Implementing port security

etegration · ‎01-23-2014

i have about a dozen2960 that i wish to implement port security. Some users tend to bring their own router and cause mayhem to the network. I've tried DHCP snooping, dont seem to work and port security testing on a few ports work well.

What are the recommended steps? All are connected with users and all ports are already in use.

- Some ports already have a few mac address in the tables thus i cant say do a across the board implement say "switchport port-security maximum 3".

- It's tedious to go switch by switch, port by port

- Any mechnism that can convert sticky to static with "switchport port-security mac-address sticky" first then convert them to static since the network is ok now.

greyiago85 · ‎01-24-2014

What issue are these routers causing? Enabling BPDUGuard will protect the network and alert you to the presence of a hanging-on router.

etegration · ‎01-26-2014

thanks Richard, as there are indeed some users who are using approved switches, i can't use BPDUGuard unless i go port by port. i have added sticky mac address filtering and set maximum to 20 for a start and monitor them for 2 weeks.

After that 2 weeks, it will be quite safe to set the max mac address variable, depending on the number of mac to that number. It's more tedious but guess have to be for now.

devils_advocate · ‎01-27-2014

Do you make your users sign an IT Acceptable Policy because the root cause of this issue is people thinking its ok to plug random things into a network port?

Why do some of your ports need more than 3 MAC addresses?

Personally I would be enabling port security with a Maximum of 2-3 and configuring the violation setting to be Restrict which would still allow the original MAC addresses but then restrict any extra ones.

I would also be looking at DHCP Snooping and Dynamic ARP Inspection.

JohnTylerPearce · ‎01-27-2014

The poster above raised some excellent points about an "IT Acceptable Policy". I wouldn't want people allowed to bring in random network eqiupment just plugging it in all willy nilly.

With DHCP Snooping, you need to understand, that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports, that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, which you have two options. You can either turn if off from being checked at the router, or instruct the switch to not install the option to being with in DHCP Discover packets.

When you enable DHCP Snooping, this will create teh DHCP Snooping database, which will keep track of the DHCP assigned IP address, and the MAC address assigned to each port.

If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropraitely.

It sounds like you may have a hard time, since they don't seem to really care about security at this place.

Personally, if it were me, all ports would have BPDU Guard that should, at a minimum. You can always setup 'errdisable recovery' to deal with the recovering of ports that have been disabled automatically.

paul driver · ‎01-27-2014

Hello

Just like to add - I would personnaly NOT enable errdisable recovery on BPDUguard - if your receive these on an access ports- you dont want the switch to automatically be reneable before you investigate the issue, This could open you up to protential loops forming elsewhere also.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

JohnTylerPearce · ‎01-27-2014

I agree pdriver. That was a mistake on my part. I'm too use to having to do that for Layer 8 issues......................