Cisco 2950 Switch Port Security

Hello,

I have a 2950 switch where I will have a retail Netgear switch attached to one of the ports.  The devices attached to the Netgear switch will change frequently as I will use it to work on clients' systems.

Because of the frequent system/MAC address changes, I cannot figure out how I can setup any sort of security on the 2950.

Please advise.

Thank you and have a great day,

Don
GEMCC Asked:

Miftaul Commented:
You can set up port security with the MAC addresses as sticky and set the maximum number to the number of ports on the Netgear. You will have to regularly clean up the learned MAC addresses as they fill up.
GEMCC (Author) Commented:
Hello,

Would I be able to set a time limit as to how long a MAC address is stored versus having to manually clean it up?

Thanks for your help,

Don
JustInCase Commented:
You can still enable port security on that port (if some conditions are met); you need to set MAC aging. The port can be configured as an access port as long as there are fewer than 132 MAC addresses within the MAC aging period (0 - 1440 minutes) set for port security.


Router(config)# interface fastethernet 0/1
Router(config-if)# switchport mode access
Router(config-if)# switchport port-security maximum 64
Router(config-if)# switchport port-security mac-address sticky
Router(config-if)# switchport port-security aging time 20
Router(config-if)# switchport port-security aging type inactivity
Router(config-if)# switchport port-security violation protect
Router(config-if)# switchport port-security

Example: any MAC address will be removed from port security after 20 minutes of inactivity, with a maximum of 64 MAC addresses at one time on the port. When there are more than the maximum number of MAC addresses on the port, traffic from new MAC addresses will be dropped. You can set absolute time instead of inactivity, but more on that at the link below.

More: 2950 port security

Miftaul Commented:
Port security aging is the option, as stated by Predrag Jovic.

When any port goes into the errdisable state, you might also set

SW15(config)#errdisable recovery cause psecure-violation
SW15(config)#errdisable recovery interval 1800
JustInCase Commented:
If port-security violation protect or port-security violation restrict is set, there is no need for errdisable recovery, since the port will not go to the error-disabled state. The port will be error-disabled only with port-security violation shutdown (the default). :)
• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
• restrict—A port security violation restricts data and causes the SecurityViolation counter to increment and sends an SNMP trap.
• shutdown—The interface is error-disabled when a security violation occurs.
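Once the aging and violation settings from the answers above are in place, the remaining operational risk is drift (someone changes the port back to the shutdown default or clears aging) and the secure MAC table filling up. The following is an added example, not from the original thread: a small Python audit that parses `show port-security interface` output (the sample text is constructed; the field names follow the IOS format) and reports deviations from the configuration posted above.

```python
import re

# Intended policy, taken from the configuration posted in the answer above.
POLICY = {
    "Port Security": "Enabled",
    "Violation Mode": "Protect",
    "Aging Time": "20 mins",
    "Aging Type": "Inactivity",
    "Maximum MAC Addresses": "64",
}

# Constructed sample of `show port-security interface fa0/1` output.
# The layout follows IOS; the values are made up to show a drifted port.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 64
Total MAC Addresses        : 64
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 64
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 3
"""

def parse_port_security(text):
    """Turn the 'Key : Value' lines of show port-security output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+:\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def audit(text, policy=POLICY):
    """Return a list of findings: policy mismatches plus operational warnings."""
    f = parse_port_security(text)
    findings = []
    for key, wanted in policy.items():
        if f.get(key) != wanted:
            findings.append(f"{key}: expected {wanted!r}, got {f.get(key)!r}")
    # Table full: new devices behind the Netgear will be dropped or trip a violation.
    if f.get("Total MAC Addresses") == f.get("Maximum MAC Addresses"):
        findings.append("secure MAC table is full; new devices will be blocked")
    if int(f.get("Security Violation Count", "0")) > 0:
        findings.append(f"{f['Security Violation Count']} violations recorded")
    return findings
```

Run `audit()` over the output of each port-security port; an empty list means the port matches the posted configuration and has headroom in its MAC table.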
GEMCC (Author) Commented:
Thanks to all of the quick responses!