Solved

Port Security LAN

Posted on 2011-03-23
Last Modified: 2012-06-27
We currently use port-security on the LAN with a separate VLAN for Voice and Data. We want to protect against a person inside the LAN disconnecting a PC, then plugging in a laptop or WAP and getting an IP via DHCP. I am looking for solutions and ideas, best practices, etc. What options are there besides using 802.1x?
0
Question by:markra4508
4 Comments
 
LVL 7

Assisted Solution

by:enzogoy
enzogoy earned 83 total points
ID: 35203911
You can set that port security to the MAC address of the Ethernet of that desktop. It will stop that port from connecting to anything else.

Problem: When you replace the desktop, you have to remember to change the MAC address in the switch config too.
0
 

Author Comment

by:markra4508
ID: 35204009
Thanks for the response,

Will look into this option.
0
 
LVL 4

Assisted Solution

by:kloux
kloux earned 83 total points
ID: 35204149
You want something like this. Use the sticky command so you don't have to enter all the MAC addresses manually, and limit the number to 2: one MAC for the PC and one for the phone if they are using the same port on the switch.


Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security interface fastethernet 3/12
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Aging Time                 :0
Aging Type                 :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses      :5
Total MAC Addresses        :0
Configured MAC Addresses   :0
Sticky MAC Addresses       :11
Last Source Address        :0000.0000.0401
Security Violation Count   :0
0
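An added example, not part of the posts above and not Cisco tooling: a Python check that parses show port-security interface output in the layout kloux pasted and flags settings that weaken the control, such as a maximum above the two devices (PC and phone) the answer calls for. The function names, the two-device threshold and the sample values are assumptions made for this example.

```python
import re

# Constructed sample in the "show port-security interface" layout shown above;
# the values are made up for this example.
SAMPLE = """\
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Maximum MAC Addresses      :5
Total MAC Addresses        :2
Configured MAC Addresses   :0
Sticky MAC Addresses       :0
Last Source Address        :0000.0000.0401
Security Violation Count   :3
"""

def parse_port_security(text):
    """Turn 'Field name   :value' lines into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def audit_port(text, expected_devices=2):
    """Return findings for one port. expected_devices=2 assumes PC + phone."""
    f = parse_port_security(text)
    if f.get("Port Security", "").lower() != "enabled":
        return ["port security is not enabled"]
    findings = []
    maximum = int(f.get("Maximum MAC Addresses", 0))
    if maximum > expected_devices:
        findings.append(f"maximum {maximum} leaves {maximum - expected_devices} "
                        "spare MAC slot(s) for an extra device")
    pinned = int(f.get("Sticky MAC Addresses", 0)) + int(f.get("Configured MAC Addresses", 0))
    if pinned == 0:
        findings.append("no sticky or static MAC address is pinned to this port")
    violations = int(f.get("Security Violation Count", 0))
    if violations > 0:
        findings.append(f"{violations} violation(s) recorded; check what was plugged in")
    if f.get("Port Status", "").lower() == "secure-shutdown":
        findings.append("port is shut down after a violation")
    return findings

if __name__ == "__main__":
    for finding in audit_port(SAMPLE):
        print("-", finding)
```

A clean result only means the port is configured as intended; it says nothing about a device that presents an already-permitted MAC address.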
 
LVL 3

Accepted Solution

by:jerbear1337
jerbear1337 earned 84 total points
ID: 35204703
enzogoy:
You can set that port security to the MAC address of the Ethernet of that desktop. It will stop that port from connecting to anything else.

Please note authentication via MAC address is not secure. Anyone could easily spoof the MAC address of an authenticated machine to gain valid network addresses.
0
