Port security on single switch

Andrew White
Level 2

Hello,

I'm locking down a remote switch (3560 48 port) in a small office. I have enabled SSH, DHCP snooping, BPDU guard and I will do DAI too, but I want to lock the ports down further to allow only a few mac addresses per port to stop someone filling up the CAM table with false mac addresses should they find the right illegal tools. Problem with this site is it has a few roaming laptop users that use any available port, and I noticed 2 of the ports there are hubs.

What options do I have? Would it be a good idea to lock each port down to 1 mac address apart from the hub ports and have an aging timeout of say 5 mins, so if a user with a laptop disconnects then another user has to wait 5 mins or it err-disables? Plus, for users leaving for the day, it would mean the port is ok the next day for a new mac?

As for the hub, I could do the same but set the max to 5 mac addresses that age out after 5 mins of inactivity?

I'm after any ideas really guys.

Thanks

3 Replies

cadet alain
VIP Alumni

Hi,

If there is only a small number of devices then you could disable dynamic mac-learning and put in the corresponding static mac entries. So you wouldn't need port-security anymore.

Regards

Alain

Don't forget to rate helpful posts.

Gregory Snipes
Level 4

You could use "aging type inactivity" with your port security config. Then the MAC address will clear out as soon as the user disconnects the laptop.  This would not work with a hub though, as the hub would remain connected to the switch and as such the addresses would not clear unless you unplugged the hub from the switch.
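An added IOS configuration example, not from the thread, showing the port-security options discussed above on one laptop port and one hub port; the interface names, the 5-minute timer, the address limits and the choice of "restrict" (to avoid err-disabling the port) are assumptions. Inactivity aging is tracked per secure address, so an entry is aged when that particular address stops sending, which is worth checking on the hub port with the show commands at the end.

```cisco
! Added example (not from the original thread). Interface names,
! timers and maximum counts are assumptions.
!
! Laptop port: one secure MAC; the learned address ages out after
! 5 minutes without traffic from it, so the next user on this port
! does not have to wait for a manual clear or trip the violation.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 switchport port-security violation restrict
!
! Hub port: cap the number of addresses the hub can introduce;
! each secure address is aged individually when it goes quiet,
! so unplugging the hub is not required to free a slot.
! "restrict" drops frames from extra addresses and logs/counts the
! violation instead of err-disabling the whole hub port.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 switchport port-security violation restrict
!
! Verification: current secure addresses, remaining age and
! violation counters per port.
show port-security address
show port-security interface GigabitEthernet0/1
show port-security interface GigabitEthernet0/2
```

Note that "aging time 0" (the default) disables aging entirely, so the inactivity type only takes effect once a non-zero time is set.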

1.) The inactivity option sounds very good, but why would it not work with the hub, as no users would be connected at the end of the day? Could I just put a maximum mac limit on the port so at least it controls the number of mac addresses allowed?

2.) Also, as I will be using DAI on the switch, how will this handle the hub port, as multiple mac addresses will be seen from one port? Maybe I will have to trust it.

3.) I have also just noticed that, as they have wifi, the mac address table shows 2 mac addresses per port since the WIFI is on the same subnet. Should I set the port to a max of 2 mac addresses and also set the inactivity option?

Thanks