Help to implement port based security.

cutehameed
Beginner

Hi folks,

I am a newbie to Cisco and need help to implement port security. I have an unmanaged switch setup where users are trying to plug in wireless routers (D-Link and TP-Link) to get the benefit of high bandwidth, and I need to control this. After researching online and studying, I have come up with a Cisco manageable switch 3750, 3560 or 2960 solution.

I want to allow only a certain range of IPs (or only a few random IPs) with only limited MACs per port. Kindly help me: are commands such as port security enough for my requirement, or do I have to apply some other command as well? I have a non-Cisco DHCP server already installed.


balaji.bandi
VIP Community Legend

Sure, you can use port security to restrict devices on the ports.

You can limit the MAC addresses.

You can do sticky (only 1 MAC per port).

Example guide:

https://community.cisco.com/t5/networking-documents/how-to-configure-port-security-on-cisco-catalyst-switches-that/ta-p/3132907

BB


(For 3750, 3560 and 2960)

Can I allow multiple MAC addresses manually by entering (suppose) 15 MAC addresses on a port, so that the port will not forward traffic for anything other than these 15 MAC addresses?

You can use sticky MAC addresses, or you can limit the maximum MAC addresses to 15; after that the port will be violated.

BB


Yes. If you manually configure the MAC addresses in the port security configuration on the interface it will only allow those MAC addresses. If you just set a limit like "maximum 15" then it will allow just the first 15 to communicate and then shutdown the port once the 16th MAC came across the port.

 

-David

David Ruess
Rising star

Hello,

 

Not sure about the statement "users plug in wireless routers (D-Link and TP-Link) to get the benefit of high bandwidth", when Wi-Fi is half duplex and can only provide as much BW as the link it's connected to, i.e. a Gigabit port will only provide Gigabit BW and no more.

 

I would not allow more than 1 MAC per port unless specific circumstances dictate it, because they can still plug in the Wi-Fi device and connect a few users to it until it fills up your MAC port limit.

 

To use port-security you "enable" it and then configure parameters on the port like the below:

conf t
int <interface-id or range>
switchport port-security
switchport port-security maximum 1

 

Each time a violation of more than 1 MAC occurs, it will shut down the port. You will have to go into the switch and shutdown the port and re-enable it manually unless you configure errdisable recovery to do it automatically (a quick Google search should help). When they call to report the port down, that would also be a good time to educate users on the dangers of plugging in unauthorized equipment and possibly develop a policy to improve your security posture.

 

Hope that helps

 

-David
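The following is an added configuration example for this thread, not David's or any other poster's own config. It carries the four-line recipe above through to something you can paste on a Catalyst 3560/3750/2960: one port with sticky learning and a limit of 1, one port with manually entered MAC addresses (the 15-address case from the question, shown with two), and the errdisable recovery that David mentions so that a violated port comes back on its own. Interface names, VLAN numbers, MAC addresses and the 300-second interval are assumed values, not from the thread.

```ios
! Added example; interface names, VLAN, MACs and timers are assumed.
configure terminal
!
! Without these two lines a port-security violation leaves the port
! err-disabled until someone does "shutdown" / "no shutdown" by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Case 1: one device only; the first MAC seen is learned as "sticky"
! and written into the running-config.
interface GigabitEthernet0/5
 description User port - single authorised device
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Case 2: fixed list of allowed MACs entered by hand (assumed values).
! "restrict" drops frames from unknown MACs and logs/counts the
! violation but keeps the port up for the listed devices.
interface GigabitEthernet0/6
 description Printer port - fixed addresses only
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.4456
end
!
! Verification: per-port limits, current counts and violation counters.
show port-security
show port-security interface GigabitEthernet0/5
show port-security address
show errdisable recovery
```

Two operational points: sticky addresses only survive a reload if you save the configuration after they have been learned, and the "maximum" must be at least the number of statically entered addresses or the extra entries are rejected. The violation counter in "show port-security" is the quickest way to see which ports people are plugging unauthorised gear into.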

users plug-in wireless routers (d-link and tp-link) to get benefit of high bandwidth

 

This means unknown users used wireless routers to consume the internet bandwidth of our network, and I have to control internet bandwidth with a Cisco 3750, 3560 or 2960. I will monitor port traffic via Cacti.

Georg Pauwen
VIP Master

Hello,

 

I am just thinking: if you want to limit the bandwidth used on each port, regardless of whether or not you use port security, you could use srr queueing. Below is an example that would limit the amount of bandwidth used to 2 percent of 1000, which would be 20MB.

 

interface GigabitEthernet0/1
bandwidth 1000
srr-queue bandwidth limit 2

Hi Georg Pauwen, thanks for the reply.

We have a data server in our network and users transfer data to that data server.

As per my understanding, if I limit the port to (suppose) 2 percent of a 1G port, their data transfer speed will definitely be affected. What I want is that users can transfer data freely to my local server but cannot exceed (suppose) 2mb of internet bandwidth.
