Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
315
Views
0
Helpful
7
Replies
Highlighted
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-09-2019 10:18 PM
‎02-09-2019 10:18 PM

ISE Security Best Practices (Hardening)

I had problem with port security I configured port security for interface has 2 devices connected (ipphone+ pc) , Ip phone is working fine but pc is restricted and couldn't get an IP address

 

this is my configuration for the port : interface GigabitEthernet1/0/3
 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice

 

-----------------------------------------

sh port-security int g1/0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0024.1d7e.5931:234
Security Violation Count   : 0

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
balaji.bandi
VIP Advocate balaji.bandi VIP Advocate
VIP Advocate
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
7 REPLIES 7
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎02-10-2019 02:29 AM
‎02-10-2019 02:29 AM

Re: ISE Security Best Practices (Hardening)

Hello,

 

what platform is this on ?

 

What if you configure:

 

switchport port-security mac-address sticky 0024.1d7e.5931 vlan access

0 Helpful
Reply
balaji.bandi
VIP Advocate balaji.bandi VIP Advocate
VIP Advocate
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-10-2019 11:55 PM
‎02-10-2019 11:55 PM

Re: ISE Security Best Practices (Hardening)

problem is solved really appreciate your help .

 

I just want to ask what if I add maximum 2 ? as I need to restrict two devices only to connect on this interface

0 Helpful
Reply
Jurgens Lombard
Jurgens Lombard Beginner
Beginner
‎02-11-2019 01:39 AM
‎02-11-2019 01:39 AM

Re: ISE Security Best Practices (Hardening)

The problem you normally have when having a maximum of 2 is that the phone got two ethernet ports, so you actually have three mac addresses if you count your PC into the equation.


<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-11-2019 02:55 AM
‎02-11-2019 02:55 AM

Re: ISE Security Best Practices (Hardening)

Therefore, if I add maximum three it will be applicable ?

0 Helpful
Reply
balaji.bandi
VIP Advocate balaji.bandi VIP Advocate
VIP Advocate
‎02-11-2019 04:23 AM
‎02-11-2019 04:23 AM

Re: ISE Security Best Practices (Hardening)

yes that do the job, any way even you allow more, you are already using Sticky with MAC address.

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-12-2019 01:21 AM
‎02-12-2019 01:21 AM

Re: ISE Security Best Practices (Hardening)

I'm little confused about this issue: if I sticky 2 mac address for example but maximum is 4 , that's mean if user connect addition device it will be allowed ?

0 Helpful
Reply
Latest Contents
Briefing: Wi-Fi 6 and the Next Generation of Access
Created by hcaldwel on 04-18-2019 08:09 AM
0
0
0
0
Register now Learn about the new 9115/9117/9120 Wi-Fi 6 AP's and what they mean for the next generation of wireless access. Will focus on the new features in Wi-Fi 6 like OFDMA, BSS Coloring, MU-MIMO, RF Fingerprinting, and more and how this helps create ... view more
CiscoChat Podcast - Securing the Cloud Edge
Created by Kelli Glass on 04-16-2019 03:48 PM
0
0
0
0
Recorded Live at Cisco Partner Summit 2019!The Cloud Edge—the intersection of the network, cloud, and security–is where businesses face the greatest security risks, inconsistent application performance, and increasing complexity. Organizations need a comp... view more
#CiscoChat Podcast - Cisco DNA Center Assurance
Created by Kelli Glass on 04-16-2019 02:29 PM
0
0
0
0
Recorded live at Cisco Live U.S. 2018Cisco DNA Center was introduced as a seamless tool for network automation, including everything from designing your network, setting up application policies and provisioning features like software-defined access. But h... view more
Cisco IP Phones failed to get IP from the DHCP server
Created by Sarav on 04-15-2019 06:48 AM
0
0
0
0
 Symptoms Cisco IP Phones failed to get IP from the DHCP server. Diagnosis The DHCP scope configured on the Windows server is as below for the Cisco IP Phones.IP Range: 10.136.x.x to 10.136.x.xRouter: 10.136.y.zDNS Servers: a.b.c.dDNS ... view more
Cisco SD-Access for Distributed Campus with IP as a Transit
Created by dbellamk on 04-11-2019 06:45 PM
0
0
0
0
  Introduction Cisco DNA Center gives us the flexibility to configure multiple fabric sites and connect them using different Transits. In this paper, we are going to talk about how we can connect multiple fabric sites using IP as a transit and how c... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Spotlight awards-March 2019