04-04-2012 06:19 AM - edited 03-07-2019 05:57 AM
Wanted to discuss the option of port security on Layer 2 switches that will enable me to prevent outside devices from connecting to an internal network. Based upon some documentation, switchport port-security options are available on the existing 12.2 SG IOS; however, I'm looking for some other users who have implemented this process.
04-04-2012 08:17 AM
Port security works well in static environments; if you have hot desks with laptop users, it causes problems.
this doc is a good explanation of how to setup port security
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.pdf
04-04-2012 10:21 AM
Thanks
04-04-2012 09:27 AM
The port security feature helps to limit the number of MACs that can be associated with a switch port; it can't differentiate between an outside and an inside MAC address.
I don't think static mapping of MAC addresses to a port is a feasible option, so the next best bet is to use the mac address sticky feature and limit the number of MAC addresses on each port to a max of 2 if you use IP phones. The sticky option will help to learn the MACs of existing connected devices, and the max option will help to err-disable the port if more than the specified number of MACs are seen on the port.
As p.mcgowan said in his above post, it will soon become an administrative nightmare if you use it without proper planning.
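An added configuration example (not from any poster in this thread) showing what the reply above describes on Catalyst IOS: sticky learning with a MAC limit and shutdown-on-violation on a workstation port, the max-2 variant for a port with an IP phone, and automatic err-disable recovery. Interface names, VLAN numbers and the sample MAC are assumed for illustration.

```cisco
! --- Workstation-only access port: one sticky MAC, err-disable on a second one ---
interface GigabitEthernet1/1
 description user desk (workstation only)   ! interface name assumed
 switchport mode access
 switchport access vlan 10                   ! VLAN assumed
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! --- Access port with an IP phone behind it: allow 2 MACs, one per VLAN ---
interface GigabitEthernet1/2
 description user desk (phone + PC)          ! interface name assumed
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110                   ! voice VLAN assumed
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! --- Bring err-disabled ports back on their own after 5 minutes ---
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! After the first frame, the learned address appears in the running config as
!   switchport port-security mac-address sticky 0011.2233.4455   (sample MAC)
! and must be saved or it is lost on reload:
!   copy running-config startup-config
!
! Checks:
!   show port-security interface GigabitEthernet1/1
!   show port-security address
!   show interfaces status err-disabled
! When a desk legitimately gets a new machine, forget the old sticky entry:
!   clear port-security sticky interface GigabitEthernet1/1
```

The `clear port-security sticky` step is the administrative cost p.mcgowan warns about: every hardware swap on a sticky port is a ticket for the network team, which is why this suits fixed desks and printers far better than hot desks.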
04-04-2012 10:26 AM
thanks,
My overall concern is that many of these options are for a single MAC address. Currently we're not using IP phones, therefore all MAC addresses would be strictly devices, i.e. workstations, laptops and printers. In addition, I have several trunk ports created with small Cisco switches that allow software developers to use multiple devices while only occupying a single data connection. I will continue reading the information provided, but this is a brief description of what we're attempting to secure within our network.
Finally, for 80% of our overall network the sticky solution appears to be the best option; however, I'm concerned about the other 20%.
04-04-2012 10:58 AM
You can configure trunk port security for the trunk ports. The document below provides good information about port security; hope that will help.
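An added example (not from any poster in this thread) for the remaining 20%: port security on a trunk that feeds a small downstream Cisco switch at a developer desk, using the per-VLAN maximum supported on the Catalyst 4500. Interface name, VLAN list and the MAC counts are assumed; size the counts to the number of devices actually expected on each desk switch.

```cisco
! --- Trunk to a small desk switch: cap MACs per VLAN, log instead of shutting down ---
interface GigabitEthernet1/24
 description developer desk (downstream switch)   ! interface name assumed
 switchport mode trunk
 switchport trunk allowed vlan 10,20               ! VLANs assumed; prune everything else
 switchport port-security
 switchport port-security maximum 8                ! port-wide cap (assumed count)
 switchport port-security maximum 4 vlan 10        ! per-VLAN caps must not exceed the port cap
 switchport port-security maximum 4 vlan 20
 switchport port-security mac-address sticky       ! sticky entries on a trunk record MAC + VLAN
 switchport port-security violation restrict       ! drop + syslog/SNMP trap, port stays up
!
! Do NOT put bpduguard / portfast on this port: the downstream switch sends BPDUs
! and the trunk must stay a normal spanning-tree link.
!
! Checks:
!   show port-security interface GigabitEthernet1/24
!   show port-security interface GigabitEthernet1/24 vlan
!   show port-security address | include Gi1/24
```

Two design choices worth noting: `restrict` rather than `shutdown`, because one stray device plugged into the desk switch should generate an alert, not take every developer on that switch offline; and an explicit allowed-VLAN list, since port security limits how many addresses appear per VLAN but does nothing to stop a downstream device from sending tagged frames into VLANs the trunk still carries.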