01-31-2015 11:00 PM - edited 03-07-2019 10:27 PM
Hello,
I have enabled port security on the switches with the configuration below. I connected a guest laptop to switch A, completed my job and kept the laptop in the IT cupboard. After 10 days I took the guest laptop and tried to connect it to switch B in the same VLAN; the laptop was blocked from access by a port-security violation.
I tried searching with the command sh mac address-table address XXXX.44eb.XXXX on switch B but I didn't find the MAC address. Luckily I remembered that I had connected it to switch A on port 20, so I removed the MAC from the running configuration and was able to get access on switch B.
So it is very difficult to search for a MAC address when I have 100 switches; if I had not remembered, it would have been a big mess for me. Is the configuration below the correct way of configuring port security on the switches when I have IP phones in the network?
interface GigabitEthernet2/0/14
 switchport access vlan 31
 switchport mode access
 switchport voice vlan 30
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport port-security
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 spanning-tree portfast
 spanning-tree bpduguard enable
switch B# sh mac address-table address XXXX.44eb.XXXX
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
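The lookup above fails because sh mac address-table only shows what switch B has learned, not where a sticky entry lives. The secure address table is shown by show port-security address, and the practical approach with 100 switches is to collect that output from every switch and search it offline. The script below is an added example for this thread, not code from the original post: it parses collected show port-security address output, accepts the MAC in any common notation, reports which switch and port hold it, and prints the IOS commands to clear the entry. It assumes the output has already been gathered (for example over SSH); the switch names, ports and MAC addresses in SAMPLE_OUTPUTS are constructed sample data modelled on Catalyst output, and the clear port-security syntax should be checked against your platform's command reference.

```python
"""Locate a secure (sticky/dynamic/configured) MAC across many Catalyst
switches from collected 'show port-security address' output and emit the
IOS commands that free it so the host can move to another switch or port.
Added example for this thread; sample data below is constructed."""
import re

# One row of the secure address table, e.g.
#   31    0011.2233.44eb    SecureSticky    Gi2/0/20    -
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>Secure\w+)\s+"
    r"(?P<port>\S+)"
)

# Constructed sample output (two switches), modelled on the Catalyst format.
SAMPLE_OUTPUTS = {
    "switch-A": """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  30    001a.a2b3.c4d5    SecureSticky                  Gi2/0/20     -
  31    0011.2233.44eb    SecureSticky                  Gi2/0/20     -
  31    0011.2233.9999    SecureDynamic                 Gi2/0/21     -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 6144
""",
    "switch-B": """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
----    -----------       ----                          -----   -------------
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
""",
}


def normalize_mac(mac):
    """Accept 0011.2233.44eb, 00:11:22:33:44:EB or 00-11-22-33-44-eb and
    return the Cisco dotted form in lower case."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "%s.%s.%s" % (hexdigits[0:4], hexdigits[4:8], hexdigits[8:12])


def parse_secure_table(output):
    """Yield (vlan, mac, type, port) for each row of the secure table."""
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield (int(m.group("vlan")), m.group("mac").lower(),
                   m.group("type"), m.group("port"))


def find_secure_mac(outputs, mac):
    """outputs: {hostname: text of 'show port-security address'}.
    Return [(hostname, vlan, type, port)] for every secure entry holding mac."""
    wanted = normalize_mac(mac)
    hits = []
    for host, text in outputs.items():
        for vlan, entry_mac, entry_type, port in parse_secure_table(text):
            if entry_mac == wanted:
                hits.append((host, vlan, entry_type, port))
    return hits


def cleanup_commands(hits):
    """Per-switch IOS commands that remove the entry. Sticky and dynamic
    entries are cleared from exec mode; a statically configured one is
    removed under the interface. A save follows because sticky addresses
    are stored in the running configuration."""
    cmds = {}
    for host, vlan, entry_type, port in hits:
        if entry_type == "SecureConfigured":
            lines = ["interface %s" % port,
                     " no switchport port-security mac-address %s" % hits[0][0]]
        else:
            kind = "sticky" if "Sticky" in entry_type else "dynamic"
            lines = ["clear port-security %s address %s" % (kind, MAC_CACHE[0])]
        cmds.setdefault(host, []).extend(lines)
    for host in cmds:
        cmds[host].append("copy running-config startup-config")
    return cmds


MAC_CACHE = []  # replaced below; kept simple so cleanup_commands is pure


def plan_cleanup(outputs, mac):
    """Convenience wrapper: find the MAC and build the commands for it."""
    wanted = normalize_mac(mac)
    hits = find_secure_mac(outputs, wanted)
    cmds = {}
    for host, vlan, entry_type, port in hits:
        if entry_type == "SecureConfigured":
            lines = ["interface %s" % port,
                     " no switchport port-security mac-address %s" % wanted]
        else:
            kind = "sticky" if "Sticky" in entry_type else "dynamic"
            lines = ["clear port-security %s address %s" % (kind, wanted)]
        cmds.setdefault(host, []).extend(lines)
    for host in cmds:
        cmds[host].append("copy running-config startup-config")
    return hits, cmds


if __name__ == "__main__":
    found, plan = plan_cleanup(SAMPLE_OUTPUTS, "00:11:22:33:44:EB")
    for host, vlan, entry_type, port in found:
        print("%s: vlan %d %s on %s" % (host, vlan, entry_type, port))
    for host, lines in plan.items():
        print("--- %s ---" % host)
        print("\n".join(lines))
```

Run against the sample data, the search reports the guest laptop's MAC as a SecureSticky entry on switch-A Gi2/0/20 and nothing on switch-B, which matches what happened in the thread: the entry that blocked the move was on the first switch, not on the one reporting the violation. With violation restrict the port is not err-disabled, so the only symptom is the SecurityViolation counter in show port-security interface; collecting show port-security address centrally is what makes the next incident a search rather than a guess.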
02-03-2015 11:00 AM
Dear Jon,
OK, understood.
Here are my thoughts on the scenarios; please correct me.
When 802.1X is configured, an outsider PC or laptop connected to the network will not get access because its domain will be different and the request will not hit the ACS ---> domain controller for authentication; it will authenticate locally on the PC and will not be given an IP address (access).
So I think there is no need to authenticate the MAC address; when the username/password authentication request hits AD, the user will be authenticated and given access.
thanks
02-03-2015 11:25 AM
Okay, I just reread your post and I think I see what you mean.
You mean that because the user is not in the domain and the ACS server uses AD for the user credentials, it won't work.
Basically yes, but isn't that what you want, i.e. if the authentication for the user fails then there is no access to the network?
There is no local authentication done between the user and the switch, i.e. if the authentication using the ACS server fails, that's it.
Jon
02-03-2015 11:26 AM
When 802.1X is configured, an outsider PC or laptop connected to the network will not get access because its domain will be different and the request will not hit the ACS ---> domain controller for authentication; it will authenticate locally on the PC and will not be given an IP address (access).
Are you talking about user authentication here?
If so, it has nothing to do with the domain being different.
The switch authenticates the user. The user presents their credentials (whatever they are) and the switch relays them to the ACS server. The ACS server may have a local database, but more likely it uses AD if that is what you have.
If the authentication is successful the port stays up and then the machines can get an IP address etc.
If it isn't, the port is disabled and the machine has no access to the network.
This would happen even if the user configured their own IP address.
Jon
02-03-2015 11:40 AM
Dear Jon
+5 for you again.
This would happen even if the user configured their own IP address.
The above means the following:
If a PC with a static IP address configured is connected to the port and it authenticates to the ACS ---> AD, it will be given access; if it fails authentication, the port will be disabled.
thanks
02-03-2015 12:03 PM
If a PC with a static IP address configured is connected to the port and it authenticates to the ACS ---> AD, it will be given access; if it fails authentication, the port will be disabled.
Exactly.
The authentication is about whether the port is enabled or not; everything else happens after that has been decided.
Which I think is what you are looking for.
Jon
02-03-2015 12:13 PM
Thanks, dear.
Good chain of replies from you; it will be helpful to others as well.
Have a good day.