and set the maximum MAC addresses to 1 (the default) or 2 (if there is an IP phone connected).  The default behavior is to disable the port when the MAC changes or if the number of concurrent MACs exceeds the maximum.

switchport port-security mac-address sticky – turns on the sticky MAC feature

After enabling it, you will notice that the currently connected MAC address(es) appear in the running config. They will stay in the config until the switch is rebooted, so it's important to write the config.

When you use sticky MAC addresses you'll want to make sure that the MAC addresses are cleared off of a switch when a device is moved. Just as an example, a situation like this can happen if sticky MAC is enabled: a laptop was moved from one client location to another, and one of the distribution switches thought the device was plugged into the old switch while the other distribution switch thought it was plugged into the new switch.  This created a situation where some network traffic was reaching the laptop and some was going into a black hole.  After clearing the sticky MAC addresses on the old switch the problem was resolved.

Hope this helps!!

Remember to rate the helpful post

Ganesh.H

Thank you.  It appears that dynamic MAC-security is what's best for all devices that need to be mobile.  We've gone ahead with these changes.  As for printers, desktops, and other stationary devices, we have enabled sticky on those ports.

Ganesh

I like your explanation that " one of the distribution switches was thinking the device was plugged into the old switch and the other distribution switch thought it was plugged to the new switch."

I was wondering if having a port-security aging time that was too long might result in a similar experience. We have deployed C4510R+E switches in our IDFs with an aging time of 1400 on each port. I have noticed that occasionally when a device, say a phone or a laptop, is moved to a new location it fails to grab an IP address. The phone may even fail to get PoE. I discovered that if I clear the mac-address table on the original port it clears up the issue. I would like to suggest to our network team a shorter aging time but before I do that based solely on my observations I'd like to know your thoughts on the matter.

Thanks

George
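As an added example (not part of either post above) of how to check, from the switch CLI, whether a moved device is still pinned to its old port by port security before reaching for a shorter aging timer. The interface names and the MAC address 0011.2233.4455 are made-up placeholders; the port-security aging time is configured in minutes (1 to 1440), so a value of 1400 keeps an idle address on its old port for almost a full day.

```cisco
! Added example (not from the thread): diagnosing a "moved device gets no IP"
! symptom caused by a stale secure MAC on the old port.
! Interface names and the MAC address are placeholders.
!
! 1. Is the old port still holding the MAC as a secure address, and how is it
!    aging? Look at "Aging Time", "Aging Type", "Last Source Address:Vlan"
!    and "Security Violation Count" in the output.
show port-security interface GigabitEthernet1/0/5
!
! 2. Where does the switch currently think 0011.2233.4455 lives?
!    If it appears under the old interface, port security is still binding it.
show port-security address | include 0011.2233.4455
show mac address-table address 0011.2233.4455
!
! 3. Is the new port refusing the device? With violation restrict the port
!    stays up, so a rising violation count is the only visible sign.
show port-security interface GigabitEthernet1/0/17 | include Violation
!
! 4. Release the stale dynamic entry on the old port without a reload.
!    (Use "clear port-security sticky interface ..." if that port used sticky.)
clear port-security dynamic interface GigabitEthernet1/0/5
!
! 5. Shorten the inactivity timer on ports that serve mobile devices so
!    step 4 is rarely needed; here 30 minutes of silence releases the address.
configure terminal
 interface range GigabitEthernet1/0/1 - 12
  switchport port-security aging type inactivity
  switchport port-security aging time 30
 end
write memory
```

Steps 1 to 3 are read-only and can be run during the incident to confirm the cause before anything is cleared; step 5 only helps when the aging type is inactivity, since absolute aging counts from when the address was learned rather than from when the device went quiet.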

Elton Babcock
Level 1

Another possibility is utilizing 802.1x on your switch ports.

Obviously this does require some back end servers for RADIUS or LDAP queries but it can be another way that you can ensure only devices you want on your network go on your network.

Elton

Sent from Cisco Technical Support iPhone App
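As an added example (not from Elton's post or from Cisco documentation) of the 802.1X alternative he mentions, here is a minimal authenticator configuration for a 3750 access port. The RADIUS server address, shared secret, interface name and VLAN ids are placeholders; the switch only makes the port decision, and the actual identity check happens on the RADIUS server behind it.

```cisco
! Added example (not from the thread): minimal IEEE 802.1X on a 3750 access port.
! RADIUS address, shared secret, interface and VLAN ids are placeholders.
!
! Global AAA setup: authenticate 802.1X sessions against RADIUS and let the
! server hand back per-port authorization (for example a VLAN assignment).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
dot1x system-auth-control
!
! Per-port: one data device plus one phone (multi-domain), port stays
! unauthorized until the supplicant succeeds, and an unexpected extra device
! is restricted rather than taking the whole port down.
interface GigabitEthernet1/0/1
 description 802.1X laptop port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
end
! Verify which identity is on the port and whether it authorized:
show authentication sessions interface GigabitEthernet1/0/1
show dot1x all
```

Because the credential travels with the user or machine rather than with the MAC address, a laptop that undocks and moves to the conference room simply re-authenticates on the new port, which is the mobility problem that sticky MAC addresses make hard.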
