port security on cisco cat 4000 switch

Discussion in 'Cisco' started by Butre, Oct 28, 2003.

  1. Butre

    Butre Guest

    i have a cat 4000 switch (6.3(3))

    i would like to apply port security on 10 ports, these ports are all
    patched thru to our boardroom and i only want to allow 10 mac
    addresses to connect to our LAN using these 10 ports, this is to
    secure our internal LAN so that guests do not accidentally connect to one
    of our LAN ports (i have an external network setup for them on a
    different switch) so they are forced to use that network

    i first wanted to test this by securing 2 ports and allowing 2 mac
    addresses

    this is what i did

    --------------------------
    Mon Aug 19 2002, 23:44:52
    switch-4006> (enable) set port security 3/13 enable
    Port 3/13 security enabled.
    Trunking disabled for Port 3/13 due to Security Mode.
    switch-4006> (enable) set port security 3/13 maximum 2
    Port 3/13 security maximum address 2.
    switch-4006> (enable) set port security 3/13 violation restrict
    Port 3/13 security violation mode restrict.
    switch-4006> (enable) set port security 3/13 00-20-e0-8a-3b-74
    ..
    Mac address 00-20-e0-8a-3b-74 set for port 3/13.
    switch-4006> (enable) set port security 3/13 00-04-76-5e-c2-ab
    ..
    Mac address 00-04-76-5e-c2-ab set for port 3/13.
    switch-4006> (enable) show port security 3/13
    Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
    ----- -------- --------- ------------- -------- -------- -------- -------
     3/13 enabled  restrict              0        0        2 disabled     167

    Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
    ----- -------- ----------------- -------- ----------------- ------------------
     3/13        2 00-20-e0-8a-3b-74        - -                 no        -
                   00-04-76-5e-c2-ab
    switch-4006> (enable) set port security 3/16 enable
    Port 3/16 security enabled.
    Trunking disabled for Port 3/16 due to Security Mode.
    switch-4006> (enable) set port security 3/16 00-04-76-5e-c2-ab
    Mac address 00-04-76-5e-c2-ab already configured for port 3/13.
    switch-4006> (enable) set port security 3/16 00-20-e0-8a-3b-74
    Mac address 00-20-e0-8a-3b-74 already configured for port 3/13.
    switch-4006> (enable)

    What i would like to do is to secure 10 ports that will all allow the
    same 10 mac addresses.

    why is it not letting me do this? who could help me?

    thanks
    butre
     
    Butre, Oct 28, 2003
    #1

  2. Ivan Ostres

    Ivan Ostres Guest

    dot1x

    Ivan
     
    Ivan Ostres, Oct 28, 2003
    #2

  3. When you add a secure MAC address to a port, the switch adds a static
    entry to the CAM table mapping the MAC address to the port. The
    reason you can't add the same secure MAC address to multiple ports is
    because you can't have the same MAC address mapped to multiple ports
    in the CAM table -- the switch can't know which port to forward such
    packets out of.

    You can use 802.1x as suggested by someone else, or you can use VMPS.
    The latter may be easier. Cat4000's support VMPS Server functionality
    as of 7.2.

    -Terry
     
    Terry Baranski, Oct 29, 2003
    #3
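    To make the CAM-table argument above concrete, here is a small model of a switch with port security (added here as an illustration, not code from the thread or from Cisco). It treats the CAM table as a MAC-to-port map, which is exactly why binding the same secure MAC to a second port fails, and it walks through the "maximum 2" / "violation restrict" behaviour from the original post frame by frame. Port numbers and the two MACs come from the thread; the guest MAC, the third port and the dynamic-learning rule (unused slots filled by the first addresses seen) are assumptions for the example.

    ```python
    """Toy model of a CatOS-style CAM table with port security (added example)."""
    from dataclasses import dataclass, field


    class PortSecurityError(Exception):
        """Raised when a configuration step is rejected, mirroring a CatOS error line."""


    @dataclass
    class PortSecurity:
        enabled: bool = False
        maximum: int = 1              # one secure address per port unless raised
        violation: str = "shutdown"   # "shutdown" or "restrict"
        secure: list = field(default_factory=list)
        shutdown: bool = False
        violations: int = 0


    class Switch:
        def __init__(self, ports):
            self.ports = {p: PortSecurity() for p in ports}
            # CAM table: one entry per MAC, so a MAC can map to exactly one port.
            self.cam = {}

        def enable_security(self, port, maximum=1, violation="shutdown"):
            ps = self.ports[port]
            ps.enabled, ps.maximum, ps.violation = True, maximum, violation

        def add_secure_mac(self, port, mac):
            """Static secure entry: fails if the MAC is already pinned to another port."""
            ps = self.ports[port]
            if not ps.enabled:
                raise PortSecurityError(f"Port {port} security is not enabled.")
            owner = self.cam.get(mac)
            if owner is not None and owner != port:
                # The same static CAM entry cannot point at two ports.
                raise PortSecurityError(
                    f"Mac address {mac} already configured for port {owner}.")
            if mac in ps.secure:
                return
            if len(ps.secure) >= ps.maximum:
                raise PortSecurityError(
                    f"Port {port} already has {ps.maximum} secure address(es).")
            ps.secure.append(mac)
            self.cam[mac] = port

        def receive(self, port, src_mac):
            """Decide what happens to a frame from src_mac arriving on port."""
            ps = self.ports[port]
            if ps.shutdown:
                return "drop"
            if not ps.enabled:
                self.cam[src_mac] = port       # ordinary dynamic learning
                return "forward"
            if src_mac in ps.secure:
                return "forward"
            if len(ps.secure) < ps.maximum and src_mac not in self.cam:
                # Assumption: free slots are filled by dynamically learned secure MACs.
                ps.secure.append(src_mac)
                self.cam[src_mac] = port
                return "forward"
            ps.violations += 1
            if ps.violation == "restrict":
                return "drop"                  # restrict: drop offender, port stays up
            ps.shutdown = True                 # shutdown: port is err-disabled
            return "shutdown"


    def demo():
        """Replays the thread's configuration and a few constructed frames."""
        sw = Switch(["3/13", "3/16", "3/17"])
        sw.enable_security("3/13", maximum=2, violation="restrict")
        sw.add_secure_mac("3/13", "00-20-e0-8a-3b-74")
        sw.add_secure_mac("3/13", "00-04-76-5e-c2-ab")
        sw.enable_security("3/16", maximum=2, violation="restrict")
        try:
            sw.add_secure_mac("3/16", "00-04-76-5e-c2-ab")
            second_port_error = None
        except PortSecurityError as e:
            second_port_error = str(e)
        sw.enable_security("3/17", maximum=1, violation="shutdown")
        sw.receive("3/17", "00-11-22-33-44-55")            # constructed: learned as secure
        return {
            "second_port_error": second_port_error,
            "known_on_3_13": sw.receive("3/13", "00-20-e0-8a-3b-74"),
            "guest_on_3_13": sw.receive("3/13", "00-aa-bb-cc-dd-ee"),  # constructed guest MAC
            "violations_3_13": sw.ports["3/13"].violations,
            "cam_owner": sw.cam["00-04-76-5e-c2-ab"],
            "second_mac_on_3_17": sw.receive("3/17", "00-aa-bb-cc-dd-ee"),
        }


    if __name__ == "__main__":
        for key, value in demo().items():
            print(f"{key}: {value}")
    ```

    The rejected second binding reproduces the "already configured for port 3/13" message the original poster saw; the guest frame on 3/13 is dropped and counted rather than disabling the port because that port is in restrict mode, while the same guest MAC on the shutdown-mode port takes the port down.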
  4. Ivan Ostres

    Ivan Ostres Guest

    Yup, It might be easier, but dot1x will provide additional functionality.

    Ivan
     
    Ivan Ostres, Oct 29, 2003
    #4
  5. Butre

    Butre Guest

    Thanks for the replies, it has been very helpful and educational

    I have been advised by the company that installed the network 2 years
    ago that they would not use VMPS, they claim VMPS was introduced by
    Cisco as other network vendors offered this product so it was more a
    case of cisco had to offer this functionality but please don't use it.

    I think i will look into 802.1x.

    Thanks
    Butre
     
    Butre, Nov 1, 2003
    #5
  6. I've had a lot of success with it. But YMMV.

    -Terry
     
    Terry Baranski, Nov 2, 2003
    #6