03-07-2013 08:27 AM - edited 03-07-2019 12:07 PM
Hi
I want to apply security to a switch, allowing several machines to connect on different ports of the same switch.
To do this, I issued the command
# switchport port-security
# switchport port-security maximum 3
# switchport port-security mac-address sticky
# switchport port-security mac-address sticky X.X.X
# switchport port-security mac-address sticky Y.Y.Y
# switchport port-security mac-address sticky Z.Z.Z
When I do this on the first interface, I have no problems. Doing it on the second, I get a message saying that the MAC address is already used. What I want is that, in the same room, computers (which are always the same) can switch places with each other.
03-07-2013 08:49 AM
Port security does not allow for MAC addresses to be used on several different ports. Preventing MAC addresses from being present on more than a single port is port security's most basic function. If you wish for the devices to be able to move ports you must either disable port security altogether or remove sticky MAC and set the aging to inactivity.
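To make the difference between the two configurations concrete, here is a small model of how a port-security secure-MAC table behaves. This is an added illustration written for this thread, not Cisco code and not the original poster's configuration; the interface names, MAC addresses and timer values are constructed, and the rejection message it returns is the model's own wording, not the exact IOS text. It shows three things the replies in this thread describe: a MAC secured (sticky or otherwise) on one port cannot appear on another port, a second sticky entry for the same MAC is rejected at configuration time, and with no sticky and aging type inactivity the entry ages out once the device is idle so it can be learned again on a different port. It also shows the limitation raised later in the thread: an aged-out or never-seen MAC on a port with free slots is simply learned, so aging alone does not keep unknown laptops off a port.

```python
"""Toy model of Cisco port-security secure-MAC handling (constructed example).

Configurations compared, in IOS terms:
  sticky:   switchport port-security mac-address sticky
            switchport port-security mac-address sticky <mac>   (entered per port)
  dynamic:  no sticky, switchport port-security aging type inactivity
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurePort:
    name: str
    maximum: int = 3
    sticky: bool = False
    aging_inactivity: Optional[int] = None          # minutes; None = never ages
    secure_macs: Dict[str, int] = field(default_factory=dict)   # mac -> last seen


class Switch:
    def __init__(self, ports: List[SecurePort]):
        self.ports = {p.name: p for p in ports}
        self.violations: List[Tuple[str, str, str]] = []

    def _owner(self, mac: str) -> Optional[SecurePort]:
        """Port on which this MAC is currently secured, if any."""
        for p in self.ports.values():
            if mac in p.secure_macs:
                return p
        return None

    def age(self, now: int) -> None:
        """Drop dynamic entries idle longer than the port's inactivity timer.
        Sticky entries are written to the configuration and never age out."""
        for p in self.ports.values():
            if p.sticky or p.aging_inactivity is None:
                continue
            for mac, last_seen in list(p.secure_macs.items()):
                if now - last_seen >= p.aging_inactivity:
                    del p.secure_macs[mac]

    def configure_sticky(self, port_name: str, mac: str) -> str:
        """Operator enters 'switchport port-security mac-address sticky <mac>'.
        The entry is refused if the MAC is already secured on another port
        (the thread's 'MAC address is already used' situation)."""
        owner = self._owner(mac)
        if owner is not None and owner.name != port_name:
            return "rejected"
        self.ports[port_name].secure_macs[mac] = 0
        return "accepted"

    def frame(self, port_name: str, mac: str, now: int) -> str:
        """Decide what happens to a frame with source MAC 'mac' seen on a port."""
        self.age(now)
        port = self.ports[port_name]
        owner = self._owner(mac)
        if owner is port:                       # known here: refresh last-seen
            port.secure_macs[mac] = now
            return "forward"
        if owner is not None:                   # secured elsewhere: MAC-move violation
            self.violations.append((port_name, mac, "already on " + owner.name))
            return "violation"
        if len(port.secure_macs) >= port.maximum:
            self.violations.append((port_name, mac, "maximum exceeded"))
            return "violation"
        port.secure_macs[mac] = now             # free slot: learn it
        return "forward"


CART = "0011.2233.4455"      # constructed MAC of a roaming device


def sticky_scenario() -> Tuple[str, str]:
    sw = Switch([SecurePort("Gi1/0/1", sticky=True), SecurePort("Gi1/0/2", sticky=True)])
    first = sw.frame("Gi1/0/1", CART, now=0)
    moved = sw.frame("Gi1/0/2", CART, now=600)   # moved hours later: still a violation
    return first, moved


def configure_scenario() -> Tuple[str, str]:
    sw = Switch([SecurePort("Gi1/0/1", sticky=True), SecurePort("Gi1/0/2", sticky=True)])
    return sw.configure_sticky("Gi1/0/1", CART), sw.configure_sticky("Gi1/0/2", CART)


def inactivity_scenario() -> Tuple[str, str, str]:
    sw = Switch([SecurePort("Gi1/0/1", aging_inactivity=5),
                 SecurePort("Gi1/0/2", aging_inactivity=5)])
    first = sw.frame("Gi1/0/1", CART, now=0)
    too_soon = sw.frame("Gi1/0/2", CART, now=2)   # entry on Gi1/0/1 not yet aged
    later = sw.frame("Gi1/0/2", CART, now=10)     # idle 10 min: aged out, re-learned
    return first, too_soon, later


def rogue_scenario() -> str:
    """Why aging does not keep unknown laptops out: a fresh MAC on a port
    with a free slot is learned like any other."""
    sw = Switch([SecurePort("Gi1/0/1", aging_inactivity=5)])
    return sw.frame("Gi1/0/1", "aaaa.bbbb.cccc", now=0)


if __name__ == "__main__":
    print("sticky:", sticky_scenario())
    print("configure:", configure_scenario())
    print("inactivity:", inactivity_scenario())
    print("rogue:", rogue_scenario())
```

The model deliberately ignores the violation mode (protect/restrict/shutdown) and only reports whether a frame or command would be accepted; on real hardware the second port in the sticky scenario would err-disable under the default shutdown mode.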
03-07-2013 10:33 AM
Thanks for the reply
Anyway, I figured that would not be possible, but I do not find it useful.
If for a training room we deliver 20 laptops and we want only those computers (and not ones brought by users) to be connected, the "switchport port-security aging" command does not solve my problem.
03-07-2013 10:36 AM
It is the use of the sticky command that is the real issue. Sticky=can't move.
03-07-2013 12:53 PM
I will explain my problem to see if you have another idea.
I have 14 machines to connect in a building (not computers but food carts) that travel through the different floors of a hospital.
About 3 of them must be plugged to some ports on the same floor (same switch). All of them (14) can be connected to any of those ports (on any switch, on any floor).
I don't want to leave ports in the hallways without security, because anyone could use them to connect their own computer. Do you see another solution?
Regards
03-07-2013 01:06 PM
In that case I would say the best option is to go with an 802.1x solution. However you would require a radius server to get that going and I do not know if the computers on the food carts are capable.
If you have a wireless system (don't know if hospitals like these currently) you could try placing some type of wireless bridge device on the carts or fitting the devices with wireless NICs. Then they roam around freely.
I understand this is kind of a pain in the neck. I used to do a lot of work with the DOD and they faced similar challenges in trying to secure their ports. They finally started pushing 802.1x real hard because port security is just a bad tool for this kind of thing in our modern mobile world.
03-07-2013 01:29 PM
I appreciate your effort.
At the moment, wireless networks are not allowed for this type of equipment in the health care system here. I'll find another solution or I'll get used to seeing the ports without security and accessible to anyone.
thank you very much