Port Security 4500

I'm attempting to implement port security on a 4506 and I believe I have it configured correctly, but it acts as if it is instantly aging (i.e. I can't get it to trigger). When MAC A is on port 2/1, the secure MAC shows MAC A and the Last Secure MAC as MAC A. Also the CAM creates a static entry for it on 2/1.

Then I unplug MAC A and plug in MAC B and it simply adjusts. Now, instead of shutting down like it's configured to do, it shows MAC B as the secure MAC and Last Secure MAC, and the static CAM entry changed as well. Does anyone know how to get the MAC to stay and get the port to trigger? There is no age timer, and the max is set to 1. Thanks

Chris

5 Replies

Nicholas Vigil
Level 1

To enable port security use the following:

set port security [mod/port] enable

set port security [mod/port] maximum 1

set port security [mod/port] violation shutdown

I hope this helps.

ankurbhasin
Level 9

Hi Chris,

AFAIK port security is either autoconfigured or enabled manually by specifying a MAC address and in your case it is auto configured. If a MAC address is not specified, the source address from the incoming traffic is autoconfigured and secured, up to the maximum number of MAC addresses allowed.

These autoconfigured MAC addresses remain secured for a time, depending upon the aging timer set. The autoconfigured MAC addresses are cleared from the port in case of a link-down event.

Now when you unplug MAC A, a link-down event will occur and will definitely clear the last MAC address A learned at that port 2/1.

The max set 1 command is just that: only 1 MAC address will be allowed on that port at a time, so that no one can connect a hub and connect many machines to that port. This command will not let the switch retain the MAC address when you unplug the machine.

Also configure the violation condition:

set port security mod_num/port_num violation {shutdown | restrict}

Have a look at this link for more details

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_1/config/sec_port.htm#1023061

HTH, if yes please rate the post.

Ankur

Ankur,

Thank you, that explains why I'm having the issue, but now I must ask the question: Is there a way to make the port keep the learned address after a link-down event without having to type each MAC I want to secure? (e.g. a mac-address-sticky command like on the IOS-based switches.) I didn't see one in the literature, but hopefully someone knows some obscure command.

Thanks again,

Chris

trangen
Level 1

In order for it to stay, you have to configure it to be static, e.g.

switchport port-security mac-address xxxx.xxxx.xxxx

switchport port-security violation shutdown
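The behaviour ankurbhasin describes (autoconfigured secure addresses are flushed on link-down, so with maximum 1 the next host is simply re-learned) and trangen's fix (a statically configured address survives the link-down, so the second host triggers the violation action) can be put side by side in a small model. This is an added illustration written for this thread, not Cisco code; the MAC values are constructed, and it assumes, as the replies state, that only autoconfigured entries are cleared by a link-down event while manually specified ones remain.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample addresses standing in for the thread's "MAC A" and "MAC B".
MAC_A = "00aa.0000.000a"
MAC_B = "00bb.0000.000b"


@dataclass
class SecurePort:
    """One port with port security enabled (set port security mod/port enable)."""
    name: str                                           # e.g. "2/1"
    maximum: int = 1                                    # set port security mod/port maximum 1
    violation: str = "shutdown"                         # violation {shutdown | restrict}
    static: Set[str] = field(default_factory=set)       # MACs specified by hand
    dynamic: List[str] = field(default_factory=list)    # autoconfigured MACs, learning order
    last_secure: Optional[str] = None
    shutdown: bool = False

    def secure_macs(self) -> List[str]:
        """Everything currently counted against `maximum`."""
        return sorted(self.static) + self.dynamic

    def frame(self, src: str) -> str:
        """Process one ingress frame with source address `src`."""
        if self.shutdown:
            return "dropped"                            # a shut-down port forwards nothing
        if src in self.static or src in self.dynamic:
            self.last_secure = src
            return "forwarded"
        if len(self.secure_macs()) < self.maximum:
            # Autoconfiguration: the first unknown source becomes a secure MAC.
            self.dynamic.append(src)
            self.last_secure = src
            return "learned"
        # Table is full and the source is unknown: this is the violation.
        if self.violation == "shutdown":
            self.shutdown = True
            return "violation:shutdown"
        return "violation:restrict"                     # frame dropped, port stays up

    def link_down(self) -> str:
        """Cable pulled: autoconfigured entries are flushed, static ones remain (assumption from the replies)."""
        self.dynamic.clear()
        return "link-down"


def replay(port: SecurePort, events: List[str]) -> List[str]:
    """Feed a sequence of events; 'down' is a link-down, anything else is a source MAC."""
    return [port.link_down() if ev == "down" else port.frame(ev) for ev in events]


def autoconfigured_scenario():
    """The thread's symptom: maximum 1, no static entry, swap MAC A for MAC B."""
    port = SecurePort("2/1")
    results = replay(port, [MAC_A, "down", MAC_B])
    return results, port


def static_scenario(violation: str = "shutdown"):
    """Same swap with MAC A configured statically on the port."""
    port = SecurePort("2/1", violation=violation, static={MAC_A})
    results = replay(port, [MAC_A, "down", MAC_B])
    return results, port


if __name__ == "__main__":
    for label, (results, port) in (("autoconfigured", autoconfigured_scenario()),
                                   ("static", static_scenario())):
        print(f"{label}: {results}; secure={port.secure_macs()} "
              f"last={port.last_secure} shutdown={port.shutdown}")
```

Running it shows the autoconfigured port ending with MAC B as both the secure and last secure address and never shutting down, exactly the symptom in the question, while the port with a static entry keeps MAC A and shuts down on MAC B's first frame. Passing `"restrict"` to `static_scenario` shows the other violation mode, where the offending frame is dropped but the port stays up.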

I understand that I can type in each MAC, what I'm asking is:

Can you have the switch learn and retain each MAC after a link-down event without having to type each MAC? No is a valid answer; I just want to make sure I'm not overlooking anything.

Chris
