ISE Security Best Practices (Hardening)

I had a problem with port security. I configured port security for an interface that has 2 devices connected (IP phone + PC). The IP phone is working fine, but the PC is restricted and couldn't get an IP address.

This is my configuration for the port:

interface GigabitEthernet1/0/3
 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice

-----------------------------------------

sh port-security int g1/0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0024.1d7e.5931:234
Security Violation Count   : 0

1 ACCEPTED SOLUTION

VIP Advocate

Re: ISE Security Best Practices (Hardening)

Here is a working config from a switch (changed only the VLAN and your MAC):

 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931   <-- check the MAC address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC address again
 spanning-tree portfast

Let me know how it goes.

BB
*** Rate All Helpful Responses ***
VIP Mentor

Re: ISE Security Best Practices (Hardening)

Hello,

What platform is this on?

What if you configure:

switchport port-security mac-address sticky 0024.1d7e.5931 vlan access


Re: ISE Security Best Practices (Hardening)

Problem is solved, I really appreciate your help.

I just want to ask: what if I add maximum 2? I need to restrict this interface to two devices only.

Re: ISE Security Best Practices (Hardening)

The problem you normally have with a maximum of 2 is that the phone has two Ethernet ports, so you actually have three MAC addresses if you count your PC into the equation.


<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

Re: ISE Security Best Practices (Hardening)

Therefore, if I add maximum three, will it work?

VIP Advocate

Re: ISE Security Best Practices (Hardening)

Yes, that does the job. Anyway, even if you allow more, you are already using sticky with MAC addresses.

BB
*** Rate All Helpful Responses ***

Re: ISE Security Best Practices (Hardening)

I'm a little confused about this issue: if I have 2 sticky MAC addresses, for example, but the maximum is 4, does that mean that if a user connects an additional device it will be allowed?
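As an added illustration of the behaviour discussed in this thread (not code from the original posts or from Cisco), the following Python model applies the port-security rules a practitioner relies on here: the port-wide maximum, the per-VLAN maximums from the accepted solution, sticky entries, and restrict-mode drops. The MAC addresses and VLANs are the ones from the thread; the extra device MACs are constructed, and the model's simplifications (restrict mode only, no aging, one (MAC, VLAN) pair per secure entry, and the assumption in the last scenario that the phone's MAC is also seen untagged on the access VLAN) are this example's own.

```python
# Added illustration, not Cisco code: a small model of the IOS port-security
# decision on one access/voice port. Restrict mode only, no aging (assumptions).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurePort:
    """Model of 'switchport port-security' on a port with an access and a voice VLAN.

    Each secure entry is a (mac, vlan) pair, which is how the switch counts
    entries against 'Maximum MAC Addresses' in 'show port-security interface'.
    """
    access_vlan: int
    voice_vlan: int
    maximum: int                                       # switchport port-security maximum N
    vlan_maximum: dict = field(default_factory=dict)   # {"access": N, "voice": N}
    secure: set = field(default_factory=set)           # sticky/learned (mac, vlan) pairs
    violations: int = 0                                # "Security Violation Count"

    def __post_init__(self):
        for role, n in self.vlan_maximum.items():
            if n > self.maximum:   # IOS rejects a per-VLAN maximum above the port maximum
                raise ValueError(f"maximum {n} vlan {role} exceeds port maximum {self.maximum}")

    def _role(self, vlan: int) -> str:
        if vlan == self.access_vlan:
            return "access"
        if vlan == self.voice_vlan:
            return "voice"
        raise ValueError(f"VLAN {vlan} is not allowed on this access port")

    def sticky(self, mac: str, vlan: Optional[int] = None) -> None:
        """'mac-address sticky <mac> [vlan voice]'; without 'vlan voice' the access VLAN is used."""
        self.secure.add((mac.lower(), self.access_vlan if vlan is None else vlan))

    def frame(self, mac: str, vlan: int) -> str:
        """Decide one ingress frame: 'forward' (known or newly learned) or 'drop' (restrict violation)."""
        entry = (mac.lower(), vlan)
        if entry in self.secure:
            return "forward"
        role = self._role(vlan)
        on_vlan = sum(1 for _, v in self.secure if v == vlan)
        per_vlan_cap = self.vlan_maximum.get(role)
        if len(self.secure) >= self.maximum or (per_vlan_cap is not None and on_vlan >= per_vlan_cap):
            self.violations += 1       # restrict: frame dropped, counter incremented, port stays Secure-up
            return "drop"
        self.secure.add(entry)         # learned; with sticky it would be written to running-config
        return "forward"


PC, PHONE = "0024.1d7e.5931", "6899.cd84.e97a"                  # MACs from the thread
EXTRA = ("0000.0000.0001", "0000.0000.0002", "0000.0000.0003")  # constructed extra devices


def original_port() -> SecurePort:
    """The poster's port: maximum 4, no per-VLAN limits, two sticky entries."""
    p = SecurePort(access_vlan=234, voice_vlan=245, maximum=4)
    p.sticky(PC)
    p.sticky(PHONE, vlan=245)
    return p


def accepted_port() -> SecurePort:
    """Accepted solution: same, plus 'maximum 1 vlan access' and 'maximum 1 vlan voice'."""
    p = SecurePort(access_vlan=234, voice_vlan=245, maximum=4,
                   vlan_maximum={"access": 1, "voice": 1})
    p.sticky(PC)
    p.sticky(PHONE, vlan=245)
    return p


def extra_devices(port: SecurePort) -> list:
    """The last question in the thread: what happens to devices beyond the two sticky ones."""
    return [port.frame(m, 234) for m in EXTRA]


def phone_untagged_with_maximum(maximum: int) -> str:
    """The 'maximum 2 vs 3' question, assuming the phone's MAC also shows up on the access VLAN."""
    p = SecurePort(access_vlan=234, voice_vlan=245, maximum=maximum)
    p.sticky(PC)
    p.sticky(PHONE, vlan=245)
    return p.frame(PHONE, 234)


if __name__ == "__main__":
    for name, make in (("original", original_port), ("accepted", accepted_port)):
        p = make()
        print(name, "phone:", p.frame(PHONE, 245), "pc:", p.frame(PC, 234),
              "extra:", extra_devices(p), "violations:", p.violations)
    for n in (2, 3):
        print("maximum", n, "phone MAC on access VLAN:", phone_untagged_with_maximum(n))
```

Running it shows the answer to the last question: with maximum 4 and only two sticky entries, two further addresses are learned on the access VLAN before the third one is dropped, so the port maximum alone does not limit the port to the two devices. The accepted solution's per-VLAN maximums close that gap, since the second address on the access VLAN is already a violation. The last scenario shows why a maximum of 2 can fail where 3 works: if the phone's MAC is also seen on the access VLAN it needs its own entry. After any change, `show port-security interface` is the place to confirm the counts and the violation counter, as the original post does.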
