11-05-2008 06:55 AM - edited 03-06-2019 02:19 AM
Hi guys and girls,
I'm trying to set up port-security on my network using sticky mac addresses instead of manually entering the macs to reduce the workload on my colleagues.
My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM) and looked like this before being 'secured'
interface FastEthernet1/0/1
switchport access vlan 2
switchport voice vlan 10
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
and after:
interface FastEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0003.ff53.553c
switchport port-security mac-address sticky 001e.c952.553c
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
The switchport port-security mac-address sticky addresses were obtained automatically
a show port-security interface fa1/0/1 looks like this:
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 5
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 0001.e324.6f48:10
Security Violation Count : 0
and my show version looks like this:
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1
Now the 'stickiness' has picked up my 2 PC nodes but not my telephone, which is included in the 'Total MAC Addresses' bit.
This means that if I unplug my telephone and replace it with a PC, this PC will access my network. Bad news!
And now for the million dollar question:
How can I set up my port to auto learn my telephone and put this in the sticky table, thus blocking any traffic that is not coming from a trusted or learned node and keeping my port safe and sound? We cannot enter the macs manually as we have a 192 port stack and no time!
Please help,
Chris
11-06-2008 08:34 AM
Reply to my own posting here!
What I am trying to do will not work.
Maybe this will help somebody else who would like to set up port security with a voice VLAN. The ip phone mac is picked up as 'SecureDynamic' and cannot be converted to a 'static' record. This means that as soon as you unplug the ip phone, this record is removed from the switch and an intruder can break into your network by plugging in a notebook. The only way to protect your ports with ip phones is to use access-lists that must be manually edited, thus creating loads of work when you have stacks with 192 FE ports like us. This is not a moan, but I would just like to put this down as I see it and of course say thanks for all of the advice that I got. I have also learned a lot during these 2 days and will check the release notes of later IOS versions to see if an update can help. If so I will be updating over Christmas (we have a 24/7 network) if I get the offline time. If anybody has another idea, please let me know and I will get the virtual beers in.
regards, Chris
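The gap Chris describes in both posts is visible in the counters of `show port-security interface`: a MAC that is counted under 'Total MAC Addresses' but under neither 'Configured' nor 'Sticky' is a SecureDynamic entry that disappears on link down, and any slot below 'Maximum' that is not filled by a configured or sticky address is one the port will happily hand to the next device plugged in. The script below is an added example (not from the thread or from Cisco) that parses that output for a set of ports and reports which ones still have unpinned or free slots, so a 192-port stack can be audited without reading every block by hand. The sample output is constructed for the example: the first block mirrors the fields in the thread, the other two ports are invented for comparison; the counter arithmetic (Total minus Configured minus Sticky, Maximum minus Configured minus Sticky) is the assumption the audit rests on.

```python
import re

# Constructed sample "show port-security interface" output for three ports.
# Fa1/0/1 mirrors the fields in the thread above (with Maximum set to the
# configured value of 3); Fa1/0/2 and Fa1/0/3 are made up so the audit has a
# fully pinned port and a disabled port to compare against.
SAMPLE_OUTPUT = {
    "FastEthernet1/0/1": (
        "Port Security              : Enabled\n"
        "Port Status                : Secure-up\n"
        "Violation Mode             : Restrict\n"
        "Aging Time                 : 0 mins\n"
        "Aging Type                 : Absolute\n"
        "SecureStatic Address Aging : Disabled\n"
        "Maximum MAC Addresses      : 3\n"
        "Total MAC Addresses        : 3\n"
        "Configured MAC Addresses   : 0\n"
        "Sticky MAC Addresses       : 2\n"
        "Last Source Address        : 0001.e324.6f48:10\n"
        "Security Violation Count   : 0\n"
    ),
    "FastEthernet1/0/2": (
        "Port Security              : Enabled\n"
        "Port Status                : Secure-up\n"
        "Violation Mode             : Restrict\n"
        "Maximum MAC Addresses      : 1\n"
        "Total MAC Addresses        : 1\n"
        "Configured MAC Addresses   : 0\n"
        "Sticky MAC Addresses       : 1\n"
        "Last Source Address        : 0000.0c11.2233:2\n"
        "Security Violation Count   : 0\n"
    ),
    "FastEthernet1/0/3": (
        "Port Security              : Disabled\n"
        "Port Status                : Secure-down\n"
        "Violation Mode             : Shutdown\n"
        "Maximum MAC Addresses      : 1\n"
        "Total MAC Addresses        : 0\n"
        "Configured MAC Addresses   : 0\n"
        "Sticky MAC Addresses       : 0\n"
        "Last Source Address        : 0000.0000.0000:0\n"
        "Security Violation Count   : 0\n"
    ),
}

# "Key : value" lines; the key never contains a colon, the value may (mac:vlan).
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", re.MULTILINE)
# "Last Source Address" is shown as dotted MAC followed by the VLAN it was seen in.
LAST_SRC_RE = re.compile(r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}):(\d+)$")


def parse_port_security(text):
    """Parse one 'show port-security interface' block into counters.

    'dynamic' is Total minus Configured minus Sticky: addresses the switch
    learned but never wrote into the running config, so they are dropped when
    the link goes down (the phone case in the thread). 'free_slots' is Maximum
    minus the persisted addresses: how many new MACs the port would still
    accept from whatever gets plugged in.
    """
    fields = {key.strip(): value for key, value in FIELD_RE.findall(text)}

    def count(key):
        m = re.match(r"\d+", fields.get(key, ""))
        return int(m.group()) if m else 0

    maximum = count("Maximum MAC Addresses")
    total = count("Total MAC Addresses")
    persisted = count("Configured MAC Addresses") + count("Sticky MAC Addresses")

    last_mac, last_vlan = None, None
    m = LAST_SRC_RE.match(fields.get("Last Source Address", ""))
    if m:
        last_mac, last_vlan = m.group(1), int(m.group(2))

    return {
        "enabled": fields.get("Port Security", "").lower() == "enabled",
        "violation_mode": fields.get("Violation Mode", ""),
        "maximum": maximum,
        "total": total,
        "configured": count("Configured MAC Addresses"),
        "sticky": count("Sticky MAC Addresses"),
        "dynamic": max(total - persisted, 0),
        "free_slots": max(maximum - persisted, 0),
        "last_source": (last_mac, last_vlan),
        "violations": count("Security Violation Count"),
    }


def audit_stack(outputs):
    """Return one finding per port whose allowed MACs are not all pinned.

    outputs maps interface name -> 'show port-security interface' text.
    """
    findings = []
    for port, text in outputs.items():
        r = parse_port_security(text)
        if not r["enabled"]:
            findings.append({"port": port, "issue": "port-security disabled", **r})
        elif r["dynamic"] > 0 or r["free_slots"] > 0:
            issue = f"{r['dynamic']} secure-dynamic, {r['free_slots']} free slot(s)"
            findings.append({"port": port, "issue": issue, **r})
    return findings


if __name__ == "__main__":
    for f in audit_stack(SAMPLE_OUTPUT):
        print(f"{f['port']}: {f['issue']} (last source {f['last_source']})")
```

Feed it the real output by collecting `show port-security interface` per port into the dictionary; on the thread's Fa1/0/1 it reports one secure-dynamic address and one free slot, and the VLAN suffix on the last source address (`:10`, the voice VLAN) tells you which side of the port the unpinned learner is on.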