Cisco Community
English
Register
Speak French? Now you can ask your questions in the new French Community! CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
556
Views
0
Helpful
7
Replies
Highlighted
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-09-2019 10:18 PM
‎02-09-2019 10:18 PM

ISE Security Best Practices (Hardening)

I had problem with port security I configured port security for interface has 2 devices connected (ipphone+ pc) , Ip phone is working fine but pc is restricted and couldn't get an IP address

 

this is my configuration for the port : interface GigabitEthernet1/0/3
 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice

 

-----------------------------------------

sh port-security int g1/0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0024.1d7e.5931:234
Security Violation Count   : 0

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
7 REPLIES 7
Georg Pauwen
VIP Mentor Georg Pauwen VIP Mentor
VIP Mentor
‎02-10-2019 02:29 AM
‎02-10-2019 02:29 AM

Re: ISE Security Best Practices (Hardening)

Hello,

 

what platform is this on ?

 

What if you configure:

 

switchport port-security mac-address sticky 0024.1d7e.5931 vlan access

0 Helpful
Reply
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎02-10-2019 02:44 AM
‎02-10-2019 02:44 AM

Re: ISE Security Best Practices (Hardening)

here is working for config from switch : (changed only VLAN and your MAC)

 

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

 

Let me know how it goes ?

 

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-10-2019 11:55 PM
‎02-10-2019 11:55 PM

Re: ISE Security Best Practices (Hardening)

problem is solved really appreciate your help .

 

I just want to ask what if I add maximum 2 ? as I need to restrict two devices only to connect on this interface

0 Helpful
Reply
Jurgens Lombard
Jurgens Lombard Participant
Participant
‎02-11-2019 01:39 AM
‎02-11-2019 01:39 AM

Re: ISE Security Best Practices (Hardening)

The problem you normally have when having a maximum of 2 is that the phone got two ethernet ports, so you actually have three mac addresses if you count your PC into the equation.


<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-11-2019 02:55 AM
‎02-11-2019 02:55 AM

Re: ISE Security Best Practices (Hardening)

Therefore, if I add maximum three it will be applicable ?

0 Helpful
Reply
balaji.bandi
VIP Advisor balaji.bandi VIP Advisor
VIP Advisor
‎02-11-2019 04:23 AM
‎02-11-2019 04:23 AM

Re: ISE Security Best Practices (Hardening)

yes that do the job, any way even you allow more, you are already using Sticky with MAC address.

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
ahmed.alshawaff
ahmed.alshawaff Beginner
Beginner
‎02-12-2019 01:21 AM
‎02-12-2019 01:21 AM

Re: ISE Security Best Practices (Hardening)

I'm little confused about this issue: if I sticky 2 mac address for example but maximum is 4 , that's mean if user connect addition device it will be allowed ?

0 Helpful
Reply
Latest Contents
Cisco SD-Access Integration with Cisco ACI
Created by dbellamk on 08-16-2019 12:09 PM
0
0
0
0
OverviewCisco SDA Overview:Cisco ACI Overview:How the Integration works:Configuration:Topology:Cisco DNAC to ISE Integration:Cisco ISE to ACI Integration:Verification:Policy Enforcement in ACI Domain:Policy Enforcement in Cisco SD-Access Domain:   &n... view more
Under the Hood: Unveiling the next gen campus core architect...
Created by klei on 08-15-2019 07:43 AM
0
10
0
10
The long-awaited Cisco Catalyst 9600 Series switches are now here.  As foundational building blocks for the Cisco Digital Network Architecture, Catalyst 9600 Series switches help customers simplify complexity, optimize IT, and reduce operational cost... view more
5-min Survey - Tell us what devices you use when using your ...
Created by betswang on 08-13-2019 05:17 PM
0
0
0
0
Inviting all Network professionals! We want you to tell us what devices you use to do your work and its screen resolution. Your response will help us improve network management tools.   Click here to take the 5-minute survey: http://cs.co/9009E28lV ... view more
5-Minute Network Management Survey
Created by Hannah Faye Chua on 08-08-2019 06:18 PM
0
0
0
0
Calling Cisco Customers who manage networks in your companies We have a quick 5-minute survey for you to complete. Your response will help Cisco improve a product feature that could benefit you.   Click here now: http://cs.co/9002E0kjC &nb... view more
Unleashing the power of Catalyst 9000 Series switches with o...
Created by jayshar on 08-08-2019 11:27 AM
2
5
2
5
Since the last blog on IOS-XE release, there has been a standard maintenance release which was followed by the recently published Extended Maintenance Release(EMR) and the last release on the 16.x train, IOS-XE 16.12.1. With this being an EMR release, it ... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
July's Community Spotlight Awards