
Basic port security question

Joshuabowers
Level 1

The environment I work in uses the following:

switchport port-security

switchport port-security max #

switchport port-security aging time 2


and in my CCNA class they talk about using switchport port-security mac sticky (may or may not be the right syntax). Does this sticky command have to be enabled for proper use of the above commands, or is it enabled by default so the switch learns the addresses and forgets them in 2 minutes?

 

Accepted Solution

Yes, as soon as 3 macs are seen the port will shut. Also you should use err-disable recovery psecure-violation and security violation, so when it happens the port shuts, but when the third mac is removed the port comes back up; otherwise you will be going around manually bringing ports back online.

I wouldn't use sticky in your scenario. Sticky learns dynamic macs and puts them in the secure table, basically making them static, so only 2 and that's it will be able to join until you clear the port-security; without sticky any 2 macs continuously will be able to join the port. It depends: if you know the first 2 macs that join the port will always be there, then sticky is good; if different macs are constantly joining but only 2 at a time, then don't use sticky.


4 Replies

Mark Malone
VIP Alumni

mac address sticky binds the mac address learnt to the port, or you can configure a sticky mac (makes it static). You would not usually specify an ageing timer if you're using sticky, as you don't want that mac to be removed; you want it to stick to the port and be static. This is an optional command and can be used separately or in conjunction with other port-security commands.

The command would need to be enabled; check this link:

http://www.freeccnaworkbook.com/workbooks/ccna/configuring-sticky-switchport-security

 

OK

So without the sticky command, the switch can still learn a mac address for 2 minutes and shut down when 2+ devices connect.

 

This situation is usually set up in the dorm rooms on campus. I guess previous management wanted to limit mac addresses so spoofing is harder. In my CCNA classes they said to always use sticky mac addresses. An example for a port on campus is:

 

switchport port-security

switchport port-security max 2

switchport port-security aging time 2

switchport port-security violation shutdown (I know this is the default.)


Ganesh Hariharan
VIP Alumni

Hi,

Check out the definitions below for the port-security features.

Switch(config-if)#switchport port-security
  Enable the port security feature on this port.

Switch(config-if)#switchport port-security maximum 1
  Set the limit for hosts that can be associated with the interface. The default value is 1. Skip this command to use the default value.

Switch(config-if)#switchport port-security violation shutdown
  Set the security violation mode. The default mode is shutdown. Skip this command to use the default mode.

Switch(config-if)#switchport port-security mac-address sticky
  Enable the sticky feature.

 

With the sticky feature, the interface learns mac addresses automatically until it reaches the maximum number of allowed hosts.

The aging time command means: when the timer expires, it clears the mac from the CAM table; with inactivity aging, if no traffic sourced from this mac has been seen on this port within the timer value, the MAC is cleared from the CAM table.

Hope it Helps..

-GI

Rate if it Helps..
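Putting the thread's advice together into a complete dorm-room access-port configuration, as an added example that is not from the original posts or from Cisco documentation; the interface names, VLAN 10, the 300-second recovery interval and the choice of inactivity aging are assumptions for the illustration.

```cisco
! Added example (assumed interface names, VLAN 10, 300 s recovery interval).
!
! Global: automatically recover ports err-disabled by a port-security
! violation, instead of an admin doing shutdown / no shutdown on each one.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Variant A (non-sticky, as in the accepted answer): any two MACs at a
! time; a MAC idle for 2 minutes ages out and frees its slot, while a
! third simultaneous MAC err-disables the port.
interface GigabitEthernet1/0/1
 description dorm-101-A dynamic secure MACs
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 spanning-tree portfast
!
! Variant B (sticky): the first two MACs learned are written into the
! running config as static secure addresses and stay until cleared; the
! aging timer does not apply to them, so it is left out.
interface GigabitEthernet1/0/2
 description dorm-101-B sticky secure MACs
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Verification and clean-up (exec mode):
!   show port-security interface GigabitEthernet1/0/1
!       (Port Status Secure-up / Secure-shutdown, violation count, aging type/time)
!   show port-security address
!       (secure MAC table, including remaining age per entry)
!   show errdisable recovery
!       (confirms psecure-violation recovery is enabled and shows the timer)
!   clear port-security sticky interface GigabitEthernet1/0/2
!       (forgets the sticky MACs so two new devices can join)
!   write memory
!       (sticky MACs survive a reload only once the config is saved)
```

Variant A matches the original poster's dorm config once the recovery lines are added; Variant B is what to use only when the same two devices are expected to stay on the port, as the accepted answer explains.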
