Port-Security again! - pls reply!

chris.king
Level 1

Hi again guys and girls.

Quick question about port security. Please answer to prevent me from going insane here!!

When setting up port-security and not using the 'sticky' option, the mac addresses will be saved on the switch as 'securedynamic'. If I unplug this device, should the mac address continue to be resident on the switch, thus keeping the port safe, or will it be deleted?

pls answer somebody.

Thanks,

Chris

8 Replies

Jon Marshall
Hall of Fame

Chris

Dynamic secure mac-addresses are stored in the address table and if you restart the switch it should not be there when the switch restarts. It can't be there because the switch stores them in its memory while in operation, unlike the sticky option which allows you to store them in the running-config.

Jon

Thanks Jon.

The question is though, if I disconnect my pc from the switch, will the switch continue to store the pc mac or will it discard it.

Regards,

Chris

Ah, apologies for the misunderstanding Chris.

That all depends on the port-security aging parameter. Please have a look at this link which explains about the aging time -

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swtrafc.html#wp1042259

Jon

Thanks again, Jon.

My config looks like this after setting up the aging:

interface FastEthernet4/0/27
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security aging time 120
 switchport port-security violation protect
 priority-queue out
 mls qos trust cos
 no mdix auto
 fair-queue
 spanning-tree portfast

If I plug in my notebook to this port, I get this:

3750-LL-1#show port-security interf fa4/0/27
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Protect
Aging Time : 120 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0

and if I unplug it, I get this:

3750-LL-1#show port-security interf fa4/0/27
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 120 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0

and after unplugging my notebook, I get 0 entries after entering:

show port-security address.

It seems like my mac is killed after unplugging my notebook.

Regards,

Chris
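As an added example (not part of this thread, and not a Cisco tool): a small Python script that parses the `show port-security interface` output posted above and reports the conditions a defender would want to see at a glance. The two sample outputs are constructed from the text Chris posted (plugged in, then unplugged); the checks rely only on what the output itself states: a port that is up with zero secure addresses will learn the next source MAC it sees, addresses that are neither configured nor sticky live only in the address table, and violation mode "protect" gives no notification.

```python
"""Parse `show port-security interface` output and flag the conditions the thread
is worried about: a secured port that currently holds no secure address, ports
whose only secure addresses are dynamic, and a violation mode that never notifies.
"""

# Constructed samples, copied from the two outputs posted in the thread
# (notebook plugged in, then unplugged). They stand in for text captured from
# the switch CLI or from a collector.
SAMPLE_PLUGGED = """\
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Protect
Aging Time : 120 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0
"""

SAMPLE_UNPLUGGED = SAMPLE_PLUGGED.replace(
    "Port Status : Secure-down", "Port Status : Secure-up"
).replace("Total MAC Addresses : 1", "Total MAC Addresses : 0")


def parse_port_security(text):
    """Return the 'Field : value' pairs as a dict.

    Only the first colon separates field from value, so a value that itself
    contains a colon (the 'addr:vlan' form of Last Source Address) survives.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _count(fields, name):
    """Integer value of a counter field, 0 if the field is absent."""
    return int(fields.get(name, "0"))


def assess(fields):
    """Return a list of (code, message) findings for one port."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append(("NOT_ENABLED", "port-security is not enabled on this port"))
        return findings

    total = _count(fields, "Total MAC Addresses")
    sticky = _count(fields, "Sticky MAC Addresses")
    configured = _count(fields, "Configured MAC Addresses")

    # The situation described in the thread: link is up, the learned address is
    # gone, so the next source MAC the port sees is learned as the secure one.
    if fields.get("Port Status") == "Secure-up" and total == 0:
        findings.append(("PORT_OPEN",
                         "port is up with no secure address; the next MAC seen "
                         "will be accepted and learned as secure-dynamic"))

    # Nothing persisted: every secure address is dynamic (address table only).
    if total > 0 and sticky + configured == 0:
        findings.append(("DYNAMIC_ONLY",
                         "all secure addresses are dynamic and are not saved in "
                         "the configuration"))

    # Protect mode drops offending frames without any notification.
    if fields.get("Violation Mode") == "Protect":
        findings.append(("SILENT_VIOLATIONS",
                         "violation mode 'protect' produces no notification"))

    # Absolute aging removes the address after the timer regardless of activity.
    if fields.get("Aging Type") == "Absolute" and total > 0:
        findings.append(("ABSOLUTE_AGING",
                         f"secure addresses expire after {fields.get('Aging Time')} "
                         "even while the device is still active"))
    return findings


def codes(text):
    """Finding codes for one captured output, in the order assess() emits them."""
    return [code for code, _ in assess(parse_port_security(text))]


if __name__ == "__main__":
    for label, sample in (("plugged", SAMPLE_PLUGGED), ("unplugged", SAMPLE_UNPLUGGED)):
        print(f"== {label} ==")
        for code, msg in assess(parse_port_security(sample)):
            print(f"  {code}: {msg}")
```

Run against the two captures, the "unplugged" one produces PORT_OPEN, which is exactly the state Chris is describing: port-security is still enabled, but nothing is currently pinned to the port, so whatever is plugged in next becomes the secured address. Feeding the script the output of every access port (one capture per port) turns that observation into a repeatable check rather than something noticed by eye.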

Chris

Sorry, I am a little confused by your output. After you unplugged the device the mac-address was still showing according to the second "show port-security interf fa4/0/27".

Jon

No problem Jon.

After unplugging my notebook, the mac address could not be found anywhere on the switch. This means that an intruder could plug in to this port and access my network.

Chris

Chris

I know from painful experience that this should work, as at the last place I worked we had users who continually were changing which PC was connected into the switch port and it was always locking them out.

Have you tried plugging in another machine after unplugging your mac?

I will have another look at the config and if I get time today or tomorrow I have a 3550 laying around I could run a few quick tests on.

Jon

Thanks a lot Jon.

I have been trying to get this to work for a few days now and can only get it to work with 'sticky' addresses. This is not of any use to me because I have some ip phones using the voice vlan. The voice vlan only supports secure dynamic addresses.

I would really appreciate any help!

Chris
