06-23-2005 05:26 AM - edited 03-02-2019 11:11 PM
I've managed to set up port security and I need to lock the ports down to one MAC. Well, after going through each port step by step, all the MACs are in the table, but it shows them as dynamic addresses. I thought they were supposed to be static secure? I also thought that setting up port security would make it so that if someone changed ports on the switch it would cause a security violation; I haven't been able to create a security violation yet.
06-23-2005 05:43 AM
Hi,
How have you configured this on your switch ports, all you need to do to restrict the port to a single MAC address is:
switchport port-security
switchport port-security violation restrict
When you look at the CAM table for a specific port, the MAC address learned on that port should be listed as static and not dynamic.
my_switch#sh mac-address-table int fa 2/0/7
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
134 0003.47a4.db43 STATIC Fa2/0/7
Total Mac Addresses for this criterion: 1
EDIT: You can also issue the following command:
my_switch#sh port-security int fa 2/0/7
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0003.47a4.db43:134
Security Violation Count : 0
This shows the max allowed MACs on the port, the MAC that has been allowed, and the port status as Secure-up.
I believe that's all you need to do.
HTH
Paddy
06-23-2005 05:49 AM
Hi,
The MAC addresses which are dynamically learned are listed as dynamically secure addresses. To configure a static secure MAC address you have to use the "switchport port-security mac-address mac-address" interface command. If you want to make a dynamically learned MAC address a sticky secure MAC address, so that when the switch restarts it does not learn the address dynamically again, use the "switchport port-security mac-address sticky" interface command.
Paste the switch config so we can see why the security violation is not happening. Paste the show version from the switch as well.
Please see the link for port-security; it might come in handy.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swtrafc.htm#1092001
HTH,
-amit singh
06-24-2005 04:55 AM
06-23-2005 06:01 AM
Hi Paddy,
When you configure port-security, the addresses in the switch's MAC address table show as static. You are right about it. If you want to see the status of the secure addresses you have to use the command "show port-security address"; this is where it lists the exact status of the MAC addresses when port-security is configured. I think Jared must have looked at the same output that I am referring to. To clear the doubt please see:
4510_Switch_C48_BASEMENT#show mac-address-table interface gig 3/4
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+-------------------
3 0011.251a.bc23 static ip,ipx,assigned,other GigabitEthernet3/4
4510_Switch_C48_BASEMENT# show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
3 0011.251a.bc23 SecureDynamic Gi3/4 -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 3072
HTH,
-amit singh
06-23-2005 06:06 AM
Hi Mcmillan,
It depends on the way you have done your configuration.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning.
You can configure these types of secure MAC addresses:
Static secure MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
Dynamic secure MAC addresses: These are dynamically learned, stored only in the address table, and removed when the switch restarts.
Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.
Just check this link
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swtrafc.htm#1093914
HTH
Ankur
06-23-2005 06:50 AM
OK, I think my biggest problem is overthinking the task. What I need to have for an end result is that the switch ports only allow one MAC address to connect to them. Then, if another MAC gets connected, I need the port to shut down until I unlock it. That's why I was looking at port security. But right now, after issuing
int gig 0/1
switchport mode access
switchport port-security
switchport port-security max 1
switchport port-security violation shutdown
switchport port-security mac-address (mac add)
with this all done, if I do a show mac-add-table, all the interfaces give me a dynamic entry, and if I change the ports around to try to simulate a new computer getting plugged in, I can't get the ports to shut down. Sorry if my first question was vague.
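To tie Ankur's three address types to the end result asked for above (one MAC per port, port shut down on a violation until an administrator clears it), here is an added IOS configuration example. It is not taken from any post in this thread or from the Cisco documentation linked above; the interface names and the MAC address 0000.0c12.3456 are placeholders, and the errdisable recovery timer is an optional assumption, not something any poster configured.

```cisco
! Added example, not from the thread. Interface names and MACs are placeholders.
! Each port allows exactly one secure MAC and is err-disabled on a violation.
!
! 1) Static secure address: the administrator types the MAC; it is stored in the
!    address table and written to the running configuration.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0000.0c12.3456
!
! 2) Dynamic secure address: learned from the first frame seen on the port, kept
!    only in the address table, and forgotten on reload. "show port-security
!    address" lists it as SecureDynamic even though "show mac-address-table"
!    shows the entry as static, which is the difference discussed above.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! 3) Sticky secure address: learned dynamically, then rewritten by the switch into
!    the running configuration as "switchport port-security mac-address sticky
!    <mac>", so it survives a reload once the configuration is saved.
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Optional (assumption, not configured by anyone in the thread): let the switch
! re-enable a port err-disabled by port security after 300 seconds. Without this,
! recovery is manual: "shutdown" followed by "no shutdown" on the interface.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification commands (output omitted; the posts above show what it looks like):
! show port-security interface GigabitEthernet0/1
! show port-security address
! show interfaces status err-disabled
```

With violation mode shutdown, the first frame from a second source MAC on any of these ports puts the port into err-disabled and increments the Security Violation Count shown by "show port-security interface". Only the static and sticky variants keep the learned MAC across a reload; the dynamic variant will simply accept whatever MAC appears first after the switch comes back up.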