Solved

Port Security LAN

Posted on 2011-03-23
Last Modified: 2012-06-27
We currently use port-security on the LAN with a separate VLAN for Voice and Data. We want to protect against a person inside the LAN disconnecting a PC, then plugging in a laptop or WAP and getting an IP via DHCP... I am looking for solutions and ideas, best practices, etc. What options are there besides using 802.1x?
Question by:markra4508
4 Comments
 
LVL 7

Assisted Solution

by:enzogoy
enzogoy earned 83 total points
You can set that port security to the MAC address of the Ethernet adapter of that desktop.  It will stop that port from connecting to anything else.

Problem:  When you replace the desktop, you have to remember to change the MAC address in the switch config too.
0
 

Author Comment

by:markra4508
Thanks for the response,

Will look into this option.
0
 
LVL 4

Assisted Solution

by:kloux
kloux earned 83 total points
You want something like this. Use the sticky command so you don't have to enter all the MAC addresses manually and limit the number to 2. One MAC for the PC and one for the phone if they are using the same port on the switch.


Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security interface fastethernet 3/12
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Aging Time                 :0
Aging Type                 :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses      :5
Total MAC Addresses        :0
Configured MAC Addresses   :0
Sticky MAC Addresses       :11
Last Source Address        :0000.0000.0401
Security Violation Count   :0
0
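An added example, not part of the post above and not Cisco tooling: a small Python audit that parses `show port-security interface` output and flags a port whose MAC limit or learned-address counts exceed the two-address limit (PC plus phone) recommended in the post. The function names and the `max_allowed` policy value are assumptions; the sample text reuses fields from the output above.

```python
# Constructed sample: a subset of the fields from the
# `show port-security interface` output posted above, for one port.
SAMPLE = """\
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Maximum MAC Addresses      :5
Total MAC Addresses        :0
Configured MAC Addresses   :0
Sticky MAC Addresses       :11
Last Source Address        :0000.0000.0401
Security Violation Count   :0
"""

def parse_port_security(text):
    """Turn 'Field name   :value' lines into a dict keyed by field name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields

def audit_port(fields, max_allowed=2):
    """Return a list of findings for one port.

    max_allowed=2 is an assumed policy value: one MAC for the PC and
    one for the phone, as suggested in the thread.
    """
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    maximum = int(fields.get("Maximum MAC Addresses", 0))
    if maximum > max_allowed:
        findings.append(f"maximum is {maximum}, policy allows {max_allowed}")
    for key in ("Total MAC Addresses", "Sticky MAC Addresses"):
        count = int(fields.get(key, 0))
        if count > max_allowed:
            findings.append(f"{key} is {count}, policy allows {max_allowed}")
    if int(fields.get("Security Violation Count", 0)) > 0:
        findings.append("violations recorded; review the last source address")
    return findings

if __name__ == "__main__":
    for finding in audit_port(parse_port_security(SAMPLE)):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the configured maximum of 5 and the sticky count of 11 as exceeding the two-address policy.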
 
LVL 3

Accepted Solution

by:jerbear1337
jerbear1337 earned 84 total points
enzogoy:
You can set that port security to the MAC address of the Ethernet adapter of that desktop.  It will stop that port from connecting to anything else.

Please note authentication via MAC address is not secure.  Anyone could easily spoof the MAC address of an authenticated machine to gain valid network addresses.
0
