Solved

Port Security LAN

Posted on 2011-03-23
4
475 Views
Last Modified: 2012-06-27
We currently use port-security on the LAN with a separate VLAN for Voice and Data. We want to protect against a person inside the LAN disconnecting a PC, then plugging in a laptop or WAP and getting an IP via DHCP. I am looking for solutions and ideas, best practice, etc. What options are there besides using 802.1x?
0
Question by:markra4508
4 Comments
 
LVL 7

Assisted Solution

by:enzogoy
enzogoy earned 83 total points
ID: 35203911
You can set that port security to the MAC address of the Ethernet adapter of that desktop. It will stop that port from connecting to anything else.

Problem: When you replace the desktop, you have to remember to change the MAC address in the switch config too.
0
 

Author Comment

by:markra4508
ID: 35204009
Thanks for the response,

Will look into this option.
0
 
LVL 4

Assisted Solution

by:kloux
kloux earned 83 total points
ID: 35204149
You want something like this. Use the sticky command so you don't have to enter all the MAC addresses manually, and limit the number to 2: one MAC for the PC and one for the phone, if they are using the same port on the switch.


Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security interface fastethernet 3/12
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Aging Time                 :0
Aging Type                 :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses      :5
Total MAC Addresses        :0
Configured MAC Addresses   :0
Sticky MAC Addresses       :11
Last Source Address        :0000.0000.0401
Security Violation Count   :0
0
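An added example, not part of the original posts: a small Python audit of `show port-security interface` output, run here against the sample output from the post above. It flags the sample because the session sets a maximum of 5 while the post recommends 2, and because more sticky addresses are listed than the maximum allows. The function names and the `MAX_ALLOWED` constant are assumptions made for this example; the check reads configuration state only and says nothing about a spoofed MAC address.

```python
import re

# `show port-security interface` output copied from the sample in the post above.
SAMPLE = """\
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Aging Time                 :0
Aging Type                 :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses      :5
Total MAC Addresses        :0
Configured MAC Addresses   :0
Sticky MAC Addresses       :11
Last Source Address        :0000.0000.0401
Security Violation Count   :0
"""

MAX_ALLOWED = 2  # assumption taken from the post: one MAC for the PC, one for the phone

def parse_port_security(text):
    """Turn 'Key   :Value' lines into a dict; purely numeric values become int."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            key, value = m.groups()
            fields[key] = int(value) if value.isdigit() else value
    return fields

def audit(fields, max_allowed=MAX_ALLOWED):
    """Return a list of findings for one interface (empty list means no finding)."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    limit = fields.get("Maximum MAC Addresses", 0)
    if limit > max_allowed:
        findings.append(f"maximum is {limit}, expected at most {max_allowed}")
    learned = max(fields.get("Total MAC Addresses", 0), fields.get("Sticky MAC Addresses", 0))
    if learned > limit:
        findings.append(f"{learned} addresses recorded but maximum is {limit}")
    if fields.get("Security Violation Count", 0) > 0:
        findings.append("violations recorded: check what was plugged in")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE)):
        print("fastethernet 3/12:", finding)
```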
 
LVL 3

Accepted Solution

by:
jerbear1337 earned 84 total points
ID: 35204703
enzogoy:
You can set that port security to the MAC address of the Ethernet adapter of that desktop. It will stop that port from connecting to anything else.

Please note authentication via MAC address is not secure. Anyone could easily spoof the MAC address of an authenticated machine to gain valid network addresses.
0
