Port Security - Real World Advice\Experience
laidbackfreak
Member Posts: 991
OK, I'm doing some more work on port security and am happy enough with everything. So I'm now looking to roll this out to a production environment, and I get to thinking about clearing any violations that occur following office moves etc. Now that's easy enough to deal with, as desktop support are usually aware of this and will let us know which ports are going to be affected so we can clear the MAC addresses as needed.
But I was wondering what to do in situations such as conference rooms where multiple (unknown number) devices could be connected to the LAN.
I suspect I will set a HIGH max-number and monitor it.
I've been looking around and found I can set a timer on any violations and wondered if it was possible to set some kind of automatic clear of the MAC address. I'll have another look for that tomorrow, but does anyone know if that's possible?
How do others deal with these issues?
if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
Comments
ColbyG
Member Posts: 1,264
Aging time is what clears the MAC after a period of time. You can avoid the port going err-disable by using restrict or protect.
laidbackfreak
Member Posts: 991
Cheers Colby, only skimmed the article but I was under the impression it cleared the error but maintained any known MAC address.
I'll double-check it.
ColbyG
Member Posts: 1,264
I'll explain it a little better. When using "switchport port-security maximum 2" (for instance), the switch allows two MACs connected at a time; by default, when one host is unplugged its MAC is cleared. If you were to use the "switchport port-security aging time 5" command, it would take 5 minutes for that MAC to age out once the host was disconnected.
Does that make more sense?
laidbackfreak
Member Posts: 991
Ah yes, that makes more sense, so following on from that: what happens if sticky ports are in place?
Bl8ckr0uter
Inactive Imported Users Posts: 5,031
laidbackfreak wrote: »
Ah yes, that makes more sense, so following on from that: what happens if sticky ports are in place?
That port will associate a MAC address to it for a particular amount of time. From there you can do switchport port-sec vio shutdown and kill the port. Then someone would have to issue a no shut command to get the port back up.
I think the standard is 2 sticky MACs (1 for the phone, and 1 for PC). Keep in mind though that many phones (like mine) are switches themselves, so keep this in mind if you have users that use more than 2 things that connect via Ethernet (like me).
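To put the two approaches discussed in the thread side by side (ColbyG's "maximum" plus "aging time" for a port that sees transient devices, and Bl8ckr0uter's sticky addresses plus shutdown violation mode for a fixed desk), here is an added Cisco IOS configuration example. It is not from any of the posters; the interface names, VLAN numbers, the maximum of 10 and the timer values are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Interface names, VLANs and
! timer values are assumptions chosen for illustration.
!
! Conference room: unknown number of transient devices.
! restrict  -> frames from MACs beyond the maximum are dropped, the
!              violation counter increments and a syslog/SNMP trap is
!              sent, but the port never goes err-disabled.
! aging type inactivity -> a learned MAC ages out 5 minutes after that
!              host stops sending, freeing the slot for the next visitor
!              without anyone running "clear port-security".
interface GigabitEthernet1/0/10
 description Conference room
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Desk with IP phone + PC: two sticky MACs, hard shutdown on violation.
! Sticky addresses are written into the running config (they show up as
! "switchport port-security mac-address sticky <mac>" lines under the
! interface), so they survive link down and are only removed by
! "clear port-security sticky interface ..." or by removing
! port security from the port.
interface GigabitEthernet1/0/5
 description Desk - IP phone and PC
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Automatic recovery of err-disabled ports: after 300 seconds the port
! comes back up without a manual "shutdown" / "no shutdown".
! This recovers the port only; the sticky MACs stay in the config, so
! a foreign device that is still plugged in violates again immediately.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Operational checks (exec mode, not config):
! show port-security interface GigabitEthernet1/0/10
! show port-security address
! show errdisable recovery
! clear port-security sticky interface GigabitEthernet1/0/5
```

The split answers the original question directly: inactivity aging in restrict mode is the "automatic clear" for a room full of unknown laptops, while errdisable recovery only reopens a sticky port and deliberately leaves the learned addresses alone, which is exactly why sticky is the wrong tool for a conference room and the right one for a desk.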
laidbackfreak
Member Posts: 991
Bl8ckr0uter wrote: »
That port will associate a MAC address to it for a particular amount of time.
I was under the impression that the sticky feature put the MAC address into the running config, and the only way to clear it was to issue a clear command (or no switchport security).
If there is a way to clear it automatically I'd love to know, but I kinda think that defeats the purpose of having sticky ports.
Bl8ckr0uter
Inactive Imported Users Posts: 5,031
So we were both right... great find Colby!