Cisco Community
English
Register
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco announces new innovations in SD-WAN, ISRs, SD-WAN Services, and Catalyst 9000 Series switches


156
Views
0
Helpful
7
Replies
Highlighted
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-09-2019 10:18 PM
‎02-09-2019 10:18 PM

ISE Security Best Practices (Hardening)

I had problem with port security I configured port security for interface has 2 devices connected (ipphone+ pc) , Ip phone is working fine but pc is restricted and couldn't get an IP address

 

this is my configuration for the port : interface GigabitEthernet1/0/3
 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice

 

-----------------------------------------

sh port-security int g1/0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0024.1d7e.5931:234
Security Violation Count   : 0

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
balaji.bandi
VIP Engager balaji.bandi VIP Engager
VIP Engager
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
7 REPLIES
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎02-10-2019 02:29 AM
‎02-10-2019 02:29 AM

Re: ISE Security Best Practices (Hardening)

Hello,

 

what platform is this on ?

 

What if you configure:

 

switchport port-security mac-address sticky 0024.1d7e.5931 vlan access

0 Helpful
Reply
balaji.bandi
VIP Engager balaji.bandi VIP Engager
VIP Engager
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-10-2019 11:55 PM
‎02-10-2019 11:55 PM

Re: ISE Security Best Practices (Hardening)

problem is solved really appreciate your help .

 

I just want to ask what if I add maximum 2 ? as I need to restrict two devices only to connect on this interface

0 Helpful
Reply
Jurgens Lombard
Jurgens Lombard Beginner
Beginner
‎02-11-2019 01:39 AM
‎02-11-2019 01:39 AM

Re: ISE Security Best Practices (Hardening)

The problem you normally have when having a maximum of 2 is that the phone got two ethernet ports, so you actually have three mac addresses if you count your PC into the equation.


<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-11-2019 02:55 AM
‎02-11-2019 02:55 AM

Re: ISE Security Best Practices (Hardening)

Therefore, if I add maximum three it will be applicable ?

0 Helpful
Reply
balaji.bandi
VIP Engager balaji.bandi VIP Engager
VIP Engager
‎02-11-2019 04:23 AM
‎02-11-2019 04:23 AM

Re: ISE Security Best Practices (Hardening)

yes that do the job, any way even you allow more, you are already using Sticky with MAC address.

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-12-2019 01:21 AM
‎02-12-2019 01:21 AM

Re: ISE Security Best Practices (Hardening)

I'm little confused about this issue: if I sticky 2 mac address for example but maximum is 4 , that's mean if user connect addition device it will be allowed ?

0 Helpful
Reply
Latest Contents
BGP Neighbors_CCNP
Created by Edgar c Francis on 02-16-2019 12:39 AM
0
0
0
0
  BGP NeighborsBGP neighbors are routers forming TCP connection for exchanging BGP updates it’s also called as BGP peers or BGP speakers.There are two types of BGP neighbor relationshipIBGP (internal BGP)EBGP (external BGP) BGP first forms ... view more
Introduction of BGP
Created by Edgar c Francis on 02-16-2019 12:10 AM
0
0
0
0
  Introduction of BGPBorder Gateway Protocol (BGP) advertises, learn, and choose the best paths inside the wide internet. When two ISPs connected, they typically use BGP to exchange routing information. The ISPs of the world wide exchange routin... view more
Using EEM to migrate static end device to a managed network
Created by Jurgens Lombard on 02-09-2019 06:20 PM
0
15
0
15
  I was involved with a network migration that made me look at using the power of EEM, below is a solution for anyone who may find themselves in a similar situation.   The Challange I was tasked to upgrade a legacy access layer of a network whi... view more
SVI routing not working cisco 3750
Created by urec on 02-08-2019 10:18 PM
9
0
9
0
Hi guys,I am stuck. I've spent 3 evenings trying to find out why my L3 routing not working on 3750.What I've done so far is:1. no ip routing and then ip routing2. write erase and reload, no ip routing-write erase-roload- ip routing3. shut no shut all resp... view more
Cisco DNA Center Content Customized Just For You
Created by ashherri on 02-08-2019 02:31 PM
0
0
0
0
If you own Cisco DNA Center, then we've got some great news for you! Log in to the Cisco DNA Center product page on Cisco.com and you'll be able view personalized support resources just for you! From guides, demo videos, training resources to contract d... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Blog-Cisco Community Designated VIP Dinner CLEUR2019