
Port Security 4500

Unanswered Question
Apr 5th, 2006

I'm attempting to implement port security on a 4506 and I believe I have it configured correctly but it acts as if it is instantly aging. (i.e. I can't get it to trigger) When MAC A is on port 2/1, the secure MAC shows MAC A and the Last Secure MAC as MAC A. Also the cam creates a static entry for it on 2/1.

Then I unplug MAC A and plug in MAC B and it simply adjusts. Now instead of shutting down like it's configured to do, it shows MAC B as the secure MAC and Last Secure MAC and also the static cam entry changed. Does anyone know how to get the MAC to stay and get the port to trigger? There is no age timer, and the max is set to 1. Thanks

Chris

Nicholas Vigil Wed, 04/05/2006 - 13:00

To enable port security use the following:

set port security [mod/port] enable
set port security [mod/port] maximum 1
set port security [mod/port] violation shutdown

I hope this helps.

ankurbhasin Wed, 04/05/2006 - 20:14

Hi Chris,


AFAIK port security is either autoconfigured or enabled manually by specifying a MAC address and in your case it is auto configured. If a MAC address is not specified, the source address from the incoming traffic is autoconfigured and secured, up to the maximum number of MAC addresses allowed.


These autoconfigured MAC Addresses remain secured for a time, depending upon the aging timer set. The autoconfigured MAC Addresses are cleared from the port in case of a link-down event.


Now when you unplug MAC A, a link-down event will occur and will definitely clear the last MAC address A learned on that port 2/1.

The max set 1 command means just that: only 1 MAC address will be allowed on that port at a time, so that no one can connect a hub and connect many machines to that port. This command will not make the switch retain the MAC address when you unplug the machine.

Also configure the violation condition:

set port security mod_num/port_num violation {shutdown | restrict}


Have a look at this link for more details:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_1/config/sec_port.htm#1023061

HTH, if yes please rate the post.


Ankur
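The distinction Ankur draws above (an autoconfigured secure MAC is cleared on link-down, a manually specified one is not) is easier to see as a complete CatOS configuration. The following is an added example, not taken from the thread or from Cisco's documentation; it uses port 2/1 from the question, a constructed placeholder MAC address, and the CatOS `set port security ... age` keyword, which I assume disables aging when set to 0 (confirm against the release notes for your supervisor software).

```cisco
# Added example, not from the original thread. Port 2/1 as in the question;
# 00-11-22-33-44-55 is a constructed placeholder, not a real host.
# Specifying the MAC on the enable line makes it a static secure address,
# which survives a link-down event instead of being relearned from traffic.
set port security 2/1 enable 00-11-22-33-44-55
# Only one address permitted on the port at a time.
set port security 2/1 maximum 1
# Shut the port down (err-disable) when a different source MAC appears.
set port security 2/1 violation shutdown
# Assumption: 0 disables secure-address aging on this release.
set port security 2/1 age 0
# Verify: the Secure-Src-Addr column should show the configured address
# and Violation should read shutdown.
show port security 2/1
```

With this in place, unplugging the host and plugging in a second machine should produce a violation and disable the port rather than silently relearning the new address, which is the behaviour Chris was trying to get. Clearing the violation and re-enabling the port is an administrative action on the switch; it does not happen when the original host is reconnected.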

chris.stepniewski Thu, 04/06/2006 - 08:27

Ankur,

Thank you, that explains why I'm having the issue, but now I must ask the question: Is there a way to make the port keep the learned address after a link-down event without having to type each MAC I want to secure? (e.g. a mac-address-sticky command like on the IOS based switches.) I didn't see one in the literature but hopefully someone knows some obscure command.


Thanks again,

Chris

trangen Thu, 04/06/2006 - 14:18

In order for it to stay, you have to configure it to be static; e.g.

switchport port-security mac-address xxxx.xxxx.xxxx
switchport port-security violation shutdown
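Chris's question refers to the sticky learning available on IOS-based switches, which is what trangen's `switchport` syntax belongs to. For comparison, here is the IOS form of that configuration as an added example (not from the thread); the interface name is a constructed placeholder, and nothing in the thread says CatOS offers an equivalent, so this does not answer the CatOS question, it only shows what "sticky" does where it exists.

```cisco
! Added example, not from the original thread. Interface name is a placeholder.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! sticky: the first learned source MAC is written into the running
 ! configuration as a static secure address and is kept across link-down.
 switchport port-security mac-address sticky
!
! Verify the learned address and the violation mode/count.
show port-security interface FastEthernet0/1
show port-security address
```

Two points worth remembering with sticky learning: the learned entry lives only in the running configuration until you save it, so a reload without `write memory` returns the port to learning state, and a violation with `shutdown` puts the port into err-disabled state, which stays down until an administrator re-enables it or `errdisable recovery cause psecure-violation` is configured. Both are worth checking when port security appears not to be "triggering".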

chris.stepniewski Fri, 04/07/2006 - 04:23

I understand that I can type in each MAC, what I'm asking is:

Can you have the switch learn and retain each MAC after a link-down event without having to type each MAC? No is a valid answer, I just want to make sure I'm not overlooking anything.

Chris