Simple question on port-security (CLI)
ednard
in CCNA & CCENT
When configuring Port Security, let's say I use the following commands:
Switch(config)#int fa0/6
Switch(config-if)#switchport port-security mac-address sticky 00E0.F951.80A9
Will the '#switchport port-security' portion of the second command enable port-security, or will I need to add 'Switch(config-if)#switchport port-security' first, and then enter the 'mac-address sticky xxxx.xxxx.xxxx' afterwards?
Comments
DCD
Switch(config)#int fa0/6
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky 00E0.F951.80A9
Switch(config-if)#switchport port-security violation ?
Then use one of the options if you use this command.
ednard
If I fail to enter a violation mode at the end, will it default to 'shutdown' mode?
ednard
Thank you both. I'm just revising Port Security and want to go over a couple of things I wasn't entirely sure about.
late_collision
Why are you setting sticky and a MAC address?
When I configure it in my lab, I receive "Sticky mac is not enabled".
alxx
What hardware and IOS, late_collision?
You use sticky with a MAC address as it gives a combination of static and dynamic.
Sticky dynamically associates the MAC address to the port. Without the sticky option, the MAC address association goes away after a specified period of time.
Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts.
Catalyst 3560 Switch Command Reference, Rel. 12.2(37)SE - Catalyst 3560 Switch Cisco IOS Commands - shutdown through vtp [Cisco Catalyst 3560 Series Switches] - Cisco Systems
https://supportforums.cisco.com/thread/151147
show port-security
show port-security interface f1/1
show port-security address
Almost identical for trunk security as well, except for the added VLAN number, maximum number of MACs (can set) and trunk encapsulation.
Goals CCNA by dec 2013, CCNP by end of 2014
late_collision
I'm running IOS 12.1(22) on some older 2950Ts.
If I type:
S1(config-if)# switchport port-security mac-address sticky ?
IOS returns:
H.H.H 48 bit mac address
<cr>
However, if I enter the command
S1(config-if)# switchport port-security mac-address sticky 00E0.F951.80A9
I get the "Sticky mac is not enabled" output.
However, I can break it into 2 commands, with no problem.
S1(config-if)# switchport port-security mac-address 00E0.F951.80A9
S1(config-if)# switchport port-security mac-address sticky
Did they just simplify the syntax in the newer IOS? It only caught my eye because I've not seen it like that before.
alxx
What switchport mode do you have set? Make sure it's not set to trunk and you don't have it set as a protected port.
For 2950
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
•Port security can only be configured on static access ports.
•A secure port cannot be a dynamic access port or a trunk port.
•A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
•A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
•A secure port cannot be an 802.1X port.
•You cannot configure static secure MAC addresses in the voice VLAN.
Catalyst 2950 Desktop Switch Software Configuration Guide, 12.1(11)YJ - Configuring Port-Based Traffic Control [Cisco Catalyst 2950 LRE Series Switches] - Cisco Systems
Give me a couple of hours and I'll check on my 2950s and 3550 when I'm back home later.
late_collision
I've set the switchport as an access port, enabled port-security, and set the maximum to 2.
Cool, interested to know your results. I suspect it's a function of a later IOS, but I've been wrong many times before.
alxx
What did you have set for violation? I've got restrict set.
Worked okay on a 2950SX but I get the same as you on a 2950G,
but I didn't get it again the second time after setting the maximum before setting the sticky MAC.
S8#conf t
Enter configuration commands, one per line. End with CNTL/Z.
S8(config)#int fastEthernet 0/1
S8(config-if)#switchport mode access
S8(config-if)#switchport port-security
S8(config-if)#switchport port-security mac-address sticky 0004.edaf.8005
S8(config-if)#switchport port-security maximum 5
S8(config-if)#switchport port-security violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode
S8(config-if)#switchport port-security violation restrict
S8(config-if)#exit
S8(config)#exit
S8#
00:08:50: %SYS-5-CONFIG_I: Configured from console by console
S8#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
Fa0/1 5 2 1 Restrict
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 1024
S8#show port-security int f
S8#show port-security int fastEthernet 0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 5
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 0004.edaf.8005
Security Violation Count : 1
S8#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 02-Sep-03 03:33 by antonino
Image text-base: 0x80010000, data-base: 0x805C0000
ROM: Bootstrap program is CALHOUN boot loader
S8 uptime is 9 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"
cisco WS-C2950SX-24 (RC32300) processor (revision G0) with 20710K bytes of memory.
Processor board ID FHK0808Y0A9
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0F:34:03:2C:00
2950G
S10(config)#int gigabitEthernet 0/1
S10(config-if)#switchport mode access
S10(config-if)#switchport port-security
S10(config-if)#switchport port-security mac-address sticky 0004.edaf.8005
Sticky mac is not enabled.
S10(config-if)#switchport port-security mac-address sticky
S10(config-if)#switchport port-security mac-address 0004.edaf.8005
Total secure mac-addresses on interface GigabitEthernet0/1 has reached maximum limit.
S10(config-if)#switchport port-security maximum 10
Yet in sh run:
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 10
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000f.3403.2c1a
S10(config)#int gigabitEthernet 0/1
S10(config-if)#switchport mode access
S10(config-if)#switch port-sec
S10(config-if)#switch port-security
S10(config-if)#switch port-security maximum 10
S10(config-if)#$-security mac-address sticky 0004.edaf.8005 000f.3403.2c1a
switch port-security mac-address sticky 0004.edaf.8005 000f.3403.2c1a
^
% Invalid input detected at '^' marker.
S10(config-if)#$-security mac-address sticky 0004.edaf.8005
S10(config-if)#switch port-security mac-address sticky 0004.edaf.8005
S10(config-if)#$-security mac-address sticky 000f.3403.2c1a
S10(config-if)#switch port-security viola
S10(config-if)#switch port-security violation restric
S10(config-if)#switch port-security violation restrict
S10(config-if)#exit
S10(config)#exit
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 10
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0004.edaf.8005
switchport port-security mac-address sticky 000f.3403.2c1a
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.60 255.255.255.0
no ip route-cache
!
no ip http server
S10#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
Gi0/1 10 2 0 Restrict
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 1024
S10#show port-security int gi 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 10
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 000f.3403.2c1a
Security Violation Count : 0
S10#
Next up, try on 3550.
alxx
Should set maximum first, then sticky, then sticky with the MAC address.
"Note If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address."
see the order in
Catalyst 2950 Desktop Switch Software Configuration Guide, 12.1(11)YJ - Configuring Port-Based Traffic Control [Cisco Catalyst 2950 LRE Series Switches] - Cisco
3550 - same as 2950G.
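As an added example that is not from this thread or from Cisco: a small Python helper that emits the interface configuration in the order that worked on the 2950G above (enable port security, set maximum, set violation mode, enable sticky learning, then the individual sticky MACs, covering both DCD's command sequence and alxx's ordering note) and audits the "show port-security interface" output posted earlier. It assumes that ordering generalizes to other IOS images; the function names, the field parsing and the warning about "protect" mode are my additions, and the two sample outputs are abridged from the S8 and S10 captures in this thread.

```python
"""Added example (not from the thread or from Cisco): emit a port-security
interface config in the order that worked on the 2950G in this thread, and
audit 'show port-security interface' output. Function names are mine."""
import re

# Order matters on the older 2950 images in the thread: a sticky MAC is
# rejected with "Sticky mac is not enabled" unless plain
# '... mac-address sticky' was entered first, and a further MAC is rejected
# once 'maximum' (default 1) is reached. So: maximum, sticky, sticky <mac>.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
VIOLATION_MODES = ("protect", "restrict", "shutdown")


def port_security_config(interface, macs, maximum=None, violation="restrict"):
    """Return IOS config lines for one access port with sticky learning.

    macs: MAC addresses to pre-seed as sticky secure addresses (H.H.H form).
    maximum: secure-address limit; defaults to len(macs), at least 1.
    """
    macs = [m.lower() for m in macs]
    for m in macs:
        if not MAC_RE.match(m):
            raise ValueError(f"bad MAC format, want H.H.H: {m}")
    if violation not in VIOLATION_MODES:
        raise ValueError(f"unknown violation mode: {violation}")
    if maximum is None:
        maximum = max(1, len(macs))
    if len(macs) > maximum:
        raise ValueError("more MACs than 'maximum' allows; IOS rejects the extras")
    lines = [
        f"interface {interface}",
        " switchport mode access",  # port security needs a static access port
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        f" switchport port-security violation {violation}",
        " switchport port-security mac-address sticky",  # enable sticky first
    ]
    lines += [f" switchport port-security mac-address sticky {m}" for m in macs]
    return lines


def parse_port_security_interface(text):
    """Turn 'show port-security interface <if>' output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_port(text):
    """Return findings for one port's show output; empty means healthy."""
    f = parse_port_security_interface(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port is in Secure-shutdown (err-disabled); last source "
                        + f.get("Last Source Address", "?"))
    if int(f.get("Security Violation Count", "0")) > 0:
        findings.append(f["Security Violation Count"] + " violation(s) counted")
    if f.get("Violation Mode", "").lower() == "protect":
        findings.append("mode 'protect' drops offenders without logging or counting")
    return findings


# Sample outputs abridged from the S8 and S10 captures earlier in this thread.
SAMPLE_S8 = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Restrict
Maximum MAC Addresses : 5
Total MAC Addresses : 2
Sticky MAC Addresses : 2
Last Source Address : 0004.edaf.8005
Security Violation Count : 1
"""
SAMPLE_S10 = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Maximum MAC Addresses : 10
Total MAC Addresses : 2
Sticky MAC Addresses : 2
Last Source Address : 000f.3403.2c1a
Security Violation Count : 0
"""

if __name__ == "__main__":
    print("\n".join(port_security_config(
        "GigabitEthernet0/1", ["0004.edaf.8005", "000f.3403.2c1a"], maximum=10)))
    print("S8 :", audit_port(SAMPLE_S8) or "ok")
    print("S10:", audit_port(SAMPLE_S10) or "ok")
```

Run it as-is to print the ordered config for Gi0/1 and the audit of both captures; paste the generated lines into interface configuration mode in the order given. The S8 capture is flagged twice (Secure-shutdown plus a non-zero violation count), the S10 capture is clean.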