port security on cisco cat 4000 switch

Discussion in 'Cisco' started by Butre, Oct 28, 2003.

  1. Butre

    Butre Guest

    I have a Cat 4000 switch (6.3(3)).

    I would like to apply port security on 10 ports. These ports are all
    patched through to our boardroom and I only want to allow 10 MAC
    addresses to connect to our LAN using these 10 ports. This is to
    secure our internal LAN so that guests do not accidentally connect to one
    of our LAN ports (I have an external network set up for them on a
    different switch), so they are forced to use that network.

    I first wanted to test this by securing 2 ports and allowing 2 MAC
    addresses.

    This is what I did:

    --------------------------
    Mon Aug 19 2002, 23:44:52
    switch-4006> (enable) set port security 3/13 enable
    Port 3/13 security enabled.
    Trunking disabled for Port 3/13 due to Security Mode.
    switch-4006> (enable) set port security 3/13 maximum 2
    Port 3/13 security maximum address 2.
    switch-4006> (enable) set port security 3/13 violation restrict
    Port 3/13 security violation mode restrict.
    switch-4006> (enable) set port security 3/13 00-20-e0-8a-3b-74
    ..
    Mac address 00-20-e0-8a-3b-74 set for port 3/13.
    switch-4006> (enable) set port security 3/13 00-04-76-5e-c2-ab
    ..
    Mac address 00-04-76-5e-c2-ab set for port 3/13.
    switch-4006> (enable) show port security 3/13
    Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
    ----- -------- --------- ------------- -------- -------- -------- -------
     3/13 enabled  restrict              0        0        2 disabled     167

    Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
    ----- -------- ----------------- -------- ----------------- ------------------
     3/13        2 00-20-e0-8a-3b-74        - -                 no       -
                   00-04-76-5e-c2-ab
    switch-4006> (enable) set port security 3/16 enable
    Port 3/16 security enabled.
    Trunking disabled for Port 3/16 due to Security Mode.
    switch-4006> (enable) set port security 3/16 00-04-76-5e-c2-ab
    Mac address 00-04-76-5e-c2-ab already configured for port 3/13.
    switch-4006> (enable) set port security 3/16 00-20-e0-8a-3b-74
    Mac address 00-20-e0-8a-3b-74 already configured for port 3/13.
    switch-4006> (enable)

    What I would like to do is to secure 10 ports that will all allow the
    same 10 MAC addresses.

    Why is it not letting me do this? Who could help me?

    thanks
    butre
     
    Butre, Oct 28, 2003
    #1

  2. Ivan Ostres

    Ivan Ostres Guest

    "Butre" <> wrote in message
    news:...
    > I have a Cat 4000 switch (6.3(3)).
    > What I would like to do is to secure 10 ports that will all allow the
    > same 10 MAC addresses.
    >
    > Why is it not letting me do this? Who could help me?
    >


    dot1x

    Ivan
     
    Ivan Ostres, Oct 28, 2003
    #2
  3. On 28 Oct 2003 03:58:54 -0800, (Butre) wrote:

    >I have a Cat 4000 switch (6.3(3)).
    >
    >I would like to apply port security on 10 ports. These ports are all
    >patched through to our boardroom and I only want to allow 10 MAC
    >addresses to connect to our LAN using these 10 ports. This is to
    >secure our internal LAN so that guests do not accidentally connect to one
    >of our LAN ports (I have an external network set up for them on a
    >different switch), so they are forced to use that network.
    > ...
    >switch-4006> (enable) set port security 3/16 enable
    >Port 3/16 security enabled.
    >Trunking disabled for Port 3/16 due to Security Mode.
    >switch-4006> (enable) set port security 3/16 00-04-76-5e-c2-ab
    >Mac address 00-04-76-5e-c2-ab already configured for port 3/13.
    >switch-4006> (enable) set port security 3/16 00-20-e0-8a-3b-74
    >Mac address 00-20-e0-8a-3b-74 already configured for port 3/13.
    >switch-4006> (enable)
    >
    >What I would like to do is to secure 10 ports that will all allow the
    >same 10 MAC addresses.
    >
    >Why is it not letting me do this? Who could help me?


    When you add a secure MAC address to a port, the switch adds a static
    entry to the CAM table mapping the MAC address to the port. The
    reason you can't add the same secure MAC address to multiple ports is
    that you can't have the same MAC address mapped to multiple ports
    in the CAM table -- the switch can't know which port to forward such
    packets out of.

    You can use 802.1x as suggested by someone else, or you can use VMPS.
    The latter may be easier. Cat4000s support VMPS server functionality
    as of 7.2.

    -Terry
     
    Terry Baranski, Oct 29, 2003
    #3
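    To make Terry's CAM-table explanation concrete, here is a small Python model of
    a CatOS-style switch with per-port static secure MAC entries. It is an added
    example for this thread, not code from any poster or from Cisco, and it is a
    deliberate simplification: the Switch class, its method names and the guest
    MAC 00-11-22-33-44-55 are constructed for illustration; the ports and the two
    secure MACs are the ones from Butre's session. It reproduces the "already
    configured for port 3/13" rejection (a static entry binds one MAC to one port)
    and shows what violation mode restrict does with a frame from an unknown
    source: the frame is dropped and counted, the port stays up.

```python
"""Toy CatOS-style CAM table with per-port static secure MAC entries (added example).

Simplifications (assumptions, not CatOS behaviour): no ageing, no traps, no VLANs,
and dynamically learned secure addresses are kept until the port is reconfigured.
"""
from dataclasses import dataclass, field


class AlreadyConfigured(Exception):
    """Mirrors 'Mac address X already configured for port Y' from the session."""


@dataclass
class PortSecurity:
    enabled: bool = False
    maximum: int = 1
    violation: str = "shutdown"                  # CatOS modes: shutdown | restrict
    secure: list = field(default_factory=list)   # secure MACs bound to this port
    violations: int = 0                          # counted on every rejected frame
    shutdown: bool = False


class Switch:
    def __init__(self, ports):
        self.cam = {}                                   # mac -> (port, is_static)
        self.ports = {p: PortSecurity() for p in ports}

    def set_port_security(self, port, enable=True, maximum=1, violation="shutdown"):
        ps = self.ports[port]
        ps.enabled, ps.maximum, ps.violation = enable, maximum, violation

    def add_secure_mac(self, port, mac):
        """Static secure entry: one MAC maps to exactly one port in the CAM table."""
        owner = self.cam.get(mac)
        if owner is not None and owner[1] and owner[0] != port:
            raise AlreadyConfigured(
                f"Mac address {mac} already configured for port {owner[0]}.")
        ps = self.ports[port]
        if len(ps.secure) >= ps.maximum:
            raise ValueError(f"Port {port} already has {ps.maximum} secure addresses.")
        ps.secure.append(mac)
        self.cam[mac] = (port, True)

    def ingress(self, port, src_mac):
        """Classify a frame arriving on port: 'forward', 'drop' or 'shutdown'."""
        ps = self.ports[port]
        if ps.shutdown:
            return "drop"
        if not ps.enabled:                              # plain learning port
            self.cam.setdefault(src_mac, (port, False))
            return "forward"
        if src_mac in ps.secure:
            return "forward"
        owner = self.cam.get(src_mac)
        if len(ps.secure) < ps.maximum and (owner is None or not owner[1]):
            ps.secure.append(src_mac)                   # dynamic learning up to maximum
            self.cam[src_mac] = (port, True)
            return "forward"
        ps.violations += 1                              # security violation
        if ps.violation == "shutdown":
            ps.shutdown = True
            return "shutdown"
        return "drop"                                   # restrict: drop, port stays up


def reproduce_thread():
    """Replay Butre's session, then plug a constructed guest MAC into 3/13."""
    sw = Switch(["3/13", "3/16"])
    sw.set_port_security("3/13", maximum=2, violation="restrict")
    sw.add_secure_mac("3/13", "00-20-e0-8a-3b-74")
    sw.add_secure_mac("3/13", "00-04-76-5e-c2-ab")
    sw.set_port_security("3/16", maximum=2, violation="restrict")
    try:
        sw.add_secure_mac("3/16", "00-04-76-5e-c2-ab")
        conflict = None
    except AlreadyConfigured as exc:
        conflict = str(exc)
    guest = sw.ingress("3/13", "00-11-22-33-44-55")     # constructed guest laptop MAC
    laptop = sw.ingress("3/13", "00-20-e0-8a-3b-74")    # one of the secure MACs
    return conflict, guest, laptop, sw.ports["3/13"].violations


if __name__ == "__main__":
    print(reproduce_thread())
```

    The model makes the scaling problem visible: a secure MAC is a per-port fact in
    the CAM table, so "any of these 10 MACs on any of these 10 ports" cannot be
    expressed with static port security at all. 802.1x and VMPS both move the
    decision out of the CAM table (to a RADIUS or VMPS server that decides per
    authenticated device or per MAC which VLAN a port joins), which is why both
    replies point there.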
  4. Ivan Ostres

    Ivan Ostres Guest

    "Terry Baranski" <0VE> wrote in message
    news:...
    > On 28 Oct 2003 03:58:54 -0800, (Butre) wrote:
    >
    > You can use 802.1x as suggested by someone else, or you can use VMPS.
    > The latter may be easier. Cat4000's support VMPS Server functionality
    > as of 7.2.
    >


    Yup, it might be easier, but dot1x will provide additional functionality.

    Ivan
     
    Ivan Ostres, Oct 29, 2003
    #4
  5. Butre

    Butre Guest

    "Ivan Ostres" <> wrote in message news:<bnnuf4$13ca8q$-berlin.de>...
    > "Terry Baranski" <0VE> wrote in message
    > news:...
    > > On 28 Oct 2003 03:58:54 -0800, (Butre) wrote:
    > >
    > > You can use 802.1x as suggested by someone else, or you can use VMPS.
    > > The latter may be easier. Cat4000's support VMPS Server functionality
    > > as of 7.2.
    > >
    >
    > Yup, It might be easier, but dot1x will provide additional functionality.
    >
    > Ivan


    Thanks for the replies, it has been very helpful and educational.

    I have been advised by the company that installed the network 2 years
    ago that they would not use VMPS. They claim VMPS was introduced by
    Cisco because other network vendors offered this product, so it was more a
    case of Cisco had to offer this functionality but please don't use it.

    I think I will look into 802.1x.

    Thanks
    Butre
     
    Butre, Nov 1, 2003
    #5
  6. On 31 Oct 2003 23:38:18 -0800, (Butre) wrote:

    >Thanks for the replies, it has been very helpful and educational.
    >
    >I have been advised by the company that installed the network 2 years
    >ago that they would not use VMPS. They claim VMPS was introduced by
    >Cisco because other network vendors offered this product, so it was more a
    >case of Cisco had to offer this functionality but please don't use it.


    I've had a lot of success with it. But YMMV.

    -Terry
     
    Terry Baranski, Nov 2, 2003
    #6