08-31-2016 07:51 AM - edited 03-08-2019 07:14 AM
Hello guys,
I'm facing an issue with Port-Security. I'm not sure if this is a normal operation or an exception condition. Please could you help me to configure it?
I configured Port-Security in my access switches. The configuration is OK and the operation is working fine. But when a user moves to a meeting room with his laptop and connects it, the switch does not grab an IP address. If I remove the port-security configuration, this IP is immediately released.
I noticed that a user with a MAC address already learned by the switch cannot use any other port, even if this port doesn't have port-security enabled.
I would like to configure port-security on user ports, so that nobody could use his port. But for meeting rooms everybody should be able to use them; no port-security will be applied.
You can find my configuration below:
interface FastEthernet0/11
switchport mode access
switchport port-security maximum 1
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
spanning-tree portfast
Thank you in advance.
Regards, Tiago.
09-02-2016 07:56 PM
Yes, I think your best solution for this issue is NAC (Network Access Control); you need to configure 802.1x with certificates on your devices.
You could check this solution:
https://supportforums.cisco.com/document/115201/acs-53-certificate-based-network-access-using-ad
08-31-2016 04:25 PM
Hi,
Why do you need "switchport port-security mac-address sticky" in an environment where users are mobile? "Sticky" locks the MAC address to the switch port. Use sticky if the device will not move from that port often, e.g. a printer. Users with laptops will have issues in a "sticky" environment.
Thanks
John
09-01-2016 04:14 AM
Hello John, thank you for your reply.
Well, I'm doing that because we had some security issues on ports without any type of security. Visitor users were getting IPs and connecting to the corporate network. I would like to deny this kind of operation.
The only way I found was to apply port-security even on mobile users.
09-01-2016 07:00 AM
TACACS or Radius will work well. 802.1x using Microsoft NPS or Cisco ISE.
09-02-2016 07:58 PM
And you could check the differences between ACS and ISE.
09-02-2016 10:37 AM
As John said, the sticky MAC address feature should be used restrictively, for non-mobile devices. You can shut down all unused ports to prevent visitors from connecting to your internal network. Also, conference rooms should be isolated on a separate VLAN ("Guest VLAN"), wired and wireless. Otherwise, you can go with configuring an aging time on the access port.
Please see below.
5.2.2 Benefits of the Port Security Best Practices
•For stable connections (for example, ports that always support the same devices, as in an office environment: devices like an IP phone, a desktop computer, or the same laptop computer), configure port security with sticky MAC addresses. Port security with sticky MAC addresses allows the switch to learn addresses dynamically and then retain the dynamically learned MAC addresses during a link-down condition.
•For flexible connections (for example, connections to conference rooms or connections that support guests), configure port security with activity-based aging.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/best/practices/recommendations.html#wp1198027
Please rate if helpful,
Thank you.
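As an added illustration (not from any post in this thread, and not from the linked Cisco document) of the split the quoted best practice describes: the sticky configuration Tiago posted stays on a fixed desk port, while a meeting-room port keeps port-security but learns the address dynamically and ages it out on inactivity, so a laptop that leaves the room is forgotten rather than pinned to that port. The interface names and the 5-minute aging time are assumptions.

```cisco
! Fixed desk port (same device every day): sticky learning, as in Tiago's post.
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! Meeting-room port (assumed name): no sticky, dynamic learning with
! inactivity-based aging, so the learned MAC is removed 5 minutes
! (assumed value, range 1-1440 minutes) after the laptop goes quiet.
! The default aging time of 0 disables aging, so "aging time" must be set.
interface FastEthernet0/20
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 spanning-tree portfast
!
! Checks (privileged EXEC): confirm that the meeting-room port holds no
! sticky address in the running config and see the current secure address
! together with its remaining age.
! show port-security interface FastEthernet0/20
! show port-security address
! show running-config interface FastEthernet0/20
```

Because the meeting-room port never writes a "mac-address sticky <address>" line into the running config, a laptop later seen on another port does not collide with a stored secure address on this one.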
09-01-2016 05:52 PM
Hi Tiago,
This is the expected behaviour. You should be able to observe this with "show mac address-table" and "show port address". When you configure a switch port with sticky MAC addresses, the switch enters the MAC address it learns into the running config as below, as you may have already noted.
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000f.b0a7.b051
Now let's say this was your port 1 and you moved your device with the MAC address "000f.b0a7.b051" to port 2; that should come up OK. When you disconnect a device from a port, the default behaviour is to age out the MAC address, and then the MAC address table will dynamically learn the MAC address "000f.b0a7.b051" on port 2, and that should work fine.
You should be able to observe the above with "show mac address-table" as DYNAMIC associated to port 2 (when you don't have MAC security on port 2).
However, the tricky part is if you try to plug something other than the device with the sticky MAC address back into port 1. Let's say you plugged another PC into port 1. This time the port comes up and it also tries to enter the MAC "000f.b0a7.b051" into the CAM table, as this is coded in the running config as you noted before. Now it goes into violation mode and the switch will stop the sticky MAC address communicating, no matter where it is plugged in on the switch.
The above is valid for any sticky-learnt MAC address.
Basically, if you have a sticky MAC it will work on ports other than the originally learnt port as long as the original port is not up. Hope that makes sense.
In your case, maybe a port authentication type of solution would work, as everyone else has mentioned.
I'll throw in a few other ideas as well:
Perhaps you can leave a locked laptop with port security in the meeting room for your users. Maybe get the users to go on the wireless. Also, you could check access-lists as a solution.
Regards,
Prabath
**Please rate all the useful posts appropriately**
09-08-2016 09:51 AM
Hey guys, I got it. I understood that I was using port-security for something different from the official purpose.
Thank you very much for your help.