Port Security help (ip phone + pc)

blackberryblackberry Member Posts: 59 ■■□□□□□□□□
in CCNA Collaboration
I have port security enabled with the following command
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security aging time 1
switchport port-security aging type inactivity


Every time i switch the ethernet cable to one device to another it does not shut down but just pick up the new mac address. When i enable the sticky command, then the port shuts down, but I feel that the sticky command will cause too much over head when a user moves.

here is what the port security int looks like

SwitchA#show port-security int fa 1/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 1232.b123.baca:1
Security Violation Count : 0


Ideally, I want the port to shut down without the sticky command and clear the mac address during an inactivity period that I set. any ideas?
· Share on FacebookShare on Twitter

Comments

  • MstavridisMstavridis Member Posts: 107
    I am confused you are allowing 2 devices as of right now, so are you attaching a third device whe you say "Every time i switch the ethernet cable to one device to another it does not shut down" ?
    · Share on FacebookShare on Twitter
  • blackberryblackberry Member Posts: 59 ■■□□□□□□□□
    I am attaching a third device to test the shutdown violation
    · Share on FacebookShare on Twitter
  • higherhohigherho Member Posts: 882
    You need to enable the sticky command for it to work properly. Even if you have max 2 enabled without the mac address sticky command the switch wont know what macs it need to keep bound to that port and their fore wont shutdown the port because it still thinks you are allowing any through.

    EDIT

    I read Jason's statement and I thought I stated the same thing but I did it poorly. He is correct, any two macs can be on it at the same time thats it but mac sticky will only allow whatever first two macs get on there only (or manually entered).
    · Share on FacebookShare on Twitter
  • Jason0352Jason0352 Member Posts: 59 ■■□□□□□□□□
    The way you have it set up now is any 2 MACs can be connected to the port - but if you introduce more than 2 MACs on that port it shutsdown. Sticky or manually adding the MAC address to the port is the only way it's going to track MACs and shutdown the port if it senses different MACs. It really isn't too bad in terms of overhead if you have syslog events setup to email you whenever port-security violations are triggered.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.