mrbodjagles (United States of America) asked:
Locking down Cisco switch ports.

Hello, I have a Cisco 2960 switch that I need to limit access to. How can I only allow access from a single MAC address?
If I have a Cisco phone attached to a Catalyst port, how do I limit the port that is physically on the phone?

bec0s (Netherlands) replied:

If I understand correctly, you need to enable port security on your switch.

For reference
http://www.techrepublic.com/article/lock-down-cisco-switch-port-security/6123047
http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.1_14_ea1/configuration/guide/swtrafc.html#wp1090391


The minimum commands you should use under the interface are:

```
! enable the feature on this port (nothing below takes effect without this line)
switchport port-security
! allow a single secure MAC address on the port
switchport port-security maximum 1
! learn the first MAC seen and keep it in the running configuration
switchport port-security mac-address sticky
```

This will enable the switch to lock the port to the first MAC address that it will "hear" on the port and permit traffic only from it until it is rebooted.

The default action if a second MAC comes in is to shut down the port. You can override this by using the command:

```
switchport port-security violation [restrict | shutdown | protect]
```

mrbodjagles (asker):
How do I lock down to just a specific IP address?
How do I lock down a port with a Cisco IP phone attached, since the Cisco IP phone also has a switch port.
Les Moore replied:
You can disable the phone's switchport in Callmanager.
Otherwise, what bec0s posted above is exactly what you need. You can't do it by IP address, but you can specify the mac-address or let the switch learn it with the sticky command above. The switch learns the first mac, and "sticks" it to that port. You can't move that device to another port on the switch.
Limiting the security to 1 single mac address with the maximum 1 command effectively does the same thing.
mrbodjagles (asker): I understand what you are saying, but I have a Cisco IP phone attached to the switch port. How do I enable only one MAC address on the phone switchport?

Les Moore: You can't do that specifically on the phone, but you can specify max 2 mac-addresses allowed on the switchport. This will lock down to the phone itself plus the first device connected to the phone.

mrbodjagles (asker): What are the commands to specify only 2 mac addresses?


Les Moore:

```
int fa0/0
! enable port security on the port
switchport port-security
! phone plus one device behind the phone
switchport port-security maximum 2
! statically configured secure MAC (placeholder; enter the real address)
switchport port-security mac-address xxxx.xxxx.xxxx
! err-disable the port on a violation (this is also the default)
switchport port-security violation shutdown
```

You can use the sticky command as mentioned above, but entering the MAC manually will give you more control over the MAC that connects to that port. As long as you don't have to enter a large number of MACs, I would suggest static configuration.

Forgot to mention: shutting down the port if there is a violation is the default action.
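Added example, not code from the thread or from Cisco: a small Python audit that parses the interface stanzas of a running-config and flags the port-security mistakes the replies above warn about, the phone-port case included. The running-config, interface names and the MAC address in it are constructed for illustration. The rules are the thread's own (maximum 1 with sticky for a single device, at least 2 where a phone sits in front of a PC, the three violation modes) plus two checks of my own that bite in practice: port-security options configured but the feature never enabled, and no explicit `switchport mode` (port security cannot be turned on for a DTP-negotiated dynamic port).

```python
"""Audit Cisco IOS interface stanzas for port-security mistakes (added example)."""
import re
from typing import Dict, List

MAX_RE = re.compile(r"^switchport port-security maximum (\d+)$")
VIOL_RE = re.compile(r"^switchport port-security violation (protect|restrict|shutdown)$")
MAC_RE = re.compile(r"^switchport port-security mac-address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")

# Constructed running-config for illustration; names and MAC are made up.
CONSTRUCTED_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/4
 switchport mode access
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/5
 switchport port-security
 switchport port-security violation protect
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stanza lines without indent]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def audit_port_security(config: str) -> Dict[str, List[str]]:
    """Return {interface: [finding, ...]} for every port that mentions port-security."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        ps = [l for l in lines if l.startswith("switchport port-security")]
        if not ps:
            continue  # port security never mentioned on this port: out of scope
        maximum, violation, static = 1, "shutdown", []  # IOS defaults
        for l in ps:
            if (m := MAX_RE.match(l)):
                maximum = int(m.group(1))
            elif (m := VIOL_RE.match(l)):
                violation = m.group(1)
            elif (m := MAC_RE.match(l)):
                static.append(m.group(1))
        sticky = "switchport port-security mac-address sticky" in lines
        voice = any(l.startswith("switchport voice vlan ") for l in lines)
        issues: List[str] = []
        if "switchport port-security" not in lines:
            issues.append("NOT_ENABLED: maximum/sticky/mac-address lines are inert without a bare 'switchport port-security'")
        if not any(l.startswith("switchport mode ") for l in lines):
            issues.append("NO_MODE: port security cannot be enabled on a dynamic (DTP) port; set 'switchport mode access'")
        if voice and maximum < 2:
            issues.append(f"VOICE_MAX: voice VLAN present but maximum is {maximum}; phone plus PC needs at least 2")
        if len(static) > maximum:
            issues.append(f"TOO_MANY_STATIC: {len(static)} static MACs exceed maximum {maximum}")
        if not sticky and len(static) < maximum:
            issues.append(f"INFO_DYNAMIC: {maximum - len(static)} address(es) learned dynamically and forgotten on reload (no sticky)")
        if violation == "protect":
            issues.append("PROTECT_SILENT: 'protect' drops offending frames without logging; prefer restrict or shutdown")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, port_issues in audit_port_security(CONSTRUCTED_CONFIG).items():
        print(port)
        for issue in port_issues:
            print("  -", issue)
```

Feed it the output of `show running-config` saved to a file and read the findings per port; FastEthernet0/1 in the sample is the clean single-device port and produces nothing, FastEthernet0/2 is Les Moore's phone-port layout and gets only the informational note that its second address is learned dynamically.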
mrbodjagles (asker): None of the experts' responses solved the issue.