Port Security on Layer 2 Switches

lewwalker
Level 1

Wanted to discuss the option of port security on Layer 2 switches that will enable me to prevent outside devices from connecting to an internal network. Based upon some documentation, switchport port-security options are available on the existing 12.2 SG IOS; however, I'm looking for some other users who have implemented this process.

5 Replies

p.mcgowan
Level 3

Port security works well in static environments; if you have hot desks with laptop users it causes problems.

This doc is a good explanation of how to set up port security:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.pdf

Thanks

siddhartham
Level 4

The port security feature helps to limit the number of MACs that can be associated with a switch port; it can't differentiate between an outside or an inside MAC address.

I don't think static mapping of MAC addresses to a port is a feasible option, so the next best bet is to use the MAC address sticky feature and limit the number of MAC addresses on each port to a max of 2 if you use IP phones. The sticky option will help to learn the MACs of existing connected devices, and the max option will help to err-disable the port if more than the specified number of MACs are seen on the port.

As p.mcgowan said in his above post, it will soon become an administrative nightmare if you use it without proper planning.

Siddhartha

Thanks,

My overall concern is that many of these options are for a single MAC address. Currently we're not using IP phones, therefore all MAC addresses would be strictly devices, i.e. workstations, laptops and printers. In addition, I have several trunk ports created with small Cisco switches that allow software developers to use multiple devices while occupying just a single data connection. I will continue reading the information provided, but this is a brief description of what we're attempting to secure within our network.

Finally, for 80% of our overall network the sticky solution appears to be the best option; however, I'm concerned about the other 20%.

You can configure trunk port security for the trunk ports. The document below provides good information about port security; hope that will help.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.pdf

Siddhartha
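The two cases discussed in this thread side by side, as an added IOS configuration example (not taken from the posts or the linked Cisco guides): a workstation-only access port using sticky learning with a maximum of 1, and a trunk to a developer desk switch with a higher maximum and a non-shutdown violation mode. Interface names, VLAN numbers and the maximum of 5 on the trunk are assumed values.

```cisco
! --- Access port: one workstation/laptop/printer, no IP phone (assumed) ---
interface GigabitEthernet1/1
 description Workstation access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Trunk to a small developer desk switch (assumed Gi1/2) ---
! Sticky learning records every device behind the desk switch; the
! maximum is sized for the expected devices, and "restrict" drops and
! logs extra MACs instead of err-disabling the whole desk.
interface GigabitEthernet1/2
 description Trunk to developer desk switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Let shutdown-mode violations recover automatically after 5 minutes,
! so a single err-disable does not need a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification after devices have connected:
!   show port-security
!   show port-security interface GigabitEthernet1/1
!   show port-security address
!
! Sticky addresses only live in running-config until saved:
!   copy running-config startup-config
```

A sticky learned address stays bound to the port until the entry is cleared or the port is reconfigured, so moving a machine between desks (the hot-desk problem p.mcgowan raised) shows up as a violation on the new port.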