By default a port can learn 132 MAC addresses on most switches. This can be restricted by the "Port Secure Max-mac-count (1-132)" command. If this is set to 1 it will not accept any additional MACs on the port.

> From: "JohnZ"
> Reply-To: "JohnZ"
> To: [EMAIL PROTECTED]
> Subject: Re: How to restrict hubs in a LAN [7:54937]
> Date: Sun, 6 Oct 2002 06:52:05 GMT
>
> Well, when I wrote the original post I knew I would have these questions. Basically the first layer of support, or help desk if you will, have more PCs than the drops in their cubes. This is an old building not meant for an IS staff so there is some frustration on their part. I am not going to question if there is a legit need for folks to have 5 PCs when there is in fact a separate staging area to set up and test PCs for users. Anyways they know enough to be dangerous and there is no standard on hubs and I have seen where folks have created loops. Now with Windows XP I have seen some configs where 2 NICs have been bridged via software, I am not sure with what intent. Although it's been made clear many times not to use hubs but this is never enforced and I did not want to spend my time daily trying to hunt down the lawless. So that's when I thought if I could config the switch this will discourage the hub usage or bridging within PCs. I hope that answers most of the questions here.
>
> "David j" wrote in message news:[EMAIL PROTECTED]...
> > See inline..
> >
> > Chuck's Long Road wrote:
> > >
> > > as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done?
> > >
> > > what is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?
> > >
> >
> > I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first to use them.
> >
> > > when you say that "politically, it's a mess" what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?
> > >
> >
> > In some environments it's politically unacceptable. I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy.
> >
> > > I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.
> > >
> > > "John Zaggat" wrote in message news:[EMAIL PROTECTED]...
> > > > Thanks guys, that's pretty good information, but do you think in your opinion is that a good approach to deal with this problem? Do you see any caveats, and are there any other ways this can be dealt with?
> > > >
> > > > "Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> > > > > take a look into Port Security.
> > > > >
> > > > > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> > > > >
> > > > > In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.
> > > > >
> > > > > Kevin Wigle
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "John Zaggat"
> > > > > To:
> > > > > Sent: Saturday, October 05, 2002 5:01 PM
> > > > > Subject: How to restrict hubs in a LAN [7:54937]
> > > > >
> > > > > > I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several MAC addresses when I do "show cam", which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address then that will make these hubs useless. Well anyways let me know if I am way off here, but are there any other tricks in use by any of you guys? I'll appreciate any pointers.
> > > > > > JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54962&t=54937
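
Added example, not part of the original thread: the observation in the quoted original post (ports with a hub behind them show several MAC addresses in "show cam") turned into a per-port audit in Python. The CAM listing is constructed and its VLAN / MAC / port column layout is an assumption, as are the function names and the uplink port 1/1.

```python
import re
from collections import defaultdict

# Constructed sample listing. The three-column layout (VLAN, MAC, port) is an
# assumption for illustration; adjust ROW to the output of your own switch.
SAMPLE_CAM = """\
VLAN  Dest MAC            Destination Ports
----  ------------------  -----------------
1     00-10-7b-aa-00-01   2/1
1     00-10-7b-aa-00-02   2/2
1     00-10-7b-aa-00-03   2/2
1     00-10-7b-aa-00-04   2/2
10    00-10-7b-aa-00-05   2/3
10    00-10-7b-aa-00-05   2/3
1     00-10-7b-aa-00-06   1/1
1     00-10-7b-aa-00-07   1/1
"""

# VLAN number, MAC written as six hex pairs joined by '-' or ':', module/port.
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(\d+/\d+)", re.I)


def macs_per_port(cam_text):
    """Map each port to the set of distinct MACs learned on it."""
    ports = defaultdict(set)
    for line in cam_text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator rows do not match and are skipped
            mac = re.sub(r"[-:]", "", m.group(2)).lower()
            ports[m.group(3)].add(mac)
    return ports


def suspect_ports(cam_text, max_macs=1, uplinks=()):
    """Return {port: sorted MACs} for non-uplink ports above max_macs.

    Uplinks legitimately carry many MACs, so they are excluded by name.
    """
    return {
        port: sorted(macs)
        for port, macs in sorted(macs_per_port(cam_text).items())
        if port not in uplinks and len(macs) > max_macs
    }


if __name__ == "__main__":
    for port, macs in suspect_ports(SAMPLE_CAM, uplinks={"1/1"}).items():
        print(f"{port}: {len(macs)} MACs -> {', '.join(macs)}")
```

Ports reported here are the candidates for a maximum of one MAC address under port security; a port that legitimately needs more than one address needs a higher limit before enforcement is turned on.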

