Cisco Support Community
Community Member

Port Security

I have a 4500 switch and I'd like to enable port security on all workstation ports. Ideally, I'd like to have the MAC address dynamically learned and not have to do it by statically configuring MAC addresses on each interface. Is this possible? I pretty much accepted the defaults for port-security configs. I tried experimenting with the aging timers, but still couldn't get it to work. All I see is that the MAC address for the port changes and no security is enforced. I've checked the links on Cisco's site for cat4500 port security and don't see any relevant information. Thanks - Rich

6 REPLIES
Community Member

Re: Port Security

I have a 4503; at each interface I type in the following:

switchport port-security maximum x

x - the maximum number of MAC addresses you want allowed on this port; helps keep those mysterious hubs from sprouting

switchport port-security violation shutdown - to shut down the port if "violated"

There are other parameters you can check out; hope it helps.

Best Regards

Ray

Community Member

Re: Port Security

Ray:

That's how I have the switch configured. Instead of shutting down the port when it sees a new MAC address, it just learns the new MAC address. I can see the MAC address change by issuing 'sh port-sec int f2/1'. Only when I statically configure a MAC address for the port does it shut down when it sees a new MAC address.

I wonder if it's a problem with the version of code I'm running: 12.1(19)EW1

Thanks,

Rich

Bronze

Re: Port Security

There's a "sticky" keyword that does what I believe you're looking to do, but interestingly enough there's no mention of it in the 4500's port security documentation. Other IOS switches, such as the 2950, support it: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7f.html#1038501

"Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it."

Community Member

Re: Port Security

Thanks for the reply. I saw that info in an old post relating to port security and tried it on the 4500 - no luck! The 'sticky' parameter isn't supported on that platform, I suppose. I found some port security bugs, but none similar to what I'm seeing. Thanks again. Rich

Community Member

Re: Port Security

I forgot to mention: did you put the interface into access mode?

(switchport mode access)

It's the only way port security will work on the 4500. Apologies, I forgot to mention it originally.

The IOS that came with the switch did not show this; when I upgraded to the next version, an error warning appeared. Go figure.

Ray

Community Member

Re: Port Security

Heard from TAC on this one. The 4500s don't support 'sticky' in the current releases, and there is no indication as to when this will be added to the code. Thanks to everyone who replied. -Rich
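Pulling the steps from this thread together, here is an added example (not posted by anyone in the thread) of a workstation port configured as the replies describe: access mode first, a dynamically learned maximum, and shutdown on violation, with the show commands used to verify it. The interface name, VLAN and maximum of 1 are assumptions; sticky learning is left out because, per the TAC reply above, the 4500 code discussed here does not support it.

```cisco
! Added example: Catalyst 4500 workstation port with dynamically learned
! port security, assembled from the steps in this thread.
! Interface name, VLAN and the maximum of 1 are assumptions for the example.
interface FastEthernet2/1
 description workstation port
 ! Access mode first: per the thread, port security is not enforced on the
 ! 4500 unless the port is an access port.
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! One dynamically learned address; a second MAC seen on the port is a violation.
 switchport port-security maximum 1
 ! Err-disable the port on violation instead of silently learning the new address.
 switchport port-security violation shutdown
 ! "switchport port-security mac-address sticky" is the 2950-style option quoted
 ! above that keeps learned addresses across a reload; TAC says it is not
 ! available on the 4500 in this release, so the secure MAC here is relearned
 ! from the first frame seen after a reload or after the port is cleared.
!
! Optional: let an err-disabled port recover on its own after the interval
! instead of requiring a manual shut/no shut (both commands are standard IOS).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: the status should read "Secure-up" once an address is learned,
! and a violation shows in the violation count and as err-disabled on the port.
show port-security interface FastEthernet2/1
show port-security address
```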
