Port security - Two things that actually trigger it?

CodeBlox Member Posts: 1,363
Let's say you have port security configured on switch a for host a's mac address with a violation mode of restrict. Let's say you plug switch b into switch a and plug host a into switch b. This would trigger port security and drop packets on switch a, right? It would seem that way from what I tried in Packet Tracer. But is the cause of this due to the fact that switch b's mac address is in the mac address table instead of host a's? What I planned to have happen was that host a would ping a router which was on another port on switch a. Even though port security was configured to only accept that mac address, those packets got dropped too. What I suspect was happening was that maybe STP was trying to make convergence happen with the new switch (b) and switch a added switch b's mac address to the table, triggering the error. Is this why host a's packets got dropped too? The link between switch a and b was of course a trunk, and I don't usually configure port security on the trunks, but I just wanted to see what happened.
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens

Comments

  • pham0329 Member Posts: 556
    Switches use a multicast address for protocols like CDP, VTP, DTP, routing protocols, etc., which would have a source mac of the switch originating the message and a destination address of the multicast address. For CDP/VTP, it's something like 0100.0ccc.cccc, so that's probably what's causing the port to go down.

    Do a show port-security interface to see the offending mac address.
  • CodeBlox Member Posts: 1,363
    Yeah, it had switch b's address as the last source address so I figured that was conflicting. In this case, it would seem impossible to use port security on a trunk link to allow access by a single device. I figured it was a protocol on switch b causing the problem.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • pham0329 Member Posts: 556
    CodeBlox wrote: »
    Yeah, it had switch b's address as the last source address so I figured that was conflicting. In this case, it would seem impossible to use port security on a trunk link to allow access by a single device. I figured it was a protocol on switch b causing the problem.

    It's no different than connecting a host to a phone, then the phone to the switch. You wouldn't restrict that port to 1 Mac address either, would you?
  • apr911 Member Posts: 380
    Typically, you wouldn't configure port-security on an upstream switch like this. Port-security should be configured at the port nearest to the end-point, or host in this case.

    By enabling port-security on a port that connects to another switch, you would need to configure it for all of the devices that connect to the downstream switch. In the case of a 48 port downstream switch, that would be a minimum of 49 different MAC-Addresses that need to be allowed, and that's in the simplest form of 1 host per port on the downstream switch. If you are configured in a switch-phone-host configuration, you just increased the mac-addresses to 97, and still more if you decide to allow multiple macs per port either for VMs or small hubs. If you throw a third switch in there connected via the second, you just doubled your mac-addresses.

    But ultimately, this only serves to restrict the number of hosts that can connect to that switch, not the number of hosts that can connect to the port. The idea behind port security is to restrict rogue devices, but by allowing 97 mac-addresses you could very easily connect up a rogue device before legitimate devices are connected in. The rogue device could then operate with impunity.

    What's more, what happens when you trip that port security on the upstream switch? Now instead of knocking out your network for 1 port and maybe a few hosts, you have knocked out networking for all hosts connected to that switch and any switch further downstream.

    It is easier to manage port-security closer to the host. You still need to configure port security for however many mac-addresses (-1 for each downstream switch), but you don't risk knocking large numbers of clients offline, and port-security will function as intended, preventing rogue hosts from being connected to the network.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
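An added example (written for this thread, not code from any poster or from Cisco IOS) that models pham0329's point that switch b's own CDP frames are the violating source, and apr911's point that tripping shutdown mode on an upstream port takes everything behind it offline. MAC addresses are constructed, and the model is simplified to source-MAC checking only: protect drops silently, restrict drops the offending frames and counts them, shutdown err-disables the port.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample MACs for the thread's topology (not real devices).
HOST_A = "0001.0001.0001"
SWITCH_B = "0002.0002.0002"
CDP_VTP_MCAST = "0100.0ccc.cccc"   # CDP/VTP destination quoted in the thread


@dataclass
class SecurePort:
    """Simplified model of one port-security-enabled switch port."""
    mode: str                                  # "protect", "restrict" or "shutdown"
    max_macs: int = 1
    secure_macs: Set[str] = field(default_factory=set)   # static + learned
    err_disabled: bool = False
    violations: int = 0
    last_src: Optional[str] = None             # what 'show port-security interface' shows

    def ingress(self, src: str) -> bool:
        """Process one frame's source MAC; return True if it is forwarded."""
        if self.err_disabled:
            return False                       # shutdown mode already took the port down
        self.last_src = src
        if src in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src)          # dynamic learning up to the maximum
            return True
        # Violation: unknown source MAC after the maximum has been reached.
        if self.mode != "protect":             # protect drops silently, no counter
            self.violations += 1
        if self.mode == "shutdown":
            self.err_disabled = True           # every later frame on this port is lost
        return False


def simulate(mode: str) -> Tuple[SecurePort, List[Tuple[str, bool]]]:
    """Replay the thread's scenario: a port secured for host a, switch b in between."""
    port = SecurePort(mode=mode, max_macs=1, secure_macs={HOST_A})
    # Constructed frame sequence: switch b's CDP hello (multicast destination)
    # arrives before host a's ping, then the pattern repeats.
    frames = [
        ("cdp from switch b", SWITCH_B, CDP_VTP_MCAST),
        ("icmp from host a", HOST_A, "ffff.ffff.ffff"),
        ("cdp from switch b", SWITCH_B, CDP_VTP_MCAST),
        ("icmp from host a", HOST_A, "ffff.ffff.ffff"),
    ]
    return port, [(name, port.ingress(src)) for name, src, _dst in frames]
```

In restrict mode only switch b's frames are dropped and the counter climbs; in shutdown mode the first CDP hello err-disables the port and host a's pings never get through, which is the upstream outage apr911 describes.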
  • pham0329 Member Posts: 556
    I think the OP knows that and he was just curious as to what would happen when he configures port-security on a trunk. Also, just wanted to point out
    If you are configured in a switch-phone-host configuration, you just increased the mac-addresses to 97 and still more if you decide to allow multiple macs per port either for VMs or small hubs.

    I don't know about other IP phones, but with Cisco phones, I believe if you were to configure port-security for a port connected to a Cisco phone, you would configure it to allow for at least 3 macs: 2 for the phone, 1 for the PC. The reason for this is that sometimes the phone will communicate using the data vlan, and other times through the voice vlan, and thus it will have 2 entries on the port.