10-25-2007 04:22 AM - edited 03-05-2019 07:18 PM
I am trying to understand a port security configuration.
I want to configure port security to only allow the addresses attached to the ports on the switch as they are right now.
I was trying to do this without entering every single mac-address.
I configured the ports as shown, depending on the number of devices attached (phone/workstation, or just a phone, or just a printer).
I configured a phone port as shown below, unplugged the existing phone and plugged in another and it came up just fine.
After that, I put the original phone mac address in rather than the "max 1" command and the port kept shutting down due to violation after plugging the original phone back in.
My questions are:
Does the config shown allow "ANY" single mac address on the port?
Shouldn't the sticky add the mac from dynamic to static on the port?
What are the aging parts doing?
Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?
It seems that with "sticky" configured, the original phone would have entered the mac as a static address and not let me boot the second phone at all, but that was not the case.
I was able to put the first phone on the port and boot, then put the second phone on the port, remove it and put the first one back.
switchport port-security
switchport port-security aging time 5
switchport port-security violation shutdown
switchport port-security aging type inactivity
switchport port-security mac-address sticky
10-25-2007 12:29 PM
what's your switch model?
Does the config shown allow "ANY" single mac address on the port?
- Yes
Shouldn't the sticky add the mac from dynamic to static on the port?
- Yes
What are the aging parts doing?
- mac-address is removed from port after xx minutes. Aging does not apply to "sticky" ports though.
Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?
- You need to add another entry for the first phone, then plug it in the port again. It's best that you use "switchport port-security maximum xxx" to control the maximum mac-addresses allowed per port.
Assuming that you're using 3560 switch, take a look at this document for more information.
HTH,
hieu
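As an added example, not part of either post: the configuration below applies the reply's advice (an explicit "switchport port-security maximum" plus sticky learning) to two of the port types the question mentions, and adds the commands used to verify the learned addresses, replace a device without a violation, and recover a port that was shut down. The Catalyst 3560 platform (the reply's guess), the interface names, VLAN numbers, the placeholder MAC address and the recovery timer are assumptions; the violation mode and aging commands are the ones already shown in the question.

```cisco
! Assumed platform: Catalyst 3560. Interface names, VLAN numbers and the
! MAC address below are placeholders, not values from the thread.
!
! --- Phone-only port: one learned address, shut the port on any other ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Phone + workstation port: two learned addresses ---
! Check "show port-security address" after the phone boots: a phone on a
! voice VLAN can occupy more than one entry, in which case the maximum must
! be raised before the workstation is connected.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Aging as configured in the question. As the reply notes, it does not
 ! apply to sticky entries; it only ages non-sticky dynamic entries.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! --- Verification (privileged exec mode) ---
! Sticky addresses are written into the running config as
! "switchport port-security mac-address sticky <mac>"; save them so they
! survive a reload, then review what each port actually learned.
copy running-config startup-config
show port-security address
show port-security interface GigabitEthernet0/1
!
! --- Replacing a device on a sticky port (config mode) ---
! Remove the old sticky entry before connecting the new device, otherwise
! the new address exceeds the maximum and triggers the violation action.
interface GigabitEthernet0/1
 no switchport port-security mac-address sticky 0011.2233.4455
!
! --- Recovery after a "violation shutdown" ---
! The port is placed in err-disabled state. Either bounce it by hand...
interface GigabitEthernet0/1
 shutdown
 no shutdown
! ...or let the switch re-enable it after an assumed 300-second timer.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

The "show port-security interface" output reports the security violation count and the port status, which is the quickest way to tell whether a port that dropped is err-disabled because of port security rather than for another reason.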