Hi guys and girls,
I'm trying to set up port-security on my network using sticky MAC addresses instead of manually entering the MACs to reduce the workload on my colleagues.
My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM) and looked like this before being 'secured':
interface FastEthernet1/0/1
switchport access vlan 2
switchport voice vlan 10
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
and after:
interface FastEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0003.ff53.553c
switchport port-security mac-address sticky 001e.c952.553c
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
The switchport port-security mac-address sticky addresses were obtained automatically.
A show port-security interface fa1/0/1 looks like this:
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 5
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 0001.e324.6f48:10
Security Violation Count : 0
and my show version looks like this:
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1
Now the 'stickiness' has picked up my 2 PC nodes but not my telephone, which is included in the 'Total MAC Addresses' bit.
This means that if I unplug my telephone and replace it with a PC, this PC will access my network. Bad news!
And now for the million dollar question:
How can I set up my port to auto-learn my telephone and put this in the sticky table, thus blocking any traffic that is not coming from a trusted or learned node and keeping my port safe and sound? We cannot enter the MACs manually as we have a 192-port stack and no time!
Please help,
Chris
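An added example that is not part of Chris's post: a small Python audit that parses the show port-security interface output and the port-security lines of the interface config, and flags the gap described in the post. It reports secure MACs that were learned dynamically rather than as sticky entries (Total minus Configured minus Sticky), unused slots below the reported maximum that any new source MAC can claim, a configured maximum that does not match what the port reports, and a last source address that is absent from the sticky list. The sample inputs are constructed from the values shown in the post; the finding codes and function names are this script's own convention, not anything from IOS.

```python
"""Audit one port's port-security state from its config and 'show' output.
Added example, not from the forum post; samples are constructed from the
values the post shows, and the finding codes are this script's own."""
import re
from typing import Dict, List

# Constructed sample: the 'show port-security interface' output from the post.
SHOW_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 5
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 0001.e324.6f48:10
Security Violation Count : 0
"""

# Constructed sample: the port-security-relevant lines of the interface block.
INTERFACE_CONFIG = """\
interface FastEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0003.ff53.553c
 switchport port-security mac-address sticky 001e.c952.553c
"""

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"  # IOS dotted-hex MAC format


def parse_show(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; splits on the first colon only."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_config(text: str) -> dict:
    """Extract maximum, voice VLAN and the saved sticky MACs from an interface block."""
    cfg = {"maximum": None, "voice_vlan": None, "sticky_macs": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cfg["maximum"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport voice vlan (\d+)", line):
            cfg["voice_vlan"] = int(m.group(1))
        elif m := re.fullmatch(rf"switchport port-security mac-address sticky ({MAC_RE})", line):
            cfg["sticky_macs"].append(m.group(1))
    return cfg


def audit_port(show_text: str, config_text: str) -> List[dict]:
    """Return findings as dicts with a 'code' and a human-readable 'detail'."""
    show, cfg = parse_show(show_text), parse_config(config_text)
    findings: List[dict] = []
    total = int(show["Total MAC Addresses"])
    configured = int(show["Configured MAC Addresses"])
    sticky = int(show["Sticky MAC Addresses"])
    shown_max = int(show["Maximum MAC Addresses"])

    # Secure entries that are neither static nor sticky were learned dynamically:
    # they never reach the config and are gone after a reload or link flap.
    dynamic = total - configured - sticky
    if dynamic > 0:
        findings.append({"code": "DYNAMIC_NOT_STICKY", "count": dynamic,
                         "detail": f"{dynamic} secure MAC(s) learned dynamically, not saved as sticky"})
    # Slots below the maximum are free for whatever source MAC shows up next.
    free = shown_max - total
    if free > 0:
        findings.append({"code": "FREE_SLOTS", "count": free,
                         "detail": f"{free} unused slot(s) below maximum {shown_max}"})
    # The running config's maximum should agree with what the port reports.
    if cfg["maximum"] is not None and cfg["maximum"] != shown_max:
        findings.append({"code": "MAX_MISMATCH", "config": cfg["maximum"], "shown": shown_max,
                         "detail": f"config maximum {cfg['maximum']} but port reports {shown_max}"})
    # Last Source Address is 'mac:vlan'; flag it when it is not a saved sticky MAC.
    if m := re.fullmatch(rf"({MAC_RE}):(\d+)", show.get("Last Source Address", "")):
        mac, vlan = m.group(1), int(m.group(2))
        if mac not in cfg["sticky_macs"]:
            where = "voice VLAN" if vlan == cfg["voice_vlan"] else f"VLAN {vlan}"
            findings.append({"code": "LAST_SOURCE_NOT_STICKY", "mac": mac, "vlan": vlan,
                             "detail": f"last source {mac} on {where} is not in the sticky list"})
    return findings


if __name__ == "__main__":
    for f in audit_port(SHOW_OUTPUT, INTERFACE_CONFIG):
        print(f"{f['code']:24} {f['detail']}")
```

Run against the post's own values it reports one dynamically learned MAC (the phone), two free slots under the reported maximum of 5, a mismatch between the configured maximum of 3 and the reported 5, and a last source address on the voice VLAN that is not in the sticky list. Feeding it the output of show port-security interface and show running-config interface for each port of the stack gives a quick way to find every port in the same state.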