switch port security

silviu1983
Level 1

Hi guys,

I have some questions regarding port security on my 2690 catalyst.

So I enable mode access on a port.

I set the following options:

switchport port-security mac-address sticky

switchport port-security maximum 1

switchport port-security violation shutdown

which is great, the first address that comes up on that port will be the only one permitted.

So my questions are:

1. Is the MAC stored in run or start?

2. How long is the MAC address stored in the config file? Is it the same as in the ARP table, 4 hours?

3. What happens if I change the MAC address (device) on that port? How do I change the sticky address?

4. What happens if, for example, I reboot my switch? Is the MAC address lost? For example, if someone else who knows Cisco might reboot the switch so that he can plug in another PC. Is that possible and allowed?

5. What are some real world examples for the port-security options. I mean... is it good practice to allow 1, 2, or all?

Thanks!

2 Accepted Solutions


Hello


@silviu1983 wrote:

Hi guys,

I have some questions regarding port security on my 2690 catalyst.

So I enable mode access on a port.

I set the following options:

switchport port-security mac-address sticky

switchport port-security maximum 1

switchport port-security violation shutdown

which is great, the first address that comes up on that port will be the only one permitted.

So my questions are:

1. Is the MAC stored in run or start? - only in running-config UNLESS you save that running-config before a reload

2. How long is the MAC address stored in the config file? Is it the same as in the ARP table, 4 hours? - ARP or CAM table?
They will be in the CAM table, but no, they won't expire, as far as I understand it, because they are stored in the running config after being converted from dynamically learned to sticky static addresses.

3. What happens if I change the MAC address (device) on that port? How do I change the sticky address? - it will relearn the new address, that is, unless you have a maximum mac-limit set to 1

4. What happens if, for example, I reboot my switch? Is the MAC address lost? For example, if someone else who knows Cisco might reboot the switch so that he can plug in another PC. Is that possible and allowed? - answer is in question 1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

luis_cordova
VIP Alumni

Hi @silviu1983,

 

I think this guide answers your questions:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

 

About question 5, I have read that it is advisable to leave a maximum of 2, in case in the future an IP phone and a PC are connected to the same port.

 

Regards 
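As an added example (not from silviu1983's post or either reply), here is the full sequence the thread touches on, written as Cisco IOS CLI for a Catalyst access port with an IP phone and a PC behind it, hence maximum 2 as luis_cordova suggests. The interface name, VLAN numbers and the MAC address 0011.2233.4455 are constructed placeholders; the commands themselves are standard IOS port-security commands.

```cisco
! Constructed example, not from the thread. Interface, VLANs and the
! MAC address are placeholders; substitute your own.

configure terminal

! Recover an err-disabled port automatically after 5 minutes, so a
! violation is self-healing once the offending device is unplugged.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Send violation events to the NMS instead of relying on someone
! reading the console. The syslog message to alert on is
! %PORT_SECURITY-2-PSECURE_VIOLATION.
snmp-server enable traps port-security

interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! The phone's MAC on the voice VLAN counts toward the limit,
 ! so 1 would lock the PC out the moment the phone registers.
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
exit
exit

! Q1/Q4: sticky addresses exist only in running-config until saved.
! After the first frames arrive, running-config gains a line such as
!   switchport port-security mac-address sticky 0011.2233.4455
! Saving makes it survive a reload; without this step a reload clears
! the learned address and the port re-learns whatever plugs in next.
copy running-config startup-config

! Verification (privileged EXEC)
show port-security
show port-security interface GigabitEthernet0/1
show port-security address
show errdisable recovery

! Q3: replacing the device on the port. With the maximum already
! reached, the old sticky entry blocks the new device, so remove the
! learned entry first. Either clear everything learned on the port:
clear port-security sticky interface GigabitEthernet0/1
! or remove one specific address in interface configuration mode:
configure terminal
interface GigabitEthernet0/1
 no switchport port-security mac-address sticky 0011.2233.4455
exit
exit
! Then save again so the change is what comes back after a reload.
copy running-config startup-config

! If a violation already shut the port and recovery is not enabled,
! bounce it by hand:
configure terminal
interface GigabitEthernet0/1
 shutdown
 no shutdown
exit
exit
```

The two points that matter most for the questions asked: `copy running-config startup-config` is what turns a sticky address from something a reboot wipes into something a reboot preserves, so a saved sticky table also answers the "someone reboots the switch to plug in another PC" concern; and sticky entries are deliberately persistent rather than aged like CAM or ARP entries, which is why a device swap needs the explicit `clear` or `no ... sticky <mac>` step rather than a wait.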
