04-06-2016 09:46 AM - edited 03-08-2019 05:15 AM
New computers, Apple MacBook Pro notebooks, do not come with a built-in Ethernet port, requiring a Thunderbolt dongle for the Ethernet port. Using the MacBook Pro Wi-Fi MAC and software to assign that MAC to the Thunderbolt dongle, you now have a connection using the MacBook Pro's MAC, not the add-on dongle's MAC. The dongle can be moved to a different computer, but the MAC assigned to the network port will always be the MAC of the MacBook Pro. Here is the problem: when the MacBook Pro notebook is powered on and boots, the Cisco switch sees the MAC address of the Thunderbolt dongle; when the MacBook Pro then changes the MAC on the Thunderbolt dongle, Cisco port security kicks in, since you now have a different MAC address on the switch port, and by design Cisco port security set to a maximum of 1 will shut the port down.
The absolute is: you cannot write the MacBook Pro notebook's Wi-Fi MAC permanently to the Thunderbolt dongle, as it can then be moved or plugged into any other MacBook Pro notebook and mimic the other system, the same as having no port security.
04-06-2016 01:56 PM
Hi -
You have not stated that it is mandatory that the same MAC always connects to the same port on the switch, so there is no reason for you to use the "switchport port-security mac-address nnnn.nnnn.nnnn" or "switchport port-security mac-address sticky" commands.
You can enforce the single MAC limit on the port without those commands. When one user disconnects, the port will go down and the associated MAC will be removed from the switch's CAM table (setting the MAC address count for the port to 0). When the next user plugs in the switch will learn the MAC of his or her system.
PSC
04-07-2016 08:10 AM
Due to security policy, switch port security is used to lock the notebook's MAC to a switch port. As stated earlier, the notebook does not have a built-in Ethernet port, so a Thunderbolt dongle is used. To lock a given notebook to the port, the notebook's Wi-Fi MAC is written by software to the dongle; that way you can't just move the dongle to another notebook and take over the port. With port security set to a max of 1 (security policy), the switch will see the dongle's MAC at power-on of the notebook; the switch will then see the notebook's MAC that is written to the dongle, which will shut down the port.
The issue is port security and the policy of only 1 MAC address allowed; I am looking for a way to stop it from getting the dongle's MAC and then the notebook's MAC a minute later, delaying the action until the dongle's MAC is overwritten and the switch only sees the MAC that has been changed on the dongle.
I think the answer is to change the design; port security is not the answer. Move from port security to 802.1X port authentication security. This is not an easy answer but may be a better solution.
04-07-2016 08:49 AM
Hi -
I misunderstood the original question. I did not realize that the Thunderbolt adapter had a MAC of its own. If that's the case, then your only 2 options are to increase the MAC limit to 2, or go to 802.1x security. Realistically the latter is significantly more secure.
PSC
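An added example, not code from the thread or from Cisco: a small Python model of one port-security port that replays both situations discussed above (the MAC change on a single link-up with a maximum of 1 versus 2, and PSC's unplug-and-replug case with and without sticky addresses). The MAC addresses and port name are constructed placeholders.

```python
# Added example (not from the thread or Cisco): a minimal model of a port with
# 'switchport port-security' to replay the MacBook/dongle sequence. Constructed values:
DONGLE_MAC = "00:11:22:33:44:55"  # constructed: the adapter's own MAC
WIFI_MAC = "aa:bb:cc:dd:ee:ff"    # constructed: the MacBook's Wi-Fi MAC


class PortSecurityPort:
    """One access port with port security in the default 'shutdown' violation mode."""

    def __init__(self, name, maximum=1, sticky=False):
        self.name = name
        self.maximum = maximum      # 'switchport port-security maximum N'
        self.sticky = sticky        # 'switchport port-security mac-address sticky'
        self.secure_macs = []       # secure addresses learned on this port
        self.err_disabled = False

    def frame_from(self, mac):
        """The switch sees a frame with this source MAC on the port."""
        if self.err_disabled:
            return "err-disabled"
        if mac in self.secure_macs:
            return "allowed"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)
            return "learned"
        self.err_disabled = True    # one MAC too many: port goes err-disabled
        return "violation"

    def link_down(self):
        """Link drops: dynamic secure MACs are forgotten, sticky ones persist."""
        if not self.sticky:
            self.secure_macs.clear()


def boot_sequence(maximum=1, sticky=False):
    """Replay the thread's problem: dongle MAC at power-on, then the rewritten
    MAC once macOS assigns the Wi-Fi MAC to the adapter, all on one link-up."""
    port = PortSecurityPort("Gi1/0/1", maximum=maximum, sticky=sticky)
    return [port.frame_from(DONGLE_MAC), port.frame_from(WIFI_MAC)], port


def user_swap(sticky=False):
    """PSC's first scenario: one laptop unplugs (link down), another plugs in."""
    port = PortSecurityPort("Gi1/0/1", maximum=1, sticky=sticky)
    port.frame_from(WIFI_MAC)
    port.link_down()
    return port.frame_from(DONGLE_MAC)   # a different MAC on the same port
```

With a maximum of 1 the second MAC on the same link-up is a violation and the port goes err-disabled; raising the maximum to 2 lets both addresses through, and a plain (non-sticky) port forgets the first MAC once the link drops.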