single mac security

suthomas1
Level 6

Hi,

The following commands will be configured to allow only a single (dynamic) MAC address on switch port fa0/1.

switchport port-security

switchport port-security violation shutdown

So, in this case, if user A connects his laptop to fa0/1, he will be allowed to access the port. Now if user B connects a different laptop to fa0/1, the port should shut itself down and go into the err-disabled state, if my understanding is correct.

My query is: if user B needs to be allowed to access fa0/1, what should be done? Should the port be shut and no shut, or do I remove the security configuration and then do a shut / no shut?

Thanks.

Accepted Solution

KLAUS FRIEDEL
Level 1

Hi,

Normally you have to configure the following:

switchport port-security

switchport port-security mac-address sticky

(switchport port-security violation shutdown - that is the default)

The switch port learns the MAC and inserts a line in the config, e.g.:

switchport port-security mac-address sticky 0009.0009.0009

When user B connects his notebook to the port, it goes into the err-disabled state (show int status err).

To connect user B you have to do 3 steps:

no switchport port-security mac-address sticky 0009.0009.0009

shut

no shut

If you want to allow more than one MAC:

switchport port-security maximum [X]

Hope I could help you.

so long


3 Replies

cadet alain
VIP Alumni

Hi,

If you want 2 MAC addresses on a port with port-security enabled, then you'll have to change the default maximum of 1 to 2 with the command switchport port-security maximum 2.

Then you can shut/no shut and user B should be accepted.

One remark: the default violation mode is shutdown, so there is no need to configure it.

Regards.

Alain.

Don't forget to rate helpful posts.


Well, when you run port-security the default is to allow just one MAC address, and the default violation is shutdown. I agree with the second post, that said to just allow a maximum of 2: 'switchport port-security maximum 2'. Although, I don't think you have to shut and no shut the device unless a third host attempts to connect, which would then trigger the default violation of shutdown (correct me if I'm wrong). Also, if you don't run the command 'switchport port-security mac-address sticky', the specific MAC addresses will not be saved if you have to restart the switch for anything.
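To make the behaviour discussed in the accepted answer and in the reply above concrete, here is an added example (not from this thread or from Cisco): a small Python audit that parses the port-security lines of a running-config, applies the IOS defaults the answers mention (maximum 1, violation shutdown), flags ports that are already full, flags ports without sticky learning whose secure MACs would be lost on reload, and emits the three recovery commands from the accepted answer. The configuration text, interface names and MAC addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-config for the example; FastEthernet0/2 and 0/3
# are invented to show the other cases, and 0009.0009.0009 is the thread's MAC.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0009.0009.0009
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport mode access
!
"""

# IOS defaults that apply when the keyword is absent, as both answers note.
DEFAULT_MAXIMUM = 1
DEFAULT_VIOLATION = "shutdown"
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_port_security(config: str) -> Dict[str, dict]:
    """Return per-interface port-security state parsed from a running-config."""
    ports: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"enabled": False, "maximum": DEFAULT_MAXIMUM,
                              "violation": DEFAULT_VIOLATION, "sticky": False,
                              "sticky_macs": []}
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the interface stanza ("!" or global line)
            continue
        words = line.split()
        if words[:2] != ["switchport", "port-security"]:
            continue
        rest = words[2:]
        if not rest:                                   # bare "switchport port-security"
            ports[current]["enabled"] = True
        elif rest[0] == "maximum" and len(rest) >= 2:
            ports[current]["maximum"] = int(rest[1])
        elif rest[0] == "violation" and len(rest) >= 2:
            ports[current]["violation"] = rest[1]
        elif rest[:2] == ["mac-address", "sticky"]:
            ports[current]["sticky"] = True
            if len(rest) == 3 and MAC_RE.match(rest[2]):  # a learned sticky entry
                ports[current]["sticky_macs"].append(rest[2])
    return ports


def audit(ports: Dict[str, dict]) -> List[str]:
    """Flag a full port (next new host trips the violation action) and
    ports whose learned MACs will not survive a reload because sticky is off."""
    findings = []
    for name, p in ports.items():
        if not p["enabled"]:
            continue
        if p["sticky"] and len(p["sticky_macs"]) >= p["maximum"]:
            findings.append(f"{name}: {len(p['sticky_macs'])}/{p['maximum']} sticky MACs, "
                            f"a new host triggers violation '{p['violation']}'")
        if not p["sticky"]:
            findings.append(f"{name}: dynamic secure MACs only, lost on reload")
    return findings


def replacement_commands(iface: str, old_mac: str) -> List[str]:
    """The three steps from the accepted answer, as interface-mode commands,
    to hand a single-MAC sticky port from one host to the next."""
    return [f"interface {iface}",
            f"no switchport port-security mac-address sticky {old_mac}",
            "shutdown",
            "no shutdown"]


if __name__ == "__main__":
    state = parse_port_security(SAMPLE_CONFIG)
    for finding in audit(state):
        print(finding)
    print("\n".join(replacement_commands("FastEthernet0/1", "0009.0009.0009")))
```

Run against a saved `show running-config`, the audit lists every access port that is one new host away from err-disable, which is the condition the original poster hit, and every port where a reload would silently forget the secured hosts.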
