ISE Security Best Practices (Hardening)

ahmed.alshawaff
Level 1

I had a problem with port security. I configured port security for an interface that has 2 devices connected (IP phone + PC). The IP phone is working fine, but the PC is restricted and couldn't get an IP address.

This is my configuration for the port:

interface GigabitEthernet1/0/3
 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice

-----------------------------------------

sh port-security int g1/0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0024.1d7e.5931:234
Security Violation Count   : 0

Accepted Solutions

balaji.bandi
Hall of Fame

Here is a working config from the switch (changed only the VLAN and your MAC):

switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931  <-- check the MAC Address again
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice   <-- check the MAC Address again

spanning-tree portfast

Let me know how it goes?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


7 Replies

Hello,

What platform is this on?

What if you configure:

switchport port-security mac-address sticky 0024.1d7e.5931 vlan access


Problem is solved, really appreciate your help.

I just want to ask: what if I add maximum 2? As I need to restrict only two devices to connect on this interface.

The problem you normally have when having a maximum of 2 is that the phone has two Ethernet ports, so you actually have three MAC addresses if you count your PC into the equation.


<<< Please help the community by marking useful posts helpful, or accept as a solution if it resolved your issue >>>

Therefore, if I add maximum three, will it be applicable?

Yes, that does the job. Anyway, even if you allow more, you are already using sticky MAC addresses.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I'm a little confused about this issue: if I sticky 2 MAC addresses, for example, but the maximum is 4, does that mean that if a user connects an additional device it will be allowed?
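The per-VLAN limits in the accepted answer and the question just above (2 sticky entries but maximum 4), as an added example that is not from the thread: a Python audit, run over constructed copies of the configs posted above, that works out how many MAC addresses beyond the sticky entries each VLAN would still learn dynamically. Where a line is absent it assumes the IOS defaults (maximum 1, violation mode shutdown).

```python
import re

# Constructed sample: the working port configuration posted in the accepted answer.
ACCEPTED_CONFIG = """\
interface GigabitEthernet1/0/3
 switchport access vlan 234
 switchport mode access
 switchport voice vlan 245
 switchport port-security maximum 4
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0024.1d7e.5931
 switchport port-security mac-address sticky 6899.cd84.e97a vlan voice
"""
# Constructed sample: the original config, i.e. the same stanza without the per-VLAN maximums.
ORIGINAL_CONFIG = "\n".join(l for l in ACCEPTED_CONFIG.splitlines() if "maximum 1 vlan" not in l)

MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?")
VIOL_RE = re.compile(r"switchport port-security violation (protect|restrict|shutdown)")
STICKY_RE = re.compile(r"switchport port-security mac-address sticky "
                       r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (access|voice))?")

def audit_port_security(config: str) -> dict:
    """Parse one interface stanza and report, per VLAN, how many MAC addresses beyond the
    sticky entries the port would still learn dynamically (0 means only the pinned devices)."""
    port_max, vlan_max = 1, {}          # assumption: IOS defaults (maximum 1, no per-VLAN limits)
    violation = "shutdown"              # assumption: IOS default violation mode is shutdown
    sticky = {"access": [], "voice": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAX_RE.fullmatch(line):
            if m.group(2):
                vlan_max[m.group(2)] = int(m.group(1))
            else:
                port_max = int(m.group(1))
        elif m := VIOL_RE.fullmatch(line):
            violation = m.group(1)
        elif m := STICKY_RE.fullmatch(line):
            sticky[m.group(2) or "access"].append(m.group(1))   # no "vlan voice" -> access VLAN
    total_free = port_max - sum(len(v) for v in sticky.values())
    free = {}
    for vlan in ("access", "voice"):
        # Free slots on a VLAN are capped by its own limit and by the port-wide limit.
        free[vlan] = max(0, min(vlan_max.get(vlan, port_max) - len(sticky[vlan]), total_free))
    return {"violation": violation, "port_max": port_max, "sticky": sticky, "free_slots": free}
```

With the original config (maximum 4, no per-VLAN limits) both VLANs still have two free slots, so an extra device would be learned; with the per-VLAN maximums of 1 from the accepted answer, only the two sticky devices are admitted.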
