1100 Views | 5 Helpful | 3 Replies

Cisco 4503 - Port Security

interedlb
Level 1

Hello,

I'm trying to implement Port Security on a Cisco 4503 switch. The network consists of two VLANs and 100+ users.

What I basically want to do is to allow all the already learned MAC addresses to communicate over the network and block any new introduced MAC addresses unless I manually enter them in the allowed list of MAC addresses.

I will use the "sticky" option so any learned or manually entered MAC addresses is saved and never lost or re-learned.

I have the following scenario in mind:

interface gigabitEthernet 0/1
 switchport mode access
 switchport port-security mac-address sticky

### After the already learned MAC addresses are converted to sticky, I will do a count on each interface and if for example I have 25 learned MAC on interface G0/1, I will next enter the following command ###

 switchport port-security maximum 25
 switchport port-security violation restrict

Two questions:

1- Is this the correct way to transition to Port Security? Any remarks on the usage of “sticky” and the counting thing?

2- In case of a violation, the command "switchport port-security violation restrict", does it restrict the flow of data on the Cisco switch port regardless of who is trying to generate traffic? Or does it restrict the flow of data only for the MAC that generated a violation?

Thank you for your help.


3 Replies

Istvan_Rabai
Level 7

Hi Raymond,

Your 1st question:

Before the "switchport port-security mac-address sticky" you should enter the following commands:

 switchport port-security
 switchport port-security maximum xx

The 1st command enables port-security at all.

The 2nd command is needed because the maximum default value is 1.

So if you don't change this to a higher value, then the sticky option will allow you to learn only 1 mac-address. Set the xx to a value that can be expected. Later you can change it to the lowest required value to deny other mac-addresses.

Your 2nd question:

The restrict option allows the port to operate but the port will drop frames from the unauthorized hosts. In addition, the switch will increment the Security Violation Counter.

You will be able to see it in the output of the show port-security interface x/y command.

Cheers:

Istvan
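The two points in this answer, the command order (enable port-security and raise the maximum before turning on sticky learning) and what "restrict" leaves behind (a port that stays up plus a growing Security Violation Count), can be turned into a small operator script. The following is an added example, not code from the thread or from Cisco: it parses a constructed "show mac address-table dynamic" excerpt in the Catalyst 4500 column layout, counts learned MACs per port, emits the per-interface commands in the order Istvan gives, and then reads a constructed "show port-security interface" output to flag ports whose violation counter is non-zero. Interface names, MAC addresses and counter values in the samples are invented.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table dynamic" output in the
# Catalyst 4500 layout. Ports and MACs are invented, not from the poster's switch.
SAMPLE_MAC_TABLE = """\
Unicast Entries
 vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+-------------------
   10    0011.2233.4455   dynamic ip,ipx,assigned,other GigabitEthernet1/1
   10    0011.2233.4456   dynamic ip,ipx,assigned,other GigabitEthernet1/1
   20    0011.2233.4457   dynamic ip,ipx,assigned,other GigabitEthernet1/1
   20    00aa.bbcc.dd01   dynamic ip,ipx,assigned,other GigabitEthernet1/2
   10    00aa.bbcc.dd02   dynamic ip                    GigabitEthernet1/3
   10    00aa.bbcc.dd03   dynamic ip                    GigabitEthernet1/3
"""

# Constructed sample of "show port-security interface" output (values invented).
SAMPLE_PORT_SECURITY = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 00aa.bbcc.dd99:10
Security Violation Count   : 3
"""

# One dynamic entry: vlan, dotted MAC, "dynamic", protocol list, port.
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+dynamic\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# "Key   : value" lines; the non-greedy key stops at the first "  : " so that
# "Last Source Address:Vlan" keeps its embedded colon.
FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


def parse_mac_table(text):
    """Return {port: sorted list of dynamically learned MACs}."""
    per_port = defaultdict(set)
    for m in MAC_LINE.finditer(text):
        per_port[m.group("port")].add(m.group("mac").lower())
    return {port: sorted(macs) for port, macs in per_port.items()}


def port_security_config(per_port, uplinks=(), violation="restrict"):
    """Emit IOS lines per access port in the order the answer recommends:
    enable port-security, set the maximum to the learned count, then sticky,
    then the violation mode. Uplink/trunk ports are skipped."""
    lines = []
    for port in sorted(per_port):
        if port in uplinks:
            continue
        lines += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {len(per_port[port])}",
            " switchport port-security mac-address sticky",
            f" switchport port-security violation {violation}",
            "!",
        ]
    return lines


def parse_port_security(text):
    """Return the 'show port-security interface' fields as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields


def violation_report(fields):
    """Summarise restrict-mode state: port still up, counter value, last offender."""
    count = int(fields.get("Security Violation Count", "0"))
    return {
        "violations": count,
        "port_up": fields.get("Port Status", "").lower().startswith("secure-up"),
        "last_source": fields.get("Last Source Address:Vlan", "unknown"),
        "alert": count > 0,
    }
```

Two caveats when using a count taken from the dynamic MAC table as the "maximum": a host that was powered off when the table was captured is not counted and will trip the counter later, and a single access port showing 25 learned addresses almost always means a downstream switch or hub rather than 25 directly attached hosts. Ports of that kind need a deliberate decision rather than an automatic limit, which is why the generator takes an explicit list of ports to leave alone.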

Hi Istvan,

Thank you for your answer. I got you regarding the "maximum" command.

Two more questions please:

1- If for example in my MAC table I have 20 learned MAC addresses and I entered the commands:

 switchport port-security
 switchport port-security maximum 20
 switchport port-security mac-address sticky

Will all the 20 already learned MAC addresses be automatically transformed into sticky addresses without any manual configuration?

2- If after some time a new PC (New MAC address) needs to be plugged into the network, how would I enter its MAC address? Will I have to set the maximum to 21 and wait for the switch to update its sticky list automatically? Or maybe I should set the maximum to 21 and enter the new MAC address manually using the command "switchport port-security mac-address xxx"?

Thank you,

Raymond

Hi Raymond,

1- Yes, the 20 mac-addresses should then be sticky. This means the 20 mac-addresses will be put into the running-config, as if you entered the mac-addresses manually with the "switchport port-security mac-address xxxx.xxxx.xxxx" command.

From this it follows that you have to do a "copy running-config startup-config" to save the learned mac-addresses. When the switch reboots next time, it will already know those mac-addresses.

2- Definitely, you have to set the maximum to 21, and you may enter the mac-address manually or wait for the switch to learn it.

Again, don't forget to copy the running-config to the startup-config, once the new mac-address is learned.

Cheers:

Istvan
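The accepted answer's two points are both about the configuration text: sticky addresses land in the running-config as "switchport port-security mac-address sticky xxxx.xxxx.xxxx" lines and are lost on reload unless copied to startup-config, and admitting a new host means raising the maximum by one and either waiting for sticky learning or adding the address by hand. The script below is an added example, not code from the thread or from Cisco: it compares constructed running-config and startup-config excerpts to list sticky addresses that have not been saved, and builds the command set for admitting one more host. Interface names and MACs are invented.

```python
import re

# Constructed running-config excerpt (interfaces and MACs invented).
RUNNING_CONFIG = """\
interface GigabitEthernet1/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.bbcc.dd01
 switchport port-security mac-address sticky 00aa.bbcc.dd02
!
interface GigabitEthernet1/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.bbcc.dd03
!
"""

# Constructed startup-config: dd02 on Gi1/2 was learned after the last save.
STARTUP_CONFIG = """\
interface GigabitEthernet1/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.bbcc.dd01
!
interface GigabitEthernet1/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00aa.bbcc.dd03
!
"""

# A learned sticky entry: the bare "mac-address sticky" line has no address.
STICKY = re.compile(
    r"^\s*switchport port-security mac-address sticky\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)


def sticky_addresses(config):
    """Return {interface: set of sticky MACs} from an IOS config text."""
    result = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result.setdefault(current, set())
        elif current is not None:
            m = STICKY.match(line)
            if m:
                result[current].add(m.group(1).lower())
    return result


def unsaved_sticky(running, startup):
    """Sticky MACs in running-config but not startup-config: these disappear on
    reload until 'copy running-config startup-config' is run."""
    run = sticky_addresses(running)
    start = sticky_addresses(startup)
    missing = {}
    for iface, macs in run.items():
        diff = macs - start.get(iface, set())
        if diff:
            missing[iface] = sorted(diff)
    return missing


def admit_new_host(interface, current_maximum, mac=None):
    """Commands for one more host on a port: raise the maximum by one and,
    if the address is known in advance, add it statically as the thread does;
    otherwise the switch learns it as sticky on first sight."""
    lines = [f"interface {interface}",
             f" switchport port-security maximum {current_maximum + 1}"]
    if mac:
        lines.append(f" switchport port-security mac-address {mac.lower()}")
    lines.append("!")
    return lines
```

Running the comparison before a maintenance window (or from a config-backup job) catches the situation the answer warns about: a port that has quietly learned a new sticky address since the last save, which would come back after a reload with one address short of its maximum and start counting violations for a host that was perfectly legitimate.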