Port Security?

UsualSuspect7UsualSuspect7 MemberPosts: 76Member ■■■□□□□□□□
I have a question about an S1 0/0 connected to S2 0/1:

S1: interface S0/0
switchport mode access
switchport port-security
switchport port-security max 1
switchport port-security mac-address sticky
speed auto
duplex auto

S2: interface s0/1
switchport mode access
switchport port-security
switchport port-security max 1
switchport port-security mac-address sticky
speed auto
duplex auto

but let's say S2 has a boat load of connections, what mac address would populate within the cam table?
CISSP, CCENT, CCNA R/S, CCNA Cyber OPs, Security+, CySA+, CSAP+


Comments

  • tunerXtunerX Posts: 447Member ■■■□□□□□□□
    I have a question about an S1 0/0 connected to S2 0/1:

    S1: interface S0/0
    switchport mode access
    switchport port-security
    switchport port-security max 1
    switchport port-security mac-address sticky
    speed auto
    duplex auto

    S2: interface s0/1
    switchport mode access
    switchport port-security
    switchport port-security max 1
    switchport port-security mac-address sticky
    speed auto
    duplex auto

    but let's say S2 has a boat load of connections, what mac address would populate within the cam table?

    The first one learned on the port.
  • UsualSuspect7UsualSuspect7 Member Posts: 76Member ■■■□□□□□□□
    tunerX wrote: »
    The first one learned on the port.

    So it would learn the mac of the S2, but would it allow all other devices connected to S2 to communicated with S1?
    CISSP, CCENT, CCNA R/S, CCNA Cyber OPs, Security+, CySA+, CSAP+


  • tunerXtunerX Posts: 447Member ■■■□□□□□□□
    You set the max to 1. Once there is one mac learned from the first frame received... that's the end of it.

    Any frame received with a different source mac address will cause the port to error/operate based on your settings.
  • UsualSuspect7UsualSuspect7 Member Posts: 76Member ■■■□□□□□□□
    tunerX wrote: »
    You set the max to 1. Once there is one mac learned from the first frame received... that's the end of it.

    Any frame received with a different source mac address will cause the port to error/operate based on your settings.


    So when connected a Switch to another Switch it's not recommended to use port security? or at least not set a max value?
    CISSP, CCENT, CCNA R/S, CCNA Cyber OPs, Security+, CySA+, CSAP+


  • Danielh22185Danielh22185 Posts: 1,195Member
    So when connected a Switch to another Switch it's not recommended to use port security? or at least not set a max value?

    No. The purpose of port security is to control user access. Now there are some mechanisms like root guard that protect the switch from giving up it's root status to another one that might come along that has a better BID but switch-to-switch connections should not have port-security. The idea behind that is because they that trunk link is a trusted network connection that should not be changing often like a user port would.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
  • TechGromitTechGromit A+, N+, GSEC, GCIH, GREM, Ontario, NY Posts: 1,905Member ■■■■■■■■□□
    So when connected a Switch to another Switch it's not recommended to use port security? or at least not set a max value?

    I assume you don't mean with fiber, you mean to connecting one switch to another using Cat. 5 cable, plugging it into one of the ports on the switch. Since you have port security, Switch 1, will learn the Mac address of switch 2 and it will allow it to work perfectly fine, but once you plug other devices into Switch 2, Switch 1 will reject all the traffic from those devices. Switch 2 devices will be restricted to only talking to each other on switch 2. What are you trying to accomplish here? Are you learning/studying or you trying to secure your network?
    Still searching for the corner in a round room.
Sign In or Register to comment.