02-10-2018 04:57 PM - edited 03-01-2019 05:10 PM
Hi everyone, I would like to thank you in advance for any help you can provide a newcomer like myself!
I'm studying the 100-105 book by Odom and am currently on the topic of port security. I purchased a used 2960 and I'm trying to follow along on the switch as I go. Here's what I've done, as evidenced by the show run config command:
interface FastEthernet0/2
switchport mode access
switchport port-security
According to the book this should enable port security on the port with the following defaults:
Max allowed addresses: 1
Action: Shutdown
The book goes on to say that predefining any MAC addresses is optional and sticky learning is optional as well. I plug one of my MacBooks into Fa0/2, and the console responds with up/up. I unplug it and plug another MacBook into Fa0/2, and it goes up/up again and doesn't go down. I do it a few more times and still no shutdown. I do a show port-security and I see that every time I unplug a MacBook, the current address count goes back to zero.
2960#sh port
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/2              1            0                  0         Shutdown
So either the book fails to mention that for the port security default action to take place there needs to be a defined or sticky-learned address, or I'm doing something wrong.
Thanks
With switchport security you have to add a few more lines. Here are some definitions and examples. Hope it helps!!!
The difference between each port security mode according to Cisco:
This example shows how to enable port security on Fast Ethernet port 12 and how to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security interface fastethernet 3/12
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0
Aging Type                 : Absolute
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 11
Last Source Address        : 0000.0000.0401
Security Violation Count   : 0
This example shows how to configure a secure MAC address on Fast Ethernet port 5/1 and verify the configuration:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 10
Switch(config-if)# switchport port-security mac-address 0000.0000.0003 (static secure MAC)
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 (sticky static MAC)
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# end
Switch# show port address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports    Remaining Age
                                                          (mins)
----    -----------       ----                -----    -------------
   1    0000.0000.0001    SecureSticky        Fa5/1         -
   1    0000.0000.0002    SecureSticky        Fa5/1         -
   1    0000.0000.0003    SecureConfigured    Fa5/1         -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 2
Max Addresses limit in System (excluding one mac per port) : 1024
Hi,
If you enable port security, it will allow a maximum of 1 MAC address. That means, if the switch port detects more than one MAC address, then the port will go to shutdown. For example, if you connect more than one PC to that switch port using a hub/switch. If you want to specifically assign a PC, then you can do it by manually configuring it or by the sticky method.
Hope this will help.
~Unni
Hello,
You are doing everything right. When you disconnect the first Macbook the port goes down and the MAC is cleared.
If you want to see the port disabled you could use VMware Fusion and fire up a VM in bridged mode. The VM will use its own MAC and then the 2960 will see two.
Or connect a cheap switch to the port and connect both MacBooks. Amazon has USB to Ethernet adapters for Mac for $30. That would work also.
Or buy a used VoIP phone on eBay for under $30 and use the switch in the phone. I use Aastra phones and AsteriskNow in my lab.
That has the advantage that you can play with switchport port-security maximum 1 vlan voice and LLDP MED.
Learning port security is a great skill. Most people don't use it because they don't understand all the intricacies but it is a great first layer of security.
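To make the behaviour described in the replies above concrete, here is a small Python model of a port-security port. It is an added example for this thread, not code from the thread or from Cisco, and it is a simplified model rather than a reimplementation of IOS. It reproduces the original poster's experiment (one MacBook at a time with dynamic learning: no violation, because a link-down clears dynamic secure addresses), the same swap with sticky learning (violation), and two hosts behind a hub at once under each violation mode. The port name and MAC addresses are constructed sample values.

```python
"""Simplified model of Catalyst port security (added example, not IOS code).

What it models: dynamic secure addresses are removed when the link goes down,
sticky and static ones persist, and a violation occurs only when a frame arrives
from a source MAC that is not in the secure table while the table is already at
its configured maximum. The three violation modes differ in whether the frame
is counted and whether the port is err-disabled.
"""


class SecurePort:
    """One access port with 'switchport port-security' enabled."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        assert violation in ("protect", "restrict", "shutdown")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = {}            # mac -> "static" | "sticky" | "dynamic"
        self.status = "secure-up"   # or "secure-shutdown" (err-disabled)
        self.violation_count = 0
        self.last_source = None

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.secure[mac] = "static"

    def enable_sticky(self):
        """switchport port-security mac-address sticky: already-learned
        dynamic entries are converted to sticky entries."""
        self.sticky = True
        for mac, kind in self.secure.items():
            if kind == "dynamic":
                self.secure[mac] = "sticky"

    def frame_from(self, mac):
        """Process one ingress frame. Returns 'forward', 'drop' or 'err-disable'."""
        if self.status != "secure-up":
            return "drop"                   # err-disabled port passes nothing
        self.last_source = mac
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table is full and the source is unknown: security violation.
        if self.violation == "protect":
            return "drop"                   # silently dropped, not counted
        self.violation_count += 1
        if self.violation == "restrict":
            return "drop"                   # dropped and counted (syslog/trap)
        self.status = "secure-shutdown"     # err-disabled until recovered
        return "err-disable"

    def link_down(self):
        """Cable unplugged: dynamic entries go away, sticky/static remain."""
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}

    def recover(self):
        """shutdown / no shutdown (or errdisable recovery) on the port."""
        self.status = "secure-up"
        self.link_down()

    def current_addr_count(self):
        return len(self.secure)


# Constructed sample MACs for the scenarios below.
MACBOOK_A = "a4b1.c2d3.0001"
MACBOOK_B = "a4b1.c2d3.0002"


def swap_laptops(sticky):
    """The original poster's experiment: plug in one MacBook, unplug it, plug
    in another. Returns (per-frame results, port status, violation count)."""
    port = SecurePort("Fa0/2", maximum=1, sticky=sticky)
    results = [port.frame_from(MACBOOK_A)]
    port.link_down()                        # unplug: dynamic entry vanishes
    results.append(port.frame_from(MACBOOK_B))
    return results, port.status, port.violation_count


def hub_with_two_hosts(violation="shutdown"):
    """Both MacBooks behind a hub (or a bridged VM) on the same port at once."""
    port = SecurePort("Fa0/2", maximum=1, violation=violation)
    results = [port.frame_from(MACBOOK_A), port.frame_from(MACBOOK_B),
               port.frame_from(MACBOOK_A)]
    return results, port.status, port.violation_count


if __name__ == "__main__":
    print("dynamic swap :", swap_laptops(sticky=False))
    print("sticky swap  :", swap_laptops(sticky=True))
    for mode in ("protect", "restrict", "shutdown"):
        print(f"hub, {mode:8}:", hub_with_two_hosts(mode))
```

Running it shows the two swaps side by side: with dynamic learning both MacBooks are forwarded and the violation count stays at 0, while with sticky learning the second MacBook err-disables the port. In the hub case, protect drops the second host without touching the counter, restrict drops and counts, and shutdown err-disables the port so that even the first host is cut off afterwards.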
One possibility:
I didn't buy mine from there, but with my version I wasn't able to implement SSH due to the wrong IOS bin. (Sorry, you wanted a router.)
Router:
Problem:
Could not ping between f0/5 and f0/6 below. The computer with the ff12 ARP entry was moved from 0/47, with an 8-port switch, to port f0/5.
Solution:
conf t
int f0/47
no switchport port-security mac-address sticky 0024.81e9.ff12
The two PCs started pinging each other just fine.
interface FastEthernet0/5
switchport mode access
spanning-tree portfast
interface FastEthernet0/6
switchport mode access
spanning-tree portfast
interface FastEthernet0/47
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0024.81e9.ff12
switchport port-security mac-address sticky c0f8.da54.0a3d
Excellent post! I learn something new from you guys and gals all the time. Had to login to say Thanks!
jhh