Velocity Reviews - Computer Hardware Reviews

port security on cisco cat 4000 switch

 
 
Butre
10-28-2003
I have a Cat 4000 switch (6.3(3)).

I would like to apply port security on 10 ports. These ports are all
patched through to our boardroom and I only want to allow 10 MAC
addresses to connect to our LAN using these 10 ports. This is to
secure our internal LAN so that guests do not accidentally connect to one
of our LAN ports (I have an external network set up for them on a
different switch), so they are forced to use that network.

I first wanted to test this by securing 2 ports and allowing 2 MAC
addresses.

This is what I did:

--------------------------
Mon Aug 19 2002, 23:44:52
switch-4006> (enable) set port security 3/13 enable
Port 3/13 security enabled.
Trunking disabled for Port 3/13 due to Security Mode.
switch-4006> (enable) set port security 3/13 maximum 2
Port 3/13 security maximum address 2.
switch-4006> (enable) set port security 3/13 violation restrict
Port 3/13 security violation mode restrict.
switch-4006> (enable) set port security 3/13 00-20-e0-8a-3b-74
..
Mac address 00-20-e0-8a-3b-74 set for port 3/13.
switch-4006> (enable) set port security 3/13 00-04-76-5e-c2-ab
..
Mac address 00-04-76-5e-c2-ab set for port 3/13.
switch-4006> (enable) show port security 3/13
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
3/13  enabled  restrict  0             0        2        disabled 167

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
3/13  2        00-20-e0-8a-3b-74 -        -                 no       -
               00-04-76-5e-c2-ab
switch-4006> (enable) set port security 3/16 enable
Port 3/16 security enabled.
Trunking disabled for Port 3/16 due to Security Mode.
switch-4006> (enable) set port security 3/16 00-04-76-5e-c2-ab
Mac address 00-04-76-5e-c2-ab already configured for port 3/13.
switch-4006> (enable) set port security 3/16 00-20-e0-8a-3b-74
Mac address 00-20-e0-8a-3b-74 already configured for port 3/13.
switch-4006> (enable)

What I would like to do is to secure 10 ports that will all allow the
same 10 MAC addresses.

Why is it not letting me do this? Who could help me?

Thanks
butre
 
Ivan Ostres
10-28-2003
"Butre" wrote:
> i have a cat 4000 switch (6.3(3))
> What i would like to do is to secure 10 ports that will all allow the
> same 10 mac addresses.
>
> why is it not letting me do this? who could help me?
>


dot1x

Ivan


 
Terry Baranski
10-29-2003
On 28 Oct 2003 03:58:54 -0800, Butre wrote:

>i have a cat 4000 switch (6.3(3))
>
>i would like to apply port security on 10 ports, these ports are all
>patched thru to our boardroom and i only want to allow 10 mac
>addresses to connect to our LAN using these 10 ports, this is to
>secure our internal LAN so that guest do not accidently connect to one
>of our LAN ports (i have an external network setup for them on a
>different switch) so they are forced to use that network)
> ...
>switch-4006> (enable) set port security 3/16 enable
>Port 3/16 security enabled.
>Trunking disabled for Port 3/16 due to Security Mode.
>switch-4006> (enable) set port security 3/16 00-04-76-5e-c2-ab
>Mac address 00-04-76-5e-c2-ab already configured for port 3/13.
>switch-4006> (enable) set port security 3/16 00-20-e0-8a-3b-74
>Mac address 00-20-e0-8a-3b-74 already configured for port 3/13.
>switch-4006> (enable)
>
>What i would like to do is to secure 10 ports that will all allow the
>same 10 mac addresses.
>
>why is it not letting me do this? who could help me?


When you add a secure MAC address to a port, the switch adds a static
entry to the CAM table mapping the MAC address to the port. The
reason you can't add the same secure MAC address to multiple ports is
because you can't have the same MAC address mapped to multiple ports
in the CAM table -- the switch can't know which port to forward such
packets out of.

You can use 802.1x as suggested by someone else, or you can use VMPS.
The latter may be easier. Cat4000s support VMPS server functionality
as of 7.2.

-Terry
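As an added illustration of the CAM-table rule Terry gives above, and of the "already configured for port 3/13" error in Butre's session, here is a small Python model; it is not code from the thread or from Cisco. The class and method names are invented for the example, while the port numbers and MAC addresses are the ones in the original post, and only the "restrict" violation mode is modelled.

```python
# Added example, not code from the thread: a model of the CAM-table rule that
# keeps one port per MAC. Class/method names are this example's own.

class CamTable:
    """Maps MAC -> port. A secure (static) entry pins a MAC to exactly one port."""

    def __init__(self):
        self.entries = {}   # mac -> (port, is_static)
        self.max_addr = {}  # port -> maximum secure addresses (security enabled)
        self.dropped = []   # (port, mac) frames refused in restrict mode

    def enable_security(self, port, maximum=1):
        self.max_addr[port] = maximum

    def secure_macs(self, port):
        return [m for m, (p, static) in self.entries.items() if p == port and static]

    def add_secure(self, port, mac):
        """Mirror of 'set port security <port> <mac>'."""
        if mac in self.entries and self.entries[mac][0] != port:
            # The CAM table holds one port per MAC, so a second binding is refused.
            return f"Mac address {mac} already configured for port {self.entries[mac][0]}."
        if len(self.secure_macs(port)) >= self.max_addr[port]:
            return f"Port {port} maximum secure addresses reached."
        self.entries[mac] = (port, True)
        return f"Mac address {mac} set for port {port}."

    def ingress(self, port, src_mac):
        """A frame from src_mac arrives on port; return the port-security decision."""
        if port in self.max_addr and src_mac not in self.secure_macs(port):
            self.dropped.append((port, src_mac))  # restrict: drop, leave port up
            return "dropped"
        if src_mac not in self.entries:
            self.entries[src_mac] = (port, False)  # ordinary dynamic learning
        return "forwarded"

    def lookup(self, dst_mac):
        """Egress port for dst_mac: one answer, hence one port per secure MAC."""
        return self.entries.get(dst_mac, (None, False))[0]


def replay_thread_session():
    """Re-run the commands from the original post against the model."""
    cam = CamTable()
    cam.enable_security("3/13", maximum=2)
    cam.enable_security("3/16", maximum=2)
    log = [cam.add_secure("3/13", "00-20-e0-8a-3b-74"),
           cam.add_secure("3/13", "00-04-76-5e-c2-ab"),
           cam.add_secure("3/16", "00-04-76-5e-c2-ab")]
    return cam, log
```

The third command reproduces the refusal Butre saw; the same table also shows why a frame from a guest's unknown MAC on a secured port is dropped while the port stays up.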
 
Ivan Ostres
10-29-2003
"Terry Baranski" wrote:
> On 28 Oct 2003 03:58:54 -0800, (E-Mail Removed) (Butre) wrote:
>
> You can use 802.1x as suggested by someone else, or you can use VMPS.
> The latter may be easier. Cat4000's support VMPS Server functionality
> as of 7.2.
>


Yup, it might be easier, but dot1x will provide additional functionality.

Ivan


 
Butre
11-01-2003
"Ivan Ostres" wrote:
> "Terry Baranski" wrote:
> > On 28 Oct 2003 03:58:54 -0800, (E-Mail Removed) (Butre) wrote:
> >
> > You can use 802.1x as suggested by someone else, or you can use VMPS.
> > The latter may be easier. Cat4000's support VMPS Server functionality
> > as of 7.2.
> >

>
> Yup, It might be easier, but dot1x will provide additional functionality.
>
> Ivan


Thanks for the replies, it has been very helpful and educational.

I have been advised by the company that installed the network 2 years
ago that they would not use VMPS. They claim VMPS was introduced by
Cisco because other network vendors offered this product, so it was more a
case of Cisco having to offer this functionality, but please don't use it.

I think I will look into 802.1x.

Thanks
Butre
 
Terry Baranski
11-02-2003
On 31 Oct 2003 23:38:18 -0800, Butre wrote:

>Thanks for the replies, it has been very helpful and educational.
>
>I have been advised by the company that installed the network 2 years
>ago that they would not use VMPS. They claim VMPS was introduced by
>Cisco because other network vendors offered this product, so it was more a
>case of Cisco having to offer this functionality, but please don't use it.


I've had a lot of success with it. But YMMV.

-Terry
 