cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1332
Views
0
Helpful
8
Replies

Port-Security and meeting rooms

Hello guys,

I'm facing an issue with Port-Security. I'm not sure if this is a normal operation or a exception condition. Please could you help me to configure it?

I configured Port-Security in my access switches. The configuration is ok and the operation is working fine. But, when an user move to a meeting room with his laptop and connect it, the switch do not grab a IP address. If a remove the port-security configuration this IP is immediately released.

I notice that an user with a mac-address already learned by the switch cannot use any other port, even if this port doesn´t have port-security enabled.

I would like to configure port-security on user port, with that nobody could use his port. But for meeting rooms everybody should use it, no port-security will be applied.

You can find my configuration below:

interface FastEthernet0/11

switchport mode access

switchport port-security maximum 1

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

spanning-tree portfast

Thank you in advance.

Regards, Tiago.

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Yes, i think your best

Yes, i think your best solution for this isue is NAC(Network access control), you need configure 802.1x with certificate in your devices.

You coul check this solution

https://supportforums.cisco.com/document/115201/acs-53-certificate-based-network-access-using-ad

8 REPLIES 8
Collaborator

Hi,

Hi,

Why do you need "switchport port-security mac-address sticky" in an environment where users are mobile. "sticky" locks the mac address to the switch port. Use stick if the device will not move from that port often e.g. printer. Users with laptops will have issues in a "sticky" environment.

Thanks

John

**Please rate posts you find helpful**

Hello John, thank you for

Hello John, thank you for your reply.

Well, I'm doing that because we had some security issues on ports without any type of security. Visitors users was getting IP and connecting to corporate network. I would like to deny this kind of operation.

The only way I got was to apply port-security even on mobile users.

Enthusiast

TACACS or Radius will work

TACACS or Radius will work well. 802.1x using Microsoft NPS or Cisco ISE.

Beginner

Yes, i think your best

Yes, i think your best solution for this isue is NAC(Network access control), you need configure 802.1x with certificate in your devices.

You coul check this solution

https://supportforums.cisco.com/document/115201/acs-53-certificate-based-network-access-using-ad

Beginner

And you could check

And you could check differents between ACS and ISE

https://communities.cisco.com/docs/DOC-63901

Enthusiast

As John said, sticky mac

As John said, sticky mac address feature should be used restrictedly for non-mobile devices. You can shutdown all unused ports to prevent visitors from connecting to your internal network. Also, conference rooms should be isolated on a separate VLAN "Guest VLAN" wired and wirelessly. Otherwise, you can go with configuring Aging Time on the access port. 

Please see below.

5.2.2  Benefits of the Port Security Best Practices

For stable connections (for example, ports that always support the same devices, as in an office environment: devices like an IP phone, a desktop computer, or the same laptop computer), configureport security with sticky MAC addresses. Port security with sticky MAC addresses allows the switch to learn addresses dynamically and then retain the dynamically learned MAC addresses during a link-down condition.

For flexible connections (for example, connections to conference rooms or connections that support guests), configure port security with activity-based aging.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/best/practices/recommendations.html#wp1198027

Please rate if helpful,

Thank you. 

Highlighted

Hi Tiago,

Hi Tiago,

This is the expected behaviour,You should be able observe this with show "show mac address-table"  and "show port address".When you configure switch port with Sticky MAC Addresses, switch Enters MAC address it learns in to the running config as below as you may have already noted.

switchport port-security mac-address sticky
switchport port-security mac-address sticky 000f.b0a7.b051

Now lets say this was your port 1 and you moved your device with the MAC address "000f.b0a7.b051" to port 2 and that should come up ok. When you disconnect a device from a port the  default behaviour is to age out the MAC address and then Mac address table will dynamically learn the MAC address "000f.b0a7.b051"  on port 2 and that should work fine.

You should be able to observe above with "show mac address-table" as DYNAMIC associated to port2 (when you dont have MAC security on port2)

However the tricky part is if you try to plug something else other than the device with the sticky MAC address back to the port1. Lets say you plugged in a another PC to port 1.This time the port comes up and it also tries to enter the MAC "000f.b0a7.b051" into the cam table as this is coded in the running config as you noted before.Now It goes in to violation mode and switch will stop the sticky mac address communicating doesn't matter where it is plugged in the switch.

Above is valid to any sticky learnt MAC addresses.

Basically,if you have sticky mac it will work on other ports than the originally learnt port as long as the original port is not up.Hope that make sense.

In your case,may be port authentication type of solution would work as everyone else have mentioned.

I'll throw in few other ideas as well,

Perhaps you can leave a locked laptop with port security in the meeting room for your users.May be get the users to go on the wireless. also you could check access-lists as a solution

 

Regards,

Prabath

**Please rate all the useful posts appropriately***

***Please rate all the useful posts***
-Prabath

Hey guys, I got it. I

Hey guys, I got it. I understood that I was using port-security for something different from the official purpose.

Thank you very much for your help.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards