Solved: Basic port security qeustion

Joshuabowers · ‎09-26-2015

The environment I work uses the following

switchport portsecurity

switchport portsecurity max #

switchport portsecurity age time 2

and in my CCNA class they talk about using switchport port-security mac sticky(May or may not be right syntax). Does this sticky command have to be enable for proper use of the above commands or is it enabled by default so the switch learns the address and forget them in 2 mins.

Mark Malone · ‎10-01-2015

yes as soon as 3 macs are seen the port will shut, also you should use err-disable recovery psecure-violation and security violation so when it happens port shuts but when the 3 mac is removed the port comes back up otherwise you will be going around manually bringing ports backonline

I wouldn't use sticky in your scenario , sticky learns dynamic macs puts them in secure table basically making them static so only 2 and thats it will be able to join until you clear the port-security , without sticky any 2 macs continuously will be able to join the port.It depends if you know the first 2 macs that join the port will always be there then sticky is good if different macs constantly joining but only 2 at a time then don't use sticky

View solution in original post

Mark Malone · ‎09-28-2015

mac address sticky binds the mac address learnt to the port or you can configure a sticky mac(makes it static) , you would not usually specify an ageing timer if your using sticky as you don't want that mac to be removed you want it to stick to the port and be static, this is an optional command and can be used separately or in conjunction with other port-security commands

the command would need to be enabled check this link

http://www.freeccnaworkbook.com/workbooks/ccna/configuring-sticky-switchport-security

Joshuabowers · ‎09-30-2015

OK

So with out the sticky command, the switch can still learn a mac address for 2 mins and shutdown when 2+ devices connect.

This situation is usually is set up in the dorm rooms of campus. I guess previous management wants to limit mac-address, so spoofing can be harder. In my CCNA classes they said to always use sticky mac address. A example for a port on campus is

switchport port-security

switchport port-security max 2

switchport port security aging time 2

switchport port security violation shutdown.(I know this is default.)

Mark Malone · ‎10-01-2015

yes as soon as 3 macs are seen the port will shut, also you should use err-disable recovery psecure-violation and security violation so when it happens port shuts but when the 3 mac is removed the port comes back up otherwise you will be going around manually bringing ports backonline

I wouldn't use sticky in your scenario , sticky learns dynamic macs puts them in secure table basically making them static so only 2 and thats it will be able to join until you clear the port-security , without sticky any 2 macs continuously will be able to join the port.It depends if you know the first 2 macs that join the port will always be there then sticky is good if different macs constantly joining but only 2 at a time then don't use sticky

Ganesh Hariharan · ‎10-04-2015

Hi ,

Check out the below definition for portsecuirty features.

Switch(config-if)#switchport port-security	Enable port security feature on this port
Switch(config-if)#switchport port-security maximum 1	Set limit for hosts that can be associated with interface. Default value is 1. Skip this command to use default value.
Switch(config-if)#switchport port-security violation shutdown	Set security violation mode. Default mode is shutdown. Skip this command to use default mode.
Switch(config-if)#switchport port-security mac-address sticky	Enable sticky feature.

With sticky feature interface learn mac address automatically till it reaches the maximum number of allowed hosts.

Age Time commands means :- By the end of timer it clear mac from CAM table and make inactivity till if it hasn't been seen any traffic sourced from this mac on this port since timer value clear the MAC from CAM table.

Hope it Helps..

-GI

Rate if it Helps..