changing devices attached to port security?

baselzind
Level 6

Recently port security has been implemented in my environment, as shown in the commands below. I think if another phone and PC get connected their traffic will be dropped, correct? My question is: how do I configure the new devices with the new MAC if the old MAC address is stored?

Also, "switchport port-security maximum 1 vlan access" and "switchport port-security maximum 1 vlan voice" are the commands that allocate the number of MAC addresses allowed on each VLAN, correct?

A side question: what does "no logging event link-status" do?

interface GigabitEthernet
 switchport access vlan x
 switchport mode access
 switchport voice vlan x
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky x.x.x.x
 no logging event link-status

7 Replies

Mark Malone
VIP Alumni

Hi, at the minute the port is set to learn the connected MAC as dynamic but then store it as sticky (like a static MAC), so yes, if you add another device the port will go to restricted mode as that's what's set. The other option is to shut down the port.

"clear port-security dynamic address x.x.x" will remove the sticky address from port-security.

Yes, the maximum commands above limit each VLAN to 1 MAC address.

If the link bounces it doesn't log it to the buffer or syslog (depending on what's running): "no logging event link-status".


1. Does "no switchport port-security mac-address sticky" have the same effect as "clear port-security dynamic address x.x.x"? Does it remove the violation and reset the bound MAC address?

2. In restrict violation mode, what happens when a violation occurs? Does the port stay up but not connect? Does only the bound MAC address work and the other won't? Or does the port stop working completely for all devices?

3. Is it true that if a MAC is bound to one port with sticky port security, it will not work on another port?

1. I haven't tested that; I only used the latter when required, but I presume both would remove the MAC from the security database and do the same thing. One clears it from the database and the other removes it from being sticky and sets it back to dynamic, so if the switch is rebooted it won't be there when it comes back up.

2. Only the affected device that was restricted stops working; the other one will still work. Shutdown is the more preferred option for security rather than restrict: if you're constantly being attacked it's going to affect the CPU with restrict on, as it has to do a lot more than just shut the port down. It works with SNMP to send a notification and also keeps a counter.

3. I haven't tested that either; you could easily do it with a spare phone. But I would have thought it wouldn't, as it's already registered in the layer 2 security database. If you went out of the broadcast domain it may work, but I would have to test it to see exactly.

If I use a hub on a port with port security, I need to increase the maximum number of MAC addresses according to how many devices I'm connecting, correct? Or does it count as a single MAC address?

If you connect a hub to the switch port and then add multiple devices to it, yes, you will need to increase the maximum allowed addresses, as the MACs are still sent to that switchport.

How can I know the port is no longer in violation? Is there any indication? I think the violated port would be up but not functional?

You can use errdisable recovery with port-security for auto recovery. Your logs should be going to syslog as well, so you're notified about these issues on the monitoring system.

restrict—The PFC drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the security violation counter to increment.
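An added configuration example, not from the thread or from Cisco, that puts the answers above together: clearing the old sticky entry so a replacement phone or PC can be learned, changing the violation mode from restrict to shutdown, and enabling automatic err-disable recovery with syslog and SNMP notification. The interface name, VLAN numbers and syslog host are assumed placeholders.

```ios
! Added example (not from the thread). Interface name, VLAN ids and the
! syslog host are placeholders; adjust to your environment.
!
! 1. Drop the old sticky binding so the replacement device can be learned.
!    "sticky" clears the learned sticky entries (including the
!    "switchport port-security mac-address sticky <mac>" lines) for the port.
clear port-security sticky interface GigabitEthernet1/0/1
!
! 2. Same per-VLAN limits as the original post, but violation mode "shutdown":
!    a second MAC in either VLAN err-disables the port instead of silently
!    dropping the offender, so the event is visible and cheap on the CPU.
configure terminal
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! keep link-status logging so the err-disable shows up in syslog
 logging event link-status
!
! 3. Bring an err-disabled port back automatically after 5 minutes; it will
!    err-disable again at once if the extra device is still attached.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! 4. Send the violation to the monitoring system.
logging host 192.0.2.10
logging trap informational
snmp-server enable traps port-security
end
!
! 5. Verification: "Port Status" (Secure-up / Secure-shutdown), violation
!    mode, violation count, and the addresses learned per VLAN.
show port-security interface GigabitEthernet1/0/1
show port-security address
show errdisable recovery
```

With "restrict" the same show commands still work, but the port stays Secure-up and only the violation counter and a syslog/SNMP trap tell you a second device appeared.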
