Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
469
Views
0
Helpful
1
Replies

LAN port security

wilson_1234_2
Level 3
Level 3

‎10-25-2007 04:22 AM - edited ‎03-05-2019 07:18 PM

I am trying to understand a port security configuration.

I want to configure port security to only allow the addresses attached to the ports on the switch as they are right now.

I was trying to do this without entering every single mac-address.

I configured the ports as shown, depending on the number of devices attached (phone/workstation or just a phone or just a prininter).

I configured a phone port as shown below, unplugged the existing phone and plugged in another and it came up just fine.

after that, I put the original phone mac address in rather than the "max 1" command and the port kept shutting down due to violation after plugging the original phone back in.

My questions are:

Does the config shown allow "ANY" single mac address on the port?

Shouldn't the stickey add the mac from dynamic to static on the port?

What are the aging parts doing?

Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?

It seems that with "sticky" configured, the original phone would have entered the mac as a static address and not let me boot the second phone at all, but that was not the case.

I was able to put the first phone on the port and boot, then put the second phone on the port, remove it and put the first one back.

switchport port-security

switchport port-security aging time 5

switchport port-security violation shutdown

switchport port-security aging type inactivity

switchport port-security mac-address sticky

Labels:
0 Helpful
1 Reply 1

Hieu Cao
Level 4
Level 4

‎10-25-2007 12:29 PM

what's your switch model?

Does the config shown allow "ANY" single mac address on the port?

- Yes

Shouldn't the stickey add the mac from dynamic to static on the port?

- Yes

What are the aging parts doing?

- mac-address is removed from port after xx minutes. Aging does not apply to "sticky" ports though.

Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?

- You need to add another entry for the first phone, then plug it in the port again. It's best that you use "switchport port-security maximum xxx" to control the maximum mac-addresses allowed per port.

Assuming that you're using 3560 switch, take a look at this document for more information.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1038546

HTH,

hieu

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card