11-10-2008 03:14 AM - edited 03-06-2019 02:23 AM
Hi again guys and girls.
Quick question about port security. Please answer to prevent me from going insane here!!
When setting up port-security and not using the 'sticky' option, the MAC addresses will be saved on the switch as 'SecureDynamic'. If I unplug this device, should the MAC address continue to be resident on the switch, thus keeping the port safe, or will it be deleted?
pls answer somebody.
Thanks,
Chris
11-10-2008 03:19 AM
Chris
Dynamic secure MAC addresses are stored in the address table, and if you restart the switch they should not be there when the switch restarts. They can't be there, because the switch stores them in its memory while in operation, unlike the sticky option, which allows you to store them in the running-config.
Jon
11-10-2008 04:32 AM
Thanks Jon.
The question is though, if I disconnect my PC from the switch, will the switch continue to store the PC's MAC or will it discard it?
Regards,
Chris
11-10-2008 04:36 AM
Ah, apologies for the misunderstanding Chris.
That all depends on the port-security aging parameter. Please have a look at this link, which explains the aging time -
Jon
11-10-2008 04:57 AM
Thanks again, Jon.
My config looks like this after setting up the aging:
interface FastEthernet4/0/27
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security aging time 120
switchport port-security violation protect
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
If I plug my notebook into this port, I get this:
3750-LL-1#show port-security interf fa4/0/27
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Protect
Aging Time : 120 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0
and if I unplug it, I get this:
3750-LL-1#show port-security interf fa4/0/27
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 120 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0
and after unplugging my notebook, I get 0 entries after entering:
show port-security address
It seems like my MAC is killed after unplugging my notebook.
Regards,
Chris
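To make the two outputs pasted in the post above checkable by a script rather than by eye, here is an added example (my own code, not from this thread and not a Cisco tool): a small Python parser for the `show port-security interface` format shown, plus an audit rule that flags a port whose only protection is dynamically learned secure MACs. The two sample inputs are the outputs from the post above, copied as constructed test data; the field names the parser keys on are the ones in that output, and the wording of the findings is my own.

```python
"""Parse `show port-security interface` output and audit how much a port
actually locks down. Added example for this thread; the sample inputs are
the two outputs posted above, the parser and audit rule are my own."""
import re
from dataclasses import dataclass

# Constructed sample: the output posted with the notebook plugged in.
PLUGGED = """\
3750-LL-1#show port-security interf fa4/0/27
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Protect
Aging Time : 120 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0
"""

# Constructed sample: the output posted after unplugging the notebook.
# Only Port Status and Total MAC Addresses differ from PLUGGED.
UNPLUGGED = (PLUGGED
             .replace("Port Status : Secure-down", "Port Status : Secure-up")
             .replace("Total MAC Addresses : 1", "Total MAC Addresses : 0"))


@dataclass
class PortSecurity:
    enabled: bool
    port_status: str
    violation_mode: str
    aging_time_min: int
    aging_type: str
    max_macs: int
    total_macs: int
    configured_macs: int
    sticky_macs: int
    last_source: str
    violation_count: int


# Map of the labels in the IOS output (lower-cased) to dataclass fields.
_FIELDS = {
    "port security": "enabled",
    "port status": "port_status",
    "violation mode": "violation_mode",
    "aging time": "aging_time_min",
    "aging type": "aging_type",
    "maximum mac addresses": "max_macs",
    "total mac addresses": "total_macs",
    "configured mac addresses": "configured_macs",
    "sticky mac addresses": "sticky_macs",
    "last source address": "last_source",
    "security violation count": "violation_count",
}
_INTS = {"aging_time_min", "max_macs", "total_macs",
         "configured_macs", "sticky_macs", "violation_count"}


def parse_port_security(text: str) -> PortSecurity:
    """Parse one `show port-security interface` block into a PortSecurity."""
    values = {}
    for line in text.splitlines():
        # Split on the first colon only: "000f.1fbe.2669:2" keeps its VLAN suffix.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # CLI prompt line and blank lines carry no colon
        name = _FIELDS.get(key.strip().lower())
        if name is None:
            continue  # e.g. "SecureStatic Address Aging", not needed here
        value = value.strip()
        if name == "enabled":
            values[name] = value.lower() == "enabled"
        elif name in _INTS:
            values[name] = int(re.match(r"\d+", value).group())  # "120 mins" -> 120
        else:
            values[name] = value
    return PortSecurity(**values)


def audit(ps: PortSecurity) -> list[str]:
    """Return findings describing what the port does NOT protect against."""
    findings = []
    if not ps.enabled:
        return ["port-security is not enabled on this port"]
    if ps.configured_macs + ps.sticky_macs == 0:
        findings.append("no static or sticky secure MACs: protection rests "
                        "on dynamically learned entries only")
        if ps.total_macs == 0:
            findings.append("no secure MAC is currently learned: the next device "
                            "to send a frame will be accepted and learned")
        elif ps.aging_type.lower() == "absolute" and ps.aging_time_min > 0:
            findings.append(f"dynamic entries are removed after {ps.aging_time_min} "
                            "min regardless of traffic (absolute aging)")
    if ps.violation_mode.lower() == "protect":
        findings.append("violation mode protect: frames from unknown source MACs "
                        "are dropped silently, with no syslog or SNMP notification")
    return findings


if __name__ == "__main__":
    for label, sample in (("plugged", PLUGGED), ("unplugged", UNPLUGGED)):
        print(f"== {label} ==")
        for finding in audit(parse_port_security(sample)):
            print(" -", finding)
```

Run it and the "unplugged" sample produces the finding that matters for the question in this thread: with zero configured and zero sticky entries and a total of zero, the port is back to accepting whichever MAC shows up next. The same audit can be fed the output of `show port-security interface` for every access port to find the ones in that state.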
11-10-2008 06:47 AM
Chris
Sorry, I am a little confused by your output. After you unplugged the device, the MAC address was still showing according to the second "show port-security interf fa4/0/27".
Jon
11-10-2008 07:15 AM
No problem Jon.
After unplugging my notebook, the MAC address could not be found anywhere on the switch. This means that an intruder could plug into this port and access my network.
Chris
11-10-2008 07:18 AM
Chris
I know from painful experience that this should work, as at the last place I worked we had users who continually were changing which PC was connected into the switch port and it was always locking them out.
Have you tried plugging in another machine after unplugging your mac?
I will have another look at the config, and if I get time today or tomorrow I have a 3550 laying around I could run a few quick tests on.
Jon
11-10-2008 07:42 AM
Thanks a lot Jon.
I have been trying to get this to work for a few days now and can only get it to work with 'sticky' addresses. This is not of any use to me because I have some IP phones using the voice VLAN. The voice VLAN only supports secure dynamic addresses.
I would really appreciate any help!
Chris