Configuring Port Security
Darkash
Member Posts: 7 ■□□□□□□□□□
in CCNA & CCENT
Hey All,
I am doing LAB 6.2.5 on CCNA 3, Step 9-B. Well, I followed everything to a tee. In Step 7 it tells me to add a static MAC address, then when I get to step nine, where I put security on the port, I type this:
ALSwitch(config-if)#int fa0/4
ALSwitch(config-if)#switchport mode access
ALSwitch(config-if)#switchport port-security
Command rejected: FastEthernet0/4 has static addresses.
Well, you see the error there.
Can you guys explain to me why the lab tells me to put a static address in if the switch won't allow it? Or give me more information than what this LAB has given me?
Thanks
Ashley
Comments
-
larkspur Member Posts: 235
Did you build a static mac-address table first?
example:
Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1
hth!
just trying to keep it all in perspective!
-
datchcha Member Posts: 265
larkspur wrote:
Did you build a static mac-address table first?
example:
Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1
hth!
You could also use the: switchport port-security mac-address sticky command, which will learn the MAC address of the device when the first frame is sent to the switch.
Arrakis
-
larkspur Member Posts: 235
Can you guys explain to me why the lab tells me to put a static address in if the switch won't allow it? Or give me more information than what this LAB has given me?
The lab exercise you're on is probably building up to another exercise about port security. The command you tried to execute may be done a different way or have supporting commands that need to be entered first. This really depends on the version of code your switch is running.
Make sense?
just trying to keep it all in perspective!
-
mikearama Member Posts: 749
Me thinks there's more than one static mac on the port in question... suggested by the error:
Command rejected: FastEthernet0/4 has static addresses.
More than one static address would cause the command to fail, since the default for the command "switchport port-security" is a max of 1 mac.
To test if this is so, either try "switchport port-security maximum 2" or more, or do a "sh port-security int f0/4" to see what mac's are configured... I'd put even money on there being two (or more).
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
-
larkspur Member Posts: 235
Man, if I could only read, I would have seen that.
Nice catch.
just trying to keep it all in perspective!
-
Darkash Member Posts: 7 ■□□□□□□□□□
mikearama wrote:
Me thinks there's more than one static mac on the port in question... suggested by the error:
Command rejected: FastEthernet0/4 has static addresses.
More than one static address would cause the command to fail, since the default for the command "switchport port-security" is a max of 1 mac.
To test if this is so, either try "switchport port-security maximum 2" or more, or do a "sh port-security int f0/4" to see what mac's are configured... I'd put even money on there being two (or more).
Mike
Hey Mike, I will try this when I get home, but thanks for your advice and knowledge.
Ash
-
Darkash Member Posts: 7 ■□□□□□□□□□
datchcha wrote:
larkspur wrote:
Did you build a static mac-address table first?
example:
Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1
hth!
You could also use the: switchport port-security mac-address sticky command, which will learn the MAC address of the device when the first frame is sent to the switch.
I tried this command, but it did not do anything.
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
Darkash wrote:
datchcha wrote:
larkspur wrote:
Did you build a static mac-address table first?
example:
Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1
hth!
You could also use the: switchport port-security mac-address sticky command, which will learn the MAC address of the device when the first frame is sent to the switch.
I tried this command, but it did not do anything.
When a device connected to the interface sends a frame, the switch will then convert the command into a "switch port-security mac-address xxxx.xxxx.xxxx" in the running config.
The only easy day was yesterday!
-
Darkash Member Posts: 7 ■□□□□□□□□□
Darkash wrote:
mikearama wrote:
Me thinks there's more than one static mac on the port in question... suggested by the error:
Command rejected: FastEthernet0/4 has static addresses.
More than one static address would cause the command to fail, since the default for the command "switchport port-security" is a max of 1 mac.
To test if this is so, either try "switchport port-security maximum 2" or more, or do a "sh port-security int f0/4" to see what mac's are configured... I'd put even money on there being two (or more).
Mike
Hey Mike, I will try this when I get home, but thanks for your advice and knowledge.
Ash
I checked the commands, but none of them helped. I don't think you can set a static mac on the interface and then set the port-security. :S I did it with dynamic macs and it worked. Don't know what's going on there, what do you guys think?
-
larkspur Member Posts: 235
Post the config and let us take a look.
just trying to keep it all in perspective!
-
Darkash Member Posts: 7 ■□□□□□□□□□
Darkash wrote:
larkspur wrote:
Post the config and let us take a look.
Okay man, I'll go back to that lab tomorrow night, and paste it up.
Here it is:
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname ALSwitch
ALSwitch(config)#line console 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#exit
ALSwitch(config)#enable password cisco
ALSwitch(config)#enable secret cisco
ALSwitch(config)#int VLAN 1
ALSwitch(config-if)#ip address 192.168.1.2 255.255.255.0
ALSwitch(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
ALSwitch(config)#ip default-gateway 192.168.1.1
ALSwitch(config)#mac-address-table static 0060.700e.917c VLAN 1 int fa0/4
ALSwitch(config)#int fa0/4
ALSwitch(config-if)#switchport mode access
ALSwitch(config-if)#switchport port-security
Command rejected: FastEthernet0/4 has static addresses
That is where it errors out....
-
liven Member Posts: 918
Is port security on the CCNA exam?
encrypt the encryption, never mind my brain hurts.
-
mikearama Member Posts: 749
liven wrote:
Is port security on the CCNA exam?
Nope... but it is required study for the BCMSN exam.
Darkash... might as well remove the static mac, just to make sure port security works at all.
ALSwitch(config)#no mac-address-table static 0060.700e.917c VLAN 1 int fa0/4
Then try your port-sec commands. Maybe then try adding back in the static mac.
And perhaps post your "sh run"... that would help us see what you've got in there already.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
Port security is in the official courseware so it could be on the CCNA exam.
Take out the static mac address, then add the static entries back using port security (switchport port-security mac-address).
The only easy day was yesterday!
-
mikearama Member Posts: 749
I didn't think it was, dt... but sure enough, the 802 has added port security in the exam description. It wasn't there for the 801.
Looks like new CCNA's better know it, after all.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
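The order dtlokee suggests above (remove the static MAC table entry, enable port security, then re-add the address as a secure MAC), written out as an added example that is not part of the original thread. The interface and MAC address are taken from Darkash's posted session; the explicit maximum, the violation mode and the verification commands are assumptions about a typical lab setup.

```cisco
! Added example, not from the original thread.
! Interface fa0/4 and MAC 0060.700e.917c come from the posted session.
!
! 1. Remove the static MAC table entry that makes the switch reject
!    "switchport port-security" on this port.
!    (Some IOS releases spell the command "mac address-table".)
ALSwitch(config)#no mac-address-table static 0060.700e.917c vlan 1 interface fa0/4
!
! 2. Enable port security on the access port.
ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport mode access
ALSwitch(config-if)#switchport port-security
!
! 3. Re-add the address as a secure MAC under port security instead of
!    as a MAC table entry. A maximum of 1 is the default; it is stated
!    here so the intent is visible in the running config.
ALSwitch(config-if)#switchport port-security maximum 1
ALSwitch(config-if)#switchport port-security mac-address 0060.700e.917c
! Assumed choice: shutdown is the default violation mode, set explicitly.
ALSwitch(config-if)#switchport port-security violation shutdown
ALSwitch(config-if)#end
!
! 4. Verify: the port should report port security enabled with one
!    configured secure address, and no static MAC table entry should
!    remain for fa0/4.
ALSwitch#show port-security interface fa0/4
ALSwitch#show port-security address
ALSwitch#show mac-address-table static
```

With the violation mode set to shutdown, a frame from any other source MAC on fa0/4 err-disables the port until it is reset with shutdown / no shutdown.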