Cisco Community
English
Register
See the latest announcements from Cisco Live US 2019
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
436
Views
0
Helpful
7
Replies
Highlighted
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-09-2019 10:18 PM
‎02-09-2019 10:18 PM

ISE Security Best Practices (Hardening)

I had problem with port security I configured port security for interface has 2 devices connected (ipphone+ pc) , Ip phone is working fine but pc is restricted and couldn't get an IP address

 

this is my configuration for the port : interface GigabitEthernet1/0/3
 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice

 

-----------------------------------------

sh port-security int g1/0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0024.1d7e.5931:234
Security Violation Count   : 0

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
7 REPLIES 7
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎02-10-2019 02:29 AM
‎02-10-2019 02:29 AM

Re: ISE Security Best Practices (Hardening)

Hello,

 

what platform is this on ?

 

What if you configure:

 

switchport port-security mac-address sticky 0024.1d7e.5931 vlan access

0 Helpful
Reply
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-10-2019 11:55 PM
‎02-10-2019 11:55 PM

Re: ISE Security Best Practices (Hardening)

problem is solved really appreciate your help .

 

I just want to ask what if I add maximum 2 ? as I need to restrict two devices only to connect on this interface

0 Helpful
Reply
Jurgens Lombard
Jurgens Lombard Participant
Participant
‎02-11-2019 01:39 AM
‎02-11-2019 01:39 AM

Re: ISE Security Best Practices (Hardening)

The problem you normally have when having a maximum of 2 is that the phone got two ethernet ports, so you actually have three mac addresses if you count your PC into the equation.


<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-11-2019 02:55 AM
‎02-11-2019 02:55 AM

Re: ISE Security Best Practices (Hardening)

Therefore, if I add maximum three it will be applicable ?

0 Helpful
Reply
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎02-11-2019 04:23 AM
‎02-11-2019 04:23 AM

Re: ISE Security Best Practices (Hardening)

yes that do the job, any way even you allow more, you are already using Sticky with MAC address.

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-12-2019 01:21 AM
‎02-12-2019 01:21 AM

Re: ISE Security Best Practices (Hardening)

I'm little confused about this issue: if I sticky 2 mac address for example but maximum is 4 , that's mean if user connect addition device it will be allowed ?

0 Helpful
Reply
Latest Contents
Issue: Switch Cissco 4500 automatic reboot
Created by hannv3001 on 06-16-2019 09:31 PM
0
0
0
0
Hi Cisco Team.I have issue with Catalyst 4500 device, it is automatin reboot while use.I sent to team some information this device Version: Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK... view more
Enabling Intelligence at Edge with Catalyst 9000 series swit...
Created by surraju on 06-12-2019 06:26 PM
0
0
0
0
The network is growing and how! Data is being generated at such an exponential rate. An IDC report states that data will grow to 175 Zettabytes by 2025. With such an explosion, enterprises cannot keep sending all the incoming data directly to the cloud. T... view more
%ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Inter...
Created by Tkna on 06-12-2019 10:18 AM
1
0
1
0
%ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/0/6: Power given, but Power Controller does not report Power Good we are getting this error after we upgrade our ios from 12.2(55)SE to 152-2.E9 on the 2960s ( WS-C2960S-48LPS-... view more
Multicast Reachability
Created by teegeorg on 06-11-2019 01:59 AM
0
0
0
0
Description of the issue Multicast Receivers are unable to receive traffic initiated by the Multicast source. Verify if your device configuration matches the following configuration. ##### FE1  ########ip routingip multicast-routing vrf Engineering... view more
Troubleshooting issues related to route distribution between...
Created by teegeorg on 06-11-2019 01:45 AM
0
0
0
0
Description of the issue and topology External Host or Server reachability from Fabric host DHCP IP assignment failure Topology Control Plane and Fabric Border are non-colocated Configurations Core: router ospf 10router-id 71.0.0.1network 50.0.0.0 0.25... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad