Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
577
Views
0
Helpful
3
Replies

Catalyst 2960 Port Security Configuration

ben.weber
Level 1
Level 1

‎02-20-2020 10:44 AM

I have a question about port security.  I am doing an assessment of a new network and ran across the following on one of the customer's switches:

 

interface FastEthernet0/4
description User Access Ports
switchport access vlan 20
switchport mode access
switchport voice vlan 10
switchport port-security maximum 12
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
ip dhcp snooping limit rate 100

 

I've only used port security to specify the MAC address(es) that can connect to a port, usually using sticky mode.  So this looks like a misconfiguration to me.  It looks like anyone could connect to this port but that the 13th node would be refused.

But am I missing something?  Would this configuration work for port security purposes?  Is this just some configuration example that I'm not familiar with?

 

Thanks,

 

Ben

1 person had this problem
Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎02-20-2020 10:57 AM - edited ‎02-20-2020 11:00 AM

You can have sticky to port, but 12 is too high, I generally go with 4-5 maximum, if you like to cut down, then 3 should be good.

 

Why 3 means, Phone can be fixed all the time, so 1 MAC address, user PC or Laptop (with a docking station, Laptop  can change) so another 2 MAC address.

 

if you know the end device, they fixed desktop no more changes, 2 should be too tight security with 2 MAC Address

switchport port-security maximum 2 ( i go with 3 for safe, or else you need to more admin task).

make sense?

 

 

here is reference if you like to know better :

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ben.weber
Level 1
Level 1
In response to balaji.bandi

‎02-20-2020 11:10 AM

Right, but remember my question is whether the above configuration would work, or if it's a misconfiguration.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to ben.weber

‎02-20-2020 10:38 PM

The configuration works, there is no issue with config, I only offered to tight the security.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card