port security question

ubuntu_guy
Level 1

I'm running an 1841 with a switch hanging off one of the ports. I'm trying to restrict users from unplugging the ethernet from a PC and using it on a personal laptop. Since the switch is unmanaged, how do I accomplish this? Can I just issue the port security commands on my router or will that not work?

Thanks for the help.

13 Replies

ubuntu_guy
Level 1

The switch is on f0/0/0 and I know that there should be X number of machines at that location, so if I issue:

switchport port-security maximum X

will that work?

Hello Richard,

Port security has a default aging interval. It means that if a user attaches a laptop, it is possible that the PC's MAC will age out

and the user can access via the laptop.

You need something like a MAC access group to restrict it to the user PC only, similar to the one below on a switch. I am not sure

whether it is supported on your router or not.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Regards

Mahesh

The aging time period can be adjusted though, right?

Yes,

It is indeed adjustable, but whatever time you set, once it expires the MAC on the interface will age out.

Anyway, you can decide what best suits your network according to your requirements.

Regards

Mahesh

Well, as long as it's effective at blocking rogue laptops then I could just set the aging time to 5 days or something. That seems pretty sloppy to me though.

Does the command I suggested above make more sense? I know that there should be 50 PCs physically connected to the switch being compromised, so on the router port that runs to that switch I could issue "switchport port-security maximum 50"?

The switch is unmanaged.

Have you considered using MAB?

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab_ps6441_TSD_Products_Configuration_Guide_Chapter.html

The problems for MAB are:

1. You need a RADIUS server. The cheapest way to get a RADIUS server is FreeRADIUS, IAS (if you have a Microsoft server), or a Cisco AP.

2. Administration overhead

3. Potential security loophole. The user name and password for the MAC address is the MAC address. Once a hacker knows that MAB is used, he/she can find a valid MAC address on the network. Then, he/she can obtain a valid user ID and password on the RADIUS server. You need something like NAS restriction to tighten up security.

Not sure if it is worth your time.

The cmd you mention, switchport port-security maximum 50, will allow 50 MACs on a single switch port (so if you put a hub into one port and plugged 50 things into it they would all work; the 51st would be denied). This makes no discrimination between a rogue or non-rogue laptop, simply 50 MACs. If you have a single switch with 50 potential users coming and going and connecting to any switch port at any one time, then this probably isn't what you are looking for.

If the ports they plug into are always the same then you can use the switchport port-security mac-address sticky cmd. It will remember each MAC and disable the port if any other MAC is learned.

If they plug into different ports each time they come along then that won't work for you. You can manually enter each MAC for the known non-rogue laptops and then make them sticky so they are remembered, but you'll need to do this on each switch port and so make your config a mess.

Dot1x would most likely be the better way to go, as anyone that doesn't authenticate in the right way can be put into a restricted VLAN and so not be able to do anything, but it requires more setup and admin overhead and may not be available to you.

They do not change ports on the switch. The machines are setup at desks or sales counters and never move. From the machine each host plugs into a switch in a closet that is locked. So based on that I can either use the command that I suggested before, or use the sticky mac version of the command?

Thanks for all the replies so far, very helpful.

Use the:

switchport port-security mac-address sticky

It will learn the MAC that is currently on the port and put it on the end of the line so you can see it when you do a show run, i.e.:

sh run

int fa0/1

blah blah

switchport port-security mac-address sticky aabb.ccdd.eeff

Do that on all ports and then that will be static, and anyone plugging anything else in will get binned.

You might want to also consider using the recovery commands to return the port to service once that rogue laptop user gets bored of not being able to work and walks away. It will reactivate the port after a set period of time so the real MAC can operate again.

The only thing to remember is when you swap hardware you need to remove the sticky command and put it back in again.

recovery commands such as:

errdisable recovery cause psecure-violation
errdisable recovery interval 60
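The sticky port-security setup described in the reply above, put together as one complete access-port template for a managed Catalyst switch running IOS. This is an added example, not configuration from anyone in the thread; the interface names, VLAN number, description and the MAC address aabb.ccdd.eeff are placeholders, and it assumes the PCs never move between ports, as the original poster states. It also shows the sticky address as it appears in the running config once learned, how to clear it after a hardware swap, and the show commands to verify a violation.

```cisco
! Added example (not from the thread): one-host-per-port lockdown with
! sticky MACs. Apply to every access port that serves a fixed desk PC.
interface range FastEthernet0/1 - 48
 description Desk / sales counter PC (placeholder)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Sticky addresses are not subject to the default aging timer (aging time
! is 0, i.e. disabled, unless you configure it), so the learned PC MAC
! stays bound to the port across reboots of the PC. Once the PC has sent
! a frame, the running config shows the learned address on the port, e.g.:
!
! interface FastEthernet0/1
!  switchport port-security mac-address sticky aabb.ccdd.eeff
!
! Save it so the binding survives a switch reload:
!  copy running-config startup-config
!
! A second MAC on the port (a laptop on the desk cable) triggers a
! violation and the port goes err-disabled. Let it come back on its own
! so the legitimate PC works again after the laptop is unplugged:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (exec mode):
!  show port-security interface FastEthernet0/1   (status, last source MAC)
!  show port-security address                     (all secure MACs)
!  show interfaces status err-disabled            (ports currently shut)
!
! After replacing a PC, drop the old sticky binding so the new NIC can be
! learned (the interface keeps the rest of its port-security config):
!  clear port-security sticky interface FastEthernet0/1
```

Note that this only works on a managed switch; the original poster's unmanaged switch and router HWIC port cannot enforce it, which is the conclusion the thread reaches further down.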

Rob,

     The problem there is that my switch is unmanaged and plugs into a FE port on my router. That's why I was exploring options for the router port that handles that switch.

Ah bugger, I missed that in the earlier text; it leaves my updates a little redundant then. The command you suggested will allow 50 MACs, no matter what they are, to be learned on the port, so I see why you wanted the age timer to be extended so plug/unplug would result in a drop of the new MAC. I don't know of another way other than what has already been suggested to achieve what you wanted. Sorry for the unhelpful help there.

I suppose using this as leverage for getting a managed switch onto the network, as there is a 'security' issue, is not really of any worth either.

I'm having an issue using the port-security command; it's not present. When I get into the f0/0/0 interface, issue switchport mode access, then try to enable port security, the command is unrecognized. Is there something else I need beforehand? This is on an 1841 router, on a 4-port HWIC.

Thanks.

I'm already in the process of upgrading them to a managed switch :)
