
2960 Port Security


Question

Hi everyone, I would like to thank you in advance for any help you can provide a newcomer like myself!

 

I'm studying the 100-105 book by Odom and am currently on the topic of port security. I purchased a used 2960 and I'm trying to follow along on the switch as I go. Here's what I've done, as evidenced by the show run command:

 

interface FastEthernet0/2
switchport mode access
switchport port-security

According to the book this should enable Port Security on the port with the following defaults

Max allowed addresses 1

Action Shutdown

The book goes on to say that predefining any MAC addresses is optional and sticky learning is optional as well. I plug one of my MacBooks into Fa0/2, and the console responds with up/up. I unplug and plug another MacBook into Fa0/2 and it goes up/up again and doesn't go down. I do it a few more times and still no shutdown. I do a show port-security and I see that every time I unplug a MacBook, the current address count goes back to zero.

 

2960#sh port
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/2              1            0                  0         Shutdown

 

So either the book fails to mention that for the port security default action to take place, there needs to be a defined or sticky-learned address, or I'm doing something wrong.

 

 

Thanks
Answer

 

Comments

With switchport security you have to add a few more lines. Here are some definitions and examples. Hope it helps!!!

  • To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command.
  • To return the interface to the default number of secure MAC addresses, use the no switchport port-security maximum value.
  • To delete a MAC address from the address table, use the no switchport port-security mac-address mac_address command.
  • To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {restrict | shutdown} command.

The difference between each port security mode according to Cisco:

  • protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
  • restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
  • shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

  • To disable sticky learning on an interface, use the no switchport port-security mac-address sticky command. The interface converts the sticky secure MAC addresses to dynamic secure addresses.
  • To delete a sticky secure MAC address from the address table, use the no switchport port-security sticky mac-address mac_address command. To delete all the sticky addresses on an interface or a VLAN, use the no switchport port-security sticky interface interface-id command.
  • To clear dynamically learned port security MACs in the CAM table, use the clear port-security dynamic command. The address keyword enables you to clear a secure MAC address. The interface keyword enables you to clear all secure addresses on an interface.

This example shows how to enable port security on Fast Ethernet port 12 and how to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end

Switch# show port-security interface fastethernet 3/12
Port Security              :Enabled
Port Status                :Secure-up
Violation Mode             :Shutdown
Aging Time                 :0
Aging Type                 :Absolute
SecureStatic Address Aging :Enabled
Maximum MAC Addresses      :5
Total MAC Addresses        :0
Configured MAC Addresses   :0
Sticky MAC Addresses       :11
Last Source Address        :0000.0000.0401
Security Violation Count   :0

 

This example shows how to configure a secure MAC address on Fast Ethernet port 5/1 and verify the configuration:

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 10
Switch(config-if)# switchport port-security mac-address 0000.0000.0003 (Static secure MAC)
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 (Sticky static MAC)
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# end

Switch# show port address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
   1    0000.0000.0001    SecureSticky             Fa5/1        -
   1    0000.0000.0002    SecureSticky             Fa5/1        -
   1    0000.0000.0003    SecureConfigured         Fa5/1        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 1024

 

Hi,

If you enable port security, it will allow a maximum of 1 MAC address. That means, if the switch port detects more than one MAC address, then the port will go to shutdown. For example, if you connect more than one PC to that switch port using a hub/switch. If you want to specifically assign a PC, then you can do it by manually configuring it or by sticky methods.

Hope this will help.

~Unni

Hello,

You are doing everything right. When you disconnect the first MacBook the port goes down and the MAC is cleared.

 

If you want to see the port disabled you could use VMware Fusion and fire up a VM in bridged mode. The VM will use its own MAC and then the 2960 will see two.

 

Or connect a cheap switch to the port and connect both MacBooks. Amazon has USB to Ethernet adapters for Mac for $30. That would work also. 

 

Or buy a used VoIP phone on eBay for under $30 and use the switch in the phone. I use Aastra phones and AsteriskNow in my lab. 

 

That has the advantage that you can play with switchport port-security maximum 1 vlan voice and LLDP MED. 

 

Learning port security is a great skill. Most people don't use it because they don't understand all the intricacies but it is a great first layer of security. 
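An added illustration, not Cisco code nor anything posted in this thread: a small model of the port-security behaviour described above, showing why the unplug-and-swap test never trips (dynamic secure MACs are flushed on link down) while sticky learning or a hub with two hosts does, under each of the protect/restrict/shutdown modes listed in the first reply. MAC addresses are constructed and the model assumes the book's defaults (maximum 1, violation shutdown).

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port-security, using the book's defaults (model only)."""
    maximum: int = 1                 # switchport port-security maximum 1
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)  # mac -> dynamic | sticky | static
    violations: int = 0              # SecurityViolation (Count)
    err_disabled: bool = False       # True once the port has been shut down

    def link_down(self):
        """Unplugging the cable drops dynamic secure MACs; sticky/static survive."""
        self.secure = {m: t for m, t in self.secure.items() if t != "dynamic"}

    def frame(self, mac):
        """Handle a frame with source `mac`; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Over the maximum: apply the violation mode.
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True
        elif self.violation == "restrict":
            self.violations += 1
        return "drop"  # protect drops silently and leaves the counter alone


def swap_laptops(sticky):
    """The poster's test: laptop A, unplug, laptop B on the same port (constructed MACs)."""
    port = SecurePort(sticky=sticky)
    port.frame("aaaa.bbbb.0001")
    port.link_down()
    result = port.frame("aaaa.bbbb.0002")
    return result, port.err_disabled, len(port.secure)


def hub_with_two_hosts(mode):
    """Two hosts behind a hub on one port, under the given violation mode."""
    port = SecurePort(violation=mode)
    port.frame("aaaa.bbbb.0001")
    result = port.frame("aaaa.bbbb.0002")
    return result, port.violations, port.err_disabled
```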

Michael,

Thanks for the advice! I'm using VirtualBox now with Win XP 64 so I can get PT on my Mac. But I'll try the VM setup you suggested. I'm also in the market for a used router that will let me duplicate any IOS commands used in the 100-105 Odom book. Any suggestions (I'd like to stick to hardware)?
Thanks
Nick

One possibility:

https://www.ebay.com/itm/Cisco-Catalyst-3560-WS-C3560-48PS-S-48-Port-PoE-10-100-FE-Fast-Ethernet-Switch/381829332599?hash=item58e6cd3e77:g:70cAAOSwZrhaeyZY  $39

I didn't buy mine from there, but with my version I wasn't able to implement SSH due to the wrong IOS .bin. (Sorry, you wanted a router.)

Router:

https://www.ebay.com/itm/Cisco-2801-Router-IOS-15-1-4-M-CME-8-6-CCENT-CCNA-CCVP-CCIE-CCSP-LAB-256D-256F/301121633003?epid=1831444869&hash=item461c3f7aeb:g:X~MAAOxyOlhSy8rn

 

Problem:

Could not ping between f0/5 and f0/6 below. The computer with the ff12 MAC (from arp) was moved from f0/47, where it sat behind an 8-port switch, to port f0/5.

 

Solution:
conf t
int f0/47
no switchport port-security mac-address sticky 0024.81e9.ff12

The 2 PCs started pinging each other just fine.

 

interface FastEthernet0/5
switchport mode access
spanning-tree portfast


interface FastEthernet0/6
switchport mode access
spanning-tree portfast


interface FastEthernet0/47
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0024.81e9.ff12
switchport port-security mac-address sticky c0f8.da54.0a3d


Excellent post! I learn something new from you guys and gals all the time. Had to login to say Thanks!

jhh