Cisco ICND - Chapter 1 Page 26

Daniel333 Member Posts: 2,077
Since I have not bought my switches yet, and my simulator sucks for switches, I am running into questions already on chapter 1. So sorry in advance, normally I would just try these out myself...

If you have a 2950 switch port that was disabled via an access violation, when the violation mode was for example, Shutdown. How do you bring the port back up, do you manually have to issue a no shut or is there another command for this? Can you automate this?

thanks as always,
-Daniel

Comments

  • mysql1988 Member Posts: 115
    just type a no shutdown to bring it back up
  • Daniel333 Member Posts: 2,077
    Thanks!... Any way to automate that so that it comes back up after X amount of time?

    Here's another bugging me from the same example. If you have a port configured as a sticky interface, but you have a hub plugged into it, with 3 nodes. Will that work, so that only those three nodes can use the interface or would you manually have to enter their MAC addresses?

    *must buy switches and soon... *
    -Daniel
  • markzab Member Posts: 619
    Daniel333 wrote:
    Thanks!... Any way to automate that so that it comes back up after X amount of time?

    Here's another bugging me from the same example. If you have a port configured as a sticky interface, but you have a hub plugged into it, with 3 nodes. Will that work, so that only those three nodes can use the interface or would you manually have to enter their MAC addresses?

    *must buy switches and soon... *

    What's a sticky interface? Is that slang?
    "You, me, or nobody is gonna hit as hard as life. But it ain't how hard you hit; it's about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That's how winning is done!" - Rocky
  • Daniel333 Member Posts: 2,077
    Maybe I am using the wrong verbiage. Related to an address dynamically getting its secure port access. As in the command "switchport port-security mac-address sticky"

    Best online link I can find
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d6a38.html
    -Daniel
  • markzab Member Posts: 619
    I'm not a pro on this...YET.

    Doesn't your link you just posted give you the information you need? Not sure exactly what you're asking in regards to the HUB, but I can tell you that the switch won't even know the HUB is there. It will only see the 3 hosts theoretically.

    If I'm reading into your thought process from the original question, are you thinking that since all 3 nodes are plugged into the HUB, they will just use a MAC address from the HUB to get through the secure port on the switch?

    If that's the case you have to remember that the HUB is on the physical layer (think of it as a signal repeater), not layer 2.
    "You, me, or nobody is gonna hit as hard as life. But it ain't how hard you hit; it's about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That's how winning is done!" - Rocky
  • Daniel333 Member Posts: 2,077
    Nah, I know hubs are dumb devices.

    I am wondering if sticky only takes the first frame it receives, say from HOST-1. It will then not take dynamically, HOST-2 and HOST-3. So really sticky is only useful one port one host. Or maybe I am misunderstanding its purpose.
    -Daniel
  • markzab Member Posts: 619
    Ok, until somebody better than me jumps in to help I'm going to keep trying. It helps me learn as well.

    This is from the link you posted...


    Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.

    Sticky secure MAC addresses—These are dynamically configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

    You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.


    Um, your question confuses me a little. From what I'm reading it states that if you enable sticky learning on an interface what will happen is the switch will take all the MAC addresses that have ALREADY been learned dynamically and copy them to the running config.

    Yes, no, getting close?
    "You, me, or nobody is gonna hit as hard as life. But it ain't how hard you hit; it's about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That's how winning is done!" - Rocky
  • sprkymrk Member Posts: 4,884
    You can specify the number of mac addresses you want the switch to learn on the port, as per your link:
    Step 5
    switchport port-security maximum value
    (Optional) Set the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.
    We do this on the 2950's where I work, but for some reason I thought the maximum was 6, not 132. Might be different on different switches/IOS.

    Optionally you can specify static macs, rather than dynamic. In the case of your example with a hub, I would make sure that only the devices you want to allow are plugged in when you enable sticky ports, and specify that as the maximum number allowed. Keep in mind though that the port will shut down if someone else plugs into the hub, thus disabling the port for everyone, even legitimate users.
    All things are possible, only believe.
  • Daniel333 Member Posts: 2,077
    ah, that's what that is for!

    Thanks!
    -Daniel
  • Ciscopimpenator Inactive Imported Users Posts: 134
    I think you can configure the switch port so it doesn't disable when a foreign MAC address tries to connect to the port.

    no switchport port-security violation

    The command is

    switchport port-security violation [protect | restrict | shutdown ]

    Here's what the three arguments for the command accomplish

    --The protect keyword causes the packets with unknown source addresses to be dropped when the maximum threshold is reached.

    --The restrict keyword increments a violation counter.

    --The shutdown keyword, the default, deactivates the port immediately and sends an SNMP trap notification.
    -Ciscopimpenator
  • sprkymrk Member Posts: 4,884
    I think you can configure the switch port so it doesn't disable when a foreign MAC address tries to connect to the port.

    no switchport port-security violation

    The command is

    switchport port-security violation [protect | restrict | shutdown ]

    Here's what the three arguments for the command accomplish

    --The protect keyword causes the packets with unknown source addresses to be dropped when the maximum threshold is reached.

    --The restrict keyword increments a violation counter.

    --The shutdown keyword, the default, deactivates the port immediately and sends an SNMP trap notification.

    Yup, very correct. We always have used shutdown. I haven't tried to see how the others work in a production environment, but protect looks promising.
    All things are possible, only believe.
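
The hub scenario discussed in this thread, as an added example that is not part of any post: a small Python model of one secure port with sticky learning, a configurable maximum, and the three violation modes. It is a simplified illustration, not Cisco's implementation; the class, function names and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Toy model of one access port with port security and sticky learning."""
    maximum: int = 1              # 'switchport port-security maximum' (default 1)
    violation: str = "shutdown"   # protect | restrict | shutdown (the default)
    secure_macs: list = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Return what happens to a frame arriving with this source MAC."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Sticky learning: every new source is learned until the table is full,
            # not just the first one seen.
            self.secure_macs.append(src_mac)
            return "forwarded (learned)"
        # Table is full and the source is unknown: security violation.
        if self.violation == "protect":
            return "dropped"
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True   # legitimate hosts lose access too
            return "dropped (port shut down)"
        return "dropped (violation counted)"


def hub_scenario(violation: str) -> list:
    """Three hosts behind a hub, then a fourth device, then host 1 again."""
    port = SecurePort(maximum=3, violation=violation)
    hosts = ["0000.0000.0001", "0000.0000.0002", "0000.0000.0003"]  # constructed MACs
    frames = hosts + ["0000.0000.0bad", hosts[0]]
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9}", hub_scenario(mode))
```

The last element of each result shows the operational difference: under protect and restrict the first host keeps working after the fourth device appears, while under shutdown it is cut off along with everyone else on the hub.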