LAN Port security

clark white
Level 2

Hello,

I have enabled port security on switches with the below configuration. I connected a guest laptop to switch A, completed my job and kept the laptop in the IT cupboard. After 10 days I took the guest laptop and tried to connect it to switch B in the same VLAN; the laptop was restricted from access by a port violation.

I tried searching with the command sh mac address-table address XXXX.44eb.XXXX on switch B but I didn't find the MAC address. Luckily I remembered that I had connected it to switch A on port 20, so I removed the MAC from the running configuration and I was able to get access on switch B.

So it is very difficult to search for a MAC address when I have 100 switches; if I had not remembered, it would have been a big mess for me. Is the below the correct way of configuring port-security on the switches when I have IP phones in the network?

interface GigabitEthernet2/0/14
 switchport access vlan 31
 switchport mode access
 switchport voice vlan 30
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport port-security
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 spanning-tree portfast
 spanning-tree bpduguard enable

switch B# sh mac address-table address XXXX.44eb.XXXX
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
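An added example (not from the post or from Cisco) of where the search actually has to happen: a sticky MAC is written into the running configuration of the switch that learned it, so the MAC table of switch B never contains it, and the reliable way to locate it is to parse the collected configs of all switches. The switch names, interfaces and MAC addresses below are constructed sample data.

```python
import re

# Constructed running-config excerpts for two switches (sample data, not from the post).
# A sticky MAC is stored in the config of the switch that learned it, so the MAC table of
# any other switch shows nothing; the reliable search is across the collected configs.
SAMPLE_CONFIGS = {
    "switch-A": """\
interface GigabitEthernet1/0/20
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.44eb.aabb
 switchport port-security mac-address sticky 0011.44eb.ccdd vlan voice
 switchport port-security violation restrict
!
""",
    "switch-B": """\
interface GigabitEthernet2/0/14
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0022.5566.7788
!
""",
}

IFACE_RE = re.compile(r"^interface\s+(\S+)")
# Only sticky lines that carry an address; the bare "... sticky" line merely enables learning.
STICKY_RE = re.compile(r"^\s*switchport port-security mac-address sticky\s+"
                       r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"

def sticky_macs(config: str) -> dict[str, list[str]]:
    """Map each interface in a running-config to the sticky MACs pinned to it."""
    result, current = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := STICKY_RE.match(line)) and current:
            result.setdefault(current, []).append(m.group(1).lower())
    return result

def find_sticky_mac(mac: str, configs: dict[str, str]) -> list[tuple[str, str]]:
    """Return every (switch, interface) whose config pins the MAC as a sticky entry."""
    target = normalize_mac(mac)
    return [(sw, iface) for sw, cfg in configs.items()
            for iface, macs in sticky_macs(cfg).items() if target in macs]
```

In practice the dict is filled from configs pulled by whatever backup tool already collects them; once the entry is located it can be removed from the interface as the post describes, or with clear port-security sticky interface <name> on that switch.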

Dear Jon,

OK understood,

Here are my scenario thoughts, please correct me.

When 802.1X is configured, an outsider PC or laptop connected to the network will not get access because its domain will be different and the request will not hit the ACS ---> domain controller to authenticate; it will authenticate locally on the PC and it will not be given an IP address (access).

So I think there is no need to authenticate the MAC address; when the username/password authentication request hits AD, the user will be authenticated and given access.

thanks

Okay, I just reread your post and I think I see what you mean.

You mean because the user is not in the domain and the ACS server uses AD for the user credentials then it won't work.

Basically yes, but isn't that what you want, i.e. if the authentication for the user fails then there is no access to the network?

There is no local authentication done between the user and the switch, i.e. if the authentication using the ACS server fails, that's it.

Jon

When 802.1X is configured, an outsider PC or laptop connected to the network will not get access because its domain will be different and the request will not hit the ACS ---> domain controller to authenticate; it will authenticate locally on the PC and it will not be given an IP address (access).

Are you talking about user authentication here?

If so, it has nothing to do with the domain being different.

The switch authenticates the user. The user presents their credentials (whatever they are) and the switch relays this to the ACS server. The ACS server may have a local database but more likely it uses AD if that is what you have.

If the authentication is successful the port stays up and then the machine can get an IP address etc.

If it isn't, the port is disabled and the machine has no access to the network.

This would happen even if the user configured their own IP address.

Jon

Dear Jon

+5 for you again.

This would happen even if the user configured their own IP address.

The above means the following:

A PC with a static IP address configured, if connected to the port, will be given access if it authenticates to the ACS ---> AD, and if it fails authentication then the port will be disabled.

thanks

A PC with a static IP address configured, if connected to the port, will be given access if it authenticates to the ACS ---> AD, and if it fails authentication then the port will be disabled.

Exactly.

The authentication is about whether the port is enabled or not, everything else happens after that has been decided.

Which I think is what you are looking for.

Jon

Thanks dear,

Good chain of replies from you, it will be helpful to others as well.

Have a good day
