Cisco 2950/ VLAN/Management port security

victori77
Level 1

I have a cisco 2950 sw and it is our redzone sw for outbound access. I created a separate VLAN for fa0/1 (my management port) and I'm not sure if this is the most secure way of doing it. Also, when I plug my management port in to another switch it builds its mac address table with other mac addresses which I do not want. Is this something that I can disable? Any help would be appreciated.

Thanks

1 Reply

lgontarsk
Level 1

If I'm interpreting you correctly... you have 2 separate issues here.

1a) your management port - you can set up port security on the port that you will connect into your switch from, if you connect directly in. That would involve configuring port-security.

1b) if you don't connect physically into a port on your switch, you would be talking about creating a telnet access-list which would limit which ip addresses can telnet into that switch for management purposes. That would be an access-list which is configured, in addition to a statement under lines vty 0 4 (the lines which you telnet into) tying that access-list into the telnet ports.

So you can do layer 2 security - via port-security- or layer 3 security - via an access-list.

2) Re the switch building its forwarding table - You cannot stop a switch from learning mac addresses from another switch - that's the switch's job in life. You can't disable it. If you stop the switch from building its mac-address-table, it would flood packets for ANY destination out each and every port... because it would never learn which mac-addresses live on the switch that it is connected to.
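Both options from the reply above (layer 2 port-security on the management port, and a layer 3 access-list tied to the vty lines), written out as an added IOS configuration example that is not from the original thread. It assumes fa0/1 is the management port from the question, VLAN 99 is the management VLAN, and 192.0.2.10 is a constructed address for the single admin workstation.

```ios
! --- 1a) Layer 2: lock the management port to one directly attached host ---
! Only appropriate when a single admin PC plugs straight into fa0/1.
! If fa0/1 uplinks to another switch, the port would see many MACs
! (the behaviour described in the question) and the maximum of 1 would
! trip a violation, so do not apply port-security on an inter-switch link.
interface FastEthernet0/1
 description MGMT - single admin host only
 switchport mode access
 switchport access vlan 99
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- 1b) Layer 3: restrict which source addresses may open a vty session ---
! ACL 10 is a standard numbered ACL (constructed for this example);
! 192.0.2.10 is the assumed admin workstation.
access-list 10 remark Hosts allowed to manage this switch
access-list 10 permit 192.0.2.10
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
!
! Verification after applying:
!   show port-security interface FastEthernet0/1   (status, sticky MAC learned)
!   show access-lists 10                           (hit counts on the deny line)
```

The `deny any log` entry makes rejected management attempts show up in the switch log, which is useful for spotting unexpected sources even when the access-class is already doing its job.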
