
Cisco Switch Question

Jack_son_ asked:
How can I bind an IP address to a port in the Cisco IOS?  I want to prevent other devices from being plugged into that port, only allowing the single MAC.


Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010
Commented:
Hi,

you need:

Conf t
 int fas 0/x
 switchport port-security
 switchport port-security max 1
 switchport port-security mac-address sticky
 switchport port-security violation rest

http://www.conetrix.com/Blog/post/Cisco-Port-Security-and-Sticky-MAC-Addresses.aspx
Hi,

In addition to ikalmer's comment, make sure the port is an access port, because port security cannot be enabled on a dynamic access port: switchport mode access.

Author

Commented:
Great, thanks; so it will only allow the 1 IP address?

Also, what does the violation rest do?  Trying to learn this better!

Thanks,

Marius Gunnerud, Senior Systems Engineer
Top Expert 2013
Commented:
It won't take one IP address but will restrict the port to allowing only one MAC address.  Be very careful when using the sticky command though.  Be 100% sure that the correct device will be the first to connect to the port.  Otherwise configure the MAC address manually.

Author

Commented:
Great, thanks - I may do manual and sticky both; I tested and it works great.  The only issue is bringing the port back up did not work with no shut in global config mode; is there another way?  Second, how do you clear the MAC if the user changes?

Marius Gunnerud, Senior Systems Engineer
Top Expert 2013
Commented:
Rest is shorthand for restrict.  This means that the port will ignore all traffic but sends an SNMP trap to the configured server.  I would suggest setting it to shutdown (depending of course on how many ports you plan to configure and manage).  This will place the port in err disable state and will require a manual reset to get the port back up and running.
Marius Gunnerud, Senior Systems Engineer
Top Expert 2013
Commented:
You will need to do the shut, no shut on the interface level. Or you can issue the command errdisable recovery in global configuration mode.

Author

Commented:
that did the trick - thanks, this solution works great!
Marius Gunnerud, Senior Systems Engineer
Top Expert 2013

Commented:
Keep in mind that the errdisable recovery will clear all err disabled interfaces... It might be better to do it one at a time to keep an overview of where the issues are occurring.  You can issue the command clear port-security sticky interface fa0/1, where fa0/1 is the interface where you have configured the switchport port-security command. If you are using the sticky command you can reboot the device and that will clear the MAC address configuration.  You could also remove the command and then re-add it with the new MAC address.
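
A config audit for the single-MAC policy discussed in this thread, as an added example that is not part of any participant's post: it parses a constructed running-config excerpt and flags ports where port-security sub-commands exist but the feature is not enabled, switchport mode access is missing, the maximum exceeds 1, or sticky learning has not yet bound a MAC. The function name, finding strings, interface numbers and MAC address are assumptions made for illustration.

```python
import re
# Constructed running-config excerpt; interface numbers and the MAC are made up.
# IOS leaves defaults out of the running-config (maximum 1, violation shutdown).
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
interface FastEthernet0/2
 switchport port-security maximum 3
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
"""
PS = "switchport port-security"

def audit(config):
    """Return {interface: [findings]} for every port with port-security lines."""
    ports, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            ports[name] = []
        elif name and line.startswith(" "):
            ports[name].append(line.strip())
    report = {}
    for name, cmds in ports.items():
        ps = [c for c in cmds if c.startswith(PS)]
        if not ps:
            continue  # no port-security configuration on this port
        found = []
        if PS not in cmds:  # the bare command is what turns the feature on
            found.append("sub-commands set but port security not enabled")
        if "switchport mode access" not in cmds:
            found.append("switchport mode access missing")
        m = re.search(r"maximum (\d+)", "\n".join(ps))
        if m and int(m.group(1)) > 1:  # absent line means the default of 1
            found.append(f"maximum is {m.group(1)}, expected 1")
        macs = [c for c in ps if re.search(r"mac-address (sticky )?[0-9a-f.]{14}", c)]
        if f"{PS} mac-address sticky" in cmds and not macs:
            found.append("sticky set, no MAC learned yet")  # first device to connect gets bound
        report[name] = found
    return report

if __name__ == "__main__":
    print("\n".join(f"{p}: {f or 'ok'}" for p, f in audit(SAMPLE).items()))
```
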
