Configuring Port Security

Darkash Member Posts: 7
Hey All,

I am doing LAB 6.2.5 on CCNA 3, Step 9-B. Well, I followed everything to a tee. In Step 7 it tells me to add a static MAC address, then when I get to step nine where I put security on the port, I type this:

ALSwitch(config-if)#int fa0/4
ALSwitch(config-if)#switchport mode access
ALSwitch(config-if)#switchport port-security
Command rejected: FastEthernet0/4 has static addresses.

Well, you see the error there.

Can you guys explain to me why the lab tells me to put a static address in, if the switch won't allow it? Or give me more information than what this LAB has given me?

Thanks

Ashley

Comments

  • larkspur Member Posts: 235
    Did you build a static mac-address table first?

    example:
    Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1

    hth!
    just trying to keep it all in perspective!
  • datchcha Member Posts: 265
    larkspur wrote:
    Did you build a static mac-address table first?

    example:
    Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1

    hth!

    You could also use the switchport port-security mac-address sticky command, which will learn the MAC address of the device when the first frame is sent to the switch.
    Arrakis
  • larkspur Member Posts: 235
    Can you guys explain to me why the lab tells me to put a static address in, if the switch won't allow it? Or give me more information than what this LAB has given me?

    The lab exercise you're on is probably building up to another exercise about port security. The command you tried to execute may be done a different way or have supporting commands that need to be entered first. This really depends on the version of code your switch is running.

    make sense?
    just trying to keep it all in perspective!
  • mikearama Member Posts: 749
    Me thinks there's more than one static mac on the port in question... suggested by the error:
    Command rejected: FastEthernet0/4 has static addresses.

    More than one static address would cause the command to fail, since the default for the command "switchport port-security" is a max of 1 mac.

    To test if this is so, either try "switchport port-security maximum 2" or more, or do a "sh port-security int f0/4" to see what mac's are configured... I'd put even money on there being two (or more).

    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • larkspur Member Posts: 235
    man if I could only read, I would have seen that.

    nice catch.
    just trying to keep it all in perspective!
  • Darkash Member Posts: 7
    larkspur wrote:
    Did you build a static mac-address table first?

    example:
    Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1

    hth!

    That is the command I put in step 7.
  • Darkash Member Posts: 7
    mikearama wrote:
    Me thinks there's more than one static mac on the port in question... suggested by the error:
    Command rejected: FastEthernet0/4 has static addresses.

    More than one static address would cause the command to fail, since the default for the command "switchport port-security" is a max of 1 mac.

    To test if this is so, either try "switchport port-security maximum 2" or more, or do a "sh port-security int f0/4" to see what mac's are configured... I'd put even money on there being two (or more).

    Mike

    Hey Mike, I will try this when I get home, but thanks for your advice and knowledge.

    Ash
  • Darkash Member Posts: 7
    datchcha wrote:
    larkspur wrote:
    Did you build a static mac-address table first?

    example:
    Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1

    hth!

    You could also use the switchport port-security mac-address sticky command, which will learn the MAC address of the device when the first frame is sent to the switch.

    I tried this command, but it did not do anything.
  • dtlokee Member Posts: 2,378
    Darkash wrote:
    datchcha wrote:
    larkspur wrote:
    Did you build a static mac-address table first?

    example:
    Switch(config)# mac address-table static xxxx.xxxx.xxxx vlan x interface gigabitethernet0/1

    hth!

    You could also use the switchport port-security mac-address sticky command, which will learn the MAC address of the device when the first frame is sent to the switch.

    I tried this command, but it did not do anything.

    When a device connected to the interface sends a frame, the switch will then convert the command into a "switchport port-security mac-address xxxx.xxxx.xxxx" in the running config.
    The only easy day was yesterday!
  • Darkash Member Posts: 7
    Darkash wrote:
    mikearama wrote:
    Me thinks there's more than one static mac on the port in question... suggested by the error:
    Command rejected: FastEthernet0/4 has static addresses.

    More than one static address would cause the command to fail, since the default for the command "switchport port-security" is a max of 1 mac.

    To test if this is so, either try "switchport port-security maximum 2" or more, or do a "sh port-security int f0/4" to see what mac's are configured... I'd put even money on there being two (or more).

    Mike

    Hey Mike, I will try this when I get home, but thanks for your advice and knowledge.

    Ash

    I checked the commands, but none of them helped. I don't think you can set a static MAC on the interface and then set the port-security. :S I did it with dynamic MACs and it worked. Don't know what's going on there, what do you guys think?
  • larkspur Member Posts: 235
    post the config and let us take a look.
    just trying to keep it all in perspective!
  • Darkash Member Posts: 7
    larkspur wrote:
    post the config and let us take a look.

    Okay man, I'll go back to that lab tomorrow night, and paste it up.
  • Darkash Member Posts: 7
    Darkash wrote:
    larkspur wrote:
    post the config and let us take a look.

    Okay man, I'll go back to that lab tomorrow night, and paste it up.

    Here it is

    Switch>en
    Switch#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)#hostname ALSwitch
    ALSwitch(config)#line console 0
    ALSwitch(config-line)#password cisco
    ALSwitch(config-line)#login
    ALSwitch(config-line)#line vty 0 15
    ALSwitch(config-line)#password cisco
    ALSwitch(config-line)#login
    ALSwitch(config-line)#exit
    ALSwitch(config)#enable password cisco
    ALSwitch(config)#enable secret cisco
    ALSwitch(config)#int VLAN 1
    ALSwitch(config-if)#ip address 192.168.1.2 255.255.255.0
    ALSwitch(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Vlan1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
    ALSwitch(config)#ip default-gateway 192.168.1.1
    ALSwitch(config)#mac-address-table static 0060.700e.917c VLAN 1 int fa0/4
    ALSwitch(config)#int fa0/4
    ALSwitch(config-if)#switchport mode access
    ALSwitch(config-if)#switchport port-security
    Command rejected: FastEthernet0/4 has static addresses

    That is where it errors out....
  • liven Member Posts: 918
    Is port security on the CCNA exam?
    encrypt the encryption, never mind my brain hurts.
  • mikearama Member Posts: 749
    liven wrote:
    Is port security on the CCNA exam?

    Nope... but it is required study for the BCMSN exam.

    Darkash... might as well remove the static mac, just to make sure port security works at all.
    ALSwitch(config)#no mac-address-table static 0060.700e.917c VLAN 1 int fa0/4

    Then try your port-sec commands. Maybe then try adding back in the static mac.

    And perhaps post your "sh run"... that would help us see what you've got in there already.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • dtlokee Member Posts: 2,378
    Port security is in the official courseware so it could be on the CCNA exam.

    Take out the static mac address then add the static entries back using port security (switchport port-security mac-address)
    The only easy day was yesterday!
  • mikearama Member Posts: 749
    I didn't think it was, dt... but sure enough, the 802 has added port security in the exam description. It wasn't there for the 801.

    Looks like new CCNA's better know it, after all.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
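
The fix dtlokee describes above (take out the static MAC table entry, then add the address back through port security), as an added Python example that is not code from the thread: it scans configuration text for static MAC table entries on a port and generates the commands in that order. The sample config is constructed from the lines Darkash posted, and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the config posted in the thread,
# written the way they would appear in a running config.
SAMPLE_CONFIG = """\
hostname ALSwitch
mac-address-table static 0060.700e.917c vlan 1 interface FastEthernet0/4
interface FastEthernet0/4
 switchport mode access
"""

# Accepts both spellings seen in the thread: "mac-address-table" and
# "mac address-table". Global commands start at column 0.
STATIC_RE = re.compile(
    r"^(?P<kw>mac[- ]address-table) static "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"vlan (?P<vlan>\d+) interface (?P<intf>\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def static_entries(config):
    """Map interface -> [(keyword, mac, vlan)] for static MAC table entries."""
    found = {}
    for m in STATIC_RE.finditer(config):
        entry = (m["kw"], m["mac"].lower(), int(m["vlan"]))
        found.setdefault(m["intf"], []).append(entry)
    return found

def migration_commands(config, intf):
    """Commands (hypothetical helper) that move intf's static entries
    into port security: remove first, enable, then re-add as secure MACs."""
    entries = static_entries(config).get(intf, [])
    cmds = [f"no {kw} static {mac} vlan {vlan} interface {intf}"
            for kw, mac, vlan in entries]
    cmds += [f"interface {intf}", " switchport mode access",
             " switchport port-security"]
    if len(entries) > 1:
        # The thread notes the default maximum is 1; raise it before adding.
        cmds.append(f" switchport port-security maximum {len(entries)}")
    cmds += [f" switchport port-security mac-address {mac}"
             for _, mac, _ in entries]
    return cmds

if __name__ == "__main__":
    print("\n".join(migration_commands(SAMPLE_CONFIG, "FastEthernet0/4")))
```

After applying the generated commands, "sh port-security int f0/4" (mentioned earlier in the thread) shows whether the address is now listed as a secure MAC.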