adamgibs7
Frequent Contributor

Port security

Dears

Apart from switchport port security, is there any way to ensure that PCs do not move from one port to another? I ask because I am using dot1x on the port, and switchport port security is not supported with dot1x, as Cisco recommends that we should not use both features on one port.

 

Thanks

10 REPLIES
Kevin SAS
Beginner

Hi,

However, it should work. Have you already tried it?

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.pdf

page 16

I don't know of any other function like port-security.

adamgibs7
Frequent Contributor

Dear,

In IOS version 15.X, the port security and dot1x commands are not supported together on the port.

 

thanks

adamgibs7
Frequent Contributor

Does anybody know how I can achieve the port security sticky feature of the switch if I am using dot1x on the switch?

 

thanks

Depending on the IOS firmware version you are running and if you are using the IBNS 2.0 syntax, then you could use the access-session mac-move deny global command. More info here

 

Failing that you could limit the number of simultaneous user sessions, link

adamgibs7
Frequent Contributor

Thanks RJI,

You are the expert.

The link you provided is very helpful and I have rated it 5, but my switches are 3750E, and the maximum IOS that can be loaded is 12.2 (58).

From the ISE I can block the user maximum session, but that will not stop the movement of the PC from one switch to another.

Hello,

 

I think your 3750E switches support c3750e-ipbasek9-mz.150-2.SE11.bin. Have you tried installing that version?

adamgibs7
Frequent Contributor

Dear

 

I am on the same IOS as mentioned.

 

thanks

Georg Pauwen
VIP Expert

Hello,

 

I think in the older 12.2 versions (link to the command reference below), 'no authentication mac-move permit' is the default. According to the command reference, "if MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs".

 

So, you wouldn't even need port security...

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/commmand/reference/3750cr/cli1.html

adamgibs7
Frequent Contributor

Dears

Thanks for the reply. It didn't work for me on 3750 switches.

adamgibs7
Frequent Contributor

Dear Experts

 

So I should conclude Cisco doesn't have any solution for dot1x and port security to work together?

 

thanks
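
Added example, not from any poster in this thread or from Cisco: where neither port security nor a MAC-move restriction can be enabled, a move can still be detected after the fact by comparing `show mac address-table` captures against a recorded MAC-to-port baseline. The switch names, uplink ports, MAC addresses and captures below are constructed, and the table layout is assumed to be the usual VLAN / MAC / type / port columns.

```python
import re

# One data row of `show mac address-table`: VLAN, dotted-hex MAC, type, port.
ROW = re.compile(r"^\s*\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\w+\s+(\S+)\s*$", re.I)

def parse_mac_table(switch, text, uplinks):
    """Return {mac: (switch, port)}, ignoring headers, CPU rows and uplink ports."""
    seen = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) != "CPU" and m.group(2) not in uplinks:
            seen[m.group(1).lower()] = (switch, m.group(2))
    return seen

def current_view(outputs, uplinks):
    """Merge per-switch tables; a host is only counted where it is directly attached."""
    view = {}
    for switch, text in outputs.items():
        view.update(parse_mac_table(switch, text, uplinks.get(switch, set())))
    return view

def find_moves(baseline, current):
    """Flag MACs seen on a different access port than recorded, or not recorded at all."""
    findings = []
    for mac, where in sorted(current.items()):
        pinned = baseline.get(mac)
        if pinned is None:
            findings.append(("unknown", mac, None, where))
        elif pinned != where:
            findings.append(("moved", mac, pinned, where))
    return findings

# Constructed sample data (not from the thread): baseline, uplinks and CLI captures.
BASELINE = {"0011.2233.4455": ("sw1", "Gi1/0/5"), "0011.2233.4466": ("sw1", "Gi1/0/6")}
UPLINKS = {"sw1": {"Gi1/0/49"}, "sw2": {"Gi1/0/49"}}
OUTPUTS = {
    "sw1": """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4466    STATIC      Gi1/0/6
  10    0011.2233.4455    DYNAMIC     Gi1/0/49""",
    "sw2": """  10    0011.2233.4455    STATIC      Gi1/0/12
  10    0011.2233.4466    DYNAMIC     Gi1/0/49
  10    00aa.bbcc.ddee    STATIC      Gi1/0/3""",
}

if __name__ == "__main__":
    for kind, mac, old, new in find_moves(BASELINE, current_view(OUTPUTS, UPLINKS)):
        print(kind, mac, old, "->", new)
```

Uplink ports must be listed per switch; otherwise every host learned across a trunk would be reported as moved.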