Port Security

Unanswered Question
Nov 11th, 2003

I have a 4500 switch and I'd like to enable port security on all workstation ports. Ideally, I'd like to have the MAC address dynamically learned and not have to do it by statically configuring MAC addresses on each interface. Is this possible? I pretty much accepted the defaults for port-security configs. I tried experimenting with the aging timers, but still couldn't get it to work. All I see is that the MAC address for the port changes and no security is enforced. I've checked the links on Cisco's site for cat4500 port security and don't see any relevant information. Thanks - Rich

rpinon Tue, 11/11/2003 - 11:28

I have a 4503; at each interface I type in the following:

    switchport port-security maximum x

x is the maximum number of MAC addresses you want allowed on this port; it helps keep those mysterious hubs from sprouting.

    switchport port-security violation shutdown

This shuts down the port if it is "violated".

There are other parameters you can check out; hope it helps.

Best Regards

Ray



r.crist Tue, 11/11/2003 - 11:45

Ray:


That's how I have the switch configured. Instead of shutting down the port when it sees a new MAC address, it just learns the new MAC address. I can see the MAC address change by issuing 'sh port-sec int f2/1'. Only when I statically configure a MAC address for the port does it shut down when it sees a new MAC address.


I wonder if it's a problem with the version of code I'm running: 12.1(19)EW1


Thanks,

Rich

tbaranski Tue, 11/11/2003 - 11:37

There's a "sticky" keyword that does what I believe you're looking to do, but interestingly enough there's no mention of it in the 4500's port security documentation. Other IOS switches, such as the 2950, support it: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7f.html#1038501


"Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it."

r.crist Tue, 11/11/2003 - 11:54

Thanks for the reply. I saw that info in an old post relating to port security and tried it on the 4500 - no luck! The 'sticky' parameter isn't supported on that platform, I suppose. I found some port security bugs, but none similar to what I'm seeing. Thanks again. Rich

rpinon Tue, 11/11/2003 - 12:21

I forgot to mention: did you put the interface into access mode?

    switchport mode access

It's the only way port security will work on the 4500. I apologize, I forgot to mention it originally.

The IOS that came with the switch did not show this; when I upgraded to the next version, an error warning appeared. Go figure.


Ray

r.crist Wed, 11/12/2003 - 11:20

Heard from TAC on this one. The 4500s don't support 'sticky' in the current releases, and there's no indication as to when this will be added to the code. Thanks to everyone who replied. -Rich
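The thread boils down to three configuration details that decide whether port security actually enforces anything: the port has to be in access mode (Ray's second post), the violation mode should be shutdown rather than a mode that silently keeps forwarding, and an aging timer lets a dynamically learned secure address expire so that the next address seen is simply learned instead of counted as a violation. The script below is an added example, not part of the thread and not Cisco's code: it parses a constructed `show running-config` excerpt (the interface names and stanzas are made up for illustration) and reports ports where port security is enabled but one of those details is off. Where a line is absent it assumes the IOS defaults of maximum 1 and violation shutdown; it treats `switchport port-security mac-address sticky` as acceptable when present, while the thread shows that whether that command is accepted depends on the platform and IOS release.

```python
"""Audit Cisco IOS 'show running-config' interface stanzas for the
port-security pitfalls raised in this thread: port security enabled on a
port that is not in 'switchport mode access', a violation mode other than
shutdown, and an aging timer that lets a dynamically learned secure address
expire (after which the next address seen is learned, not treated as a
violation)."""
import re

# Constructed sample running-config excerpt; not taken from the thread.
# Fa2/1 is the intended configuration, Fa2/2 lacks access mode,
# Fa2/3 has a soft violation mode plus aging, Fa2/4 uses sticky learning
# (accepted on platforms that support it), and Gi1/1 is an uplink with
# no port security, which should produce no findings.
SAMPLE_CONFIG = """\
!
interface FastEthernet2/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet2/2
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet2/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 switchport port-security aging time 2
!
interface FastEthernet2/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/1
 description uplink
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each interface stanza.
    Sub-commands are the indented lines; '!' or a global command ends a stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_interface(name, lines):
    """Return a list of findings for one interface (empty means OK).
    Assumed IOS defaults when a line is absent: maximum 1, violation shutdown."""
    findings = []
    if "switchport port-security" not in lines:
        return findings  # port security not enabled here, nothing to audit
    if "switchport mode access" not in lines:
        findings.append(
            f"{name}: port security enabled but 'switchport mode access' is missing")
    violation = "shutdown"
    aging = None
    for line in lines:
        m = re.match(r"switchport port-security violation (\S+)$", line)
        if m:
            violation = m.group(1)
        m = re.match(r"switchport port-security aging time (\d+)$", line)
        if m:
            aging = int(m.group(1))
    if violation != "shutdown":
        findings.append(
            f"{name}: violation mode is '{violation}' rather than shutdown")
    if aging is not None:
        findings.append(
            f"{name}: aging time {aging} min lets a learned address expire "
            "and be replaced without a violation")
    return findings


def audit_config(config):
    """Return {interface: [findings]} for every interface that has findings."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(name, lines)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(finding)
```

Run it against real output by replacing SAMPLE_CONFIG with the text of `show running-config`; a port that shows up only for the missing `switchport mode access` line is exactly the case Ray describes, where the port-security lines are present but nothing is enforced.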
