Follow these guidelines when configuring port security:
* Port security can only be configured on static access ports.
* A secure port cannot be a dynamic access port or a trunk port.
* A secure port cannot be a protected port.
* A secure port cannot be a destination port for Switch Port
Analyzer (SPAN).
* A secure port cannot belong to a Fast EtherChannel or Gigabit
EtherChannel port group.
* A secure port cannot be an 802.1X port.
* You cannot configure static secure MAC addresses in the voice VLAN.
* When you enable port security on a voice VLAN port, you must set
the maximum allowed secure addresses on the port to at least two.
When the port is connected to a Cisco IP phone, the IP phone
requires two MAC addresses: one for the access VLAN and the other
for the voice VLAN. Connecting a PC to the IP phone requires
additional MAC addresses.
Mike Gadoury wrote:
> Before Campus Manager can use port security to disable a MAC address,
> the Switch must be configured for port security.
>
> Example configuration:
>
> The switch is a Cisco 2950, with multiple VLANs, VLAN IDs 1,2,3. The
> clients that will potentially be disabled are all connecting via VLAN
> 2. VLAN 2 is on ports 6-18 and port 18 is a port where clients cannot
> connect (i.e., a printer may be connected there, or the port is reserved).
>
> For Campus Manager to work, the port on VLAN 2 where clients cannot
> connect, port 18, must be enabled as a secure port. The CLI commands to
> do this are:
>
> enable
> configure terminal
> interface fastEthernet 0/18
> switchport port-security
> switchport port-security maximum 120
> end
>
> You can verify that the port is secure with the following command
>
> show port-security
>
> Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
>                 (Count)       (Count)        (Count)
> ---------------------------------------------------------------------------
>      Fa0/18        120             0               0            Shutdown
> ---------------------------------------------------------------------------
>
> Total Addresses in System : 0
> Max Addresses limit in System : 1024
>
>
> Note: The switch must also be a member of the "Physical Address
> Filtering" Group within Campus Manager.
>
> Once this is complete users can disable clients connected to the
> switch on VLAN 2.
>
Received on Tue Aug 05 2003 - 22:09:40 EDT
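
An offline check of the guidelines listed at the top of this message, as an added example (not part of the original post and not Cisco or Campus Manager code): it scans IOS-style configuration text for ports that enable `switchport port-security` while conflicting with those restrictions. The sample config is constructed, the function names are hypothetical, and a default of one secure address is assumed when no maximum is set; the static voice-VLAN address rule is not checked.

```python
import re

# Constructed sample config for illustration (not taken from the original post).
SAMPLE = """\
monitor session 1 destination interface Fa0/7
interface FastEthernet0/6
 switchport mode access
 switchport voice vlan 3
 switchport port-security
interface FastEthernet0/7
 switchport mode access
 switchport port-security
interface FastEthernet0/8
 switchport mode trunk
 switchport port-security
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 switchport port-security maximum 120
"""

def short(name):
    """Map FastEthernet0/7 and Fa0/7 to the same key."""
    return re.sub(r"^(Fa|Gi)[A-Za-z]*", r"\1", name)

def lint_port_security(config):
    """Return {port: [violated guidelines]} for ports with port security enabled."""
    span = {short(p) for p in re.findall(r"^monitor session \d+ destination interface (\S+)", config, re.M)}
    findings = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        if "switchport port-security" not in cmds:
            continue  # the guidelines only constrain secure ports
        def has(prefix):
            return any(c.startswith(prefix) for c in cmds)
        m = re.search(r"port-security maximum (\d+)", body)
        maximum = int(m.group(1)) if m else 1  # assumption: default is 1 when unset
        checks = [
            ("not a static access port", "switchport mode access" not in cmds),
            ("protected port", "switchport protected" in cmds),
            ("EtherChannel member", has("channel-group ")),
            ("802.1X port", has("dot1x port-control")),
            ("SPAN destination", short(name) in span),
            ("voice VLAN port with maximum < 2", has("switchport voice vlan") and maximum < 2),
        ]
        bad = [label for label, hit in checks if hit]
        if bad:
            findings[short(name)] = bad
    return findings
```

Calling `lint_port_security(SAMPLE)` reports Fa0/6, Fa0/7 and Fa0/8 and leaves Fa0/18, configured as in the quoted example, unflagged.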