Simple question on port-security (CLI)

ednardednard ■■□□□□□□□□ Posts: 75Member ■■□□□□□□□□
When configuring Port Security, let's say I use the following commands:
Switch(config-if)#int fa0/6
Switch(config-if)#switchport port-security mac-address sticky 00E0.F951.80A9

Will the '#switchport port-security' portion of the second command enable port-security, or will I need to add 'Switch(config-if)#switchport port-security' first, and then enter the 'mac-address sticky xxxx.xxxx.xxxx' afterwards?

Comments

  • DCDDCD Posts: 449Member
    Switch(config)#int fa0/6
    Switch(config-if)#switchport port-security
    Switch(config-if)#switchport port-security mac-address sticky 00E0.F951.80A9
    Switch(config-if)#switchport port-security violation ? Then use one of the option if you use this command
  • ednardednard ■■□□□□□□□□ Posts: 75Member ■■□□□□□□□□
    If I fail to enter a violation mode at the end, will it default at 'shutdown' mode?
  • DCDDCD Posts: 449Member
    Use - Show switchport port-security interface f0/6
  • dotcom85dotcom85 ■□□□□□□□□□ Posts: 14Member ■□□□□□□□□□
    the default violation action is to shutdown the port.
  • ednardednard ■■□□□□□□□□ Posts: 75Member ■■□□□□□□□□
    Thank you both. I'm just revising Port Security and want to go over a couple of things I wasn't entirely sure about.
  • late_collisionlate_collision Posts: 146Member
    Why are you setting sticky and a mac address?

    When I configure it in my lab, I receive "Sticky mac is not enabled"
  • alxxalxx Posts: 755Member
    what hardware and ios late_collision ?

    You use sticky with a mac address as it gives a combination of static and dynamic.
    sticky - dynamically associates the mac-address to the port. Without the sticky option, the mac-address association goes away after a specified period of time.

    Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts.
    Catalyst 3560 Switch Command Reference, Rel. 12.2(37)SE - Catalyst 3560 Switch Cisco IOS Commands - shutdown through vtp  [Cisco Catalyst 3560 Series Switches] - Cisco Systems
    https://supportforums.cisco.com/thread/151147


    show port-security
    show port-security interface f1/1
    show port-security address


    almost identical for trunk security as well except for the added vlan number and maximum number of macs(can set) and trunk encapsulation.
    Goals CCNA by dec 2013, CCNP by end of 2014
  • late_collisionlate_collision Posts: 146Member
    I'm running IOS 12.1(22) on some older 2950T's.

    If I type:
    S1(config-if)# switchport port-security mac-address sticky ?

    IOS returns:

    H.H.H 48 bit mac address
    <cr>


    However, if I enter the command
    S1(config-if)# switchport port-security mac-address sticky 00E0.F951.80A9

    I get the "Sticky mac is not enabled" output.

    However, I can break it into 2 commands, with no problem.
    S1(config-if)# switchport port-security mac-address 00E0.F951.80A9
    S1(config-if)# switchport port-security mac-address sticky


    Did they just simplify the syntax in the newer IOS? It only caught my eye because I've not seen it like that before.
  • alxxalxx Posts: 755Member
    what switchport mode do you have set ? makes sure its not set to trunk and you don't have it set as a protected port ?

    For 2950
    Port Security Configuration Guidelines

    Follow these guidelines when configuring port security:
    blank.gifPort security can only be configured on static access ports.
    blank.gifA secure port cannot be a dynamic access port or a trunk port.
    blank.gifA secure port cannot be a destination port for Switch Port Analyzer (SPAN).
    blank.gifA secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
    blank.gifA secure port cannot be an 802.1X port.
    blank.gifYou cannot configure static secure MAC addresses in the voice VLAN.

    Catalyst 2950 Desktop Switch Software Configuration Guide, 12.1(11)YJ - Configuring Port-Based Traffic Control * [Cisco Catalyst 2950 LRE Series Switches] - Cisco Systems

    give me a couple of hours and I'll check on my 2950's and 3550 when I'm back home later
    Goals CCNA by dec 2013, CCNP by end of 2014
  • late_collisionlate_collision Posts: 146Member
    I've set the switchport as an access port, enabled port-security, and set the maximum to 2.

    Cool, interested to know your results. I suspect it's a function of a later IOS, but I've been wrong many times before :)
  • alxxalxx Posts: 755Member
    what did\o you have set for violation ? I've got restrict set.

    worked okay on a 2950sx but get the same as you on a 2950g

    but I didn't get it again the second time after setting the maximum before setting the sticky mac


    S8#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    S8(config)#int fastEthernet 0/1
    S8(config-if)#switchport mode access
    S8(config-if)#switchport port-security
    S8(config-if)#switchport port-security mac-address sticky 0004.edaf.8005
    S8(config-if)#switchport port-security maximum 5
    S8(config-if)#switchport port-security violation ?
    protect Security violation protect mode
    restrict Security violation restrict mode
    shutdown Security violation shutdown mode


    S8(config-if)#switchport port-security violation restrict
    S8(config-if)#exit
    S8(config)#exit
    S8#
    00:08:50: %SYS-5-CONFIG_I: Configured from console by console
    S8#show port-security
    Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
    (Count) (Count) (Count)
    Fa0/1 5 2 1 Restrict
    Total Addresses in System (excluding one mac per port) : 1
    Max Addresses limit in System (excluding one mac per port) : 1024


    S8#show port-security int f
    S8#show port-security int fastEthernet 0/1
    Port Security : Enabled
    Port Status : Secure-shutdown
    Violation Mode : Restrict
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 5
    Total MAC Addresses : 2
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 2
    Last Source Address : 0004.edaf.8005
    Security Violation Count : 1


    S8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Tue 02-Sep-03 03:33 by antonino
    Image text-base: 0x80010000, data-base: 0x805C0000


    ROM: Bootstrap program is CALHOUN boot loader


    S8 uptime is 9 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"


    cisco WS-C2950SX-24 (RC32300) processor (revision G0) with 20710K bytes of memory.
    Processor board ID FHK0808Y0A9
    Last reset from system-reset
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    2 Gigabit Ethernet/IEEE 802.3 interface(s)


    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:0F:34:03:2C:00



    2950G
    S10(config)#int gigabitEthernet 0/1
    S10(config-if)#switchport mode access
    S10(config-if)#switchport port-security
    S10(config-if)#switchport port-security mac-address sticky 0004.edaf.8005
    Sticky mac is not enabled.


    S10(config-if)#switchport port-security mac-address sticky
    S10(config-if)#switchport port-security mac-address 0004.edaf.8005
    Total secure mac-addresses on interface GigabitEthernet0/1 has reached maximum limit.


    S10(config-if)#switchport port-security maximum 10

    yet in sh run

    interface GigabitEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security maximum 10
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky 000f.3403.2c1a

    S10(config)#int gigabitEthernet 0/1
    S10(config-if)#switchport mode access
    S10(config-if)#switch port-sec
    S10(config-if)#switch port-security
    S10(config-if)#switch port-security maximum 10
    S10(config-if)#$-security mac-address sticky 0004.edaf.8005 000f.3403.2c1a
    switch port-security mac-address sticky 0004.edaf.8005 000f.3403.2c1a
    ^
    % Invalid input detected at '^' marker.


    S10(config-if)#$-security mac-address sticky 0004.edaf.8005
    S10(config-if)#switch port-security mac-address sticky 0004.edaf.8005
    S10(config-if)#$-security mac-address sticky 000f.3403.2c1a
    S10(config-if)#switch port-security viola
    S10(config-if)#switch port-security violation restric
    S10(config-if)#switch port-security violation restrict
    S10(config-if)#exit
    S10(config)#exit




    interface GigabitEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security maximum 10
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky 0004.edaf.8005
    switchport port-security mac-address sticky 000f.3403.2c1a
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.1.60 255.255.255.0
    no ip route-cache
    !
    no ip http server

    S10#show port-security
    Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
    (Count) (Count) (Count)
    Gi0/1 10 2 0 Restrict
    Total Addresses in System (excluding one mac per port) : 1
    Max Addresses limit in System (excluding one mac per port) : 1024


    S10#show port-security int gi 0/1
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Restrict
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 10
    Total MAC Addresses : 2
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 2
    Last Source Address : 000f.3403.2c1a
    Security Violation Count : 0


    S10#

    next up try on 3550
    Goals CCNA by dec 2013, CCNP by end of 2014
  • alxxalxx Posts: 755Member
    should set maximum first
    them sticky
    then sticky with the mac address

    "Note blank.gifIf you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address."

    see the order in
    Catalyst 2950 Desktop Switch Software Configuration Guide, 12.1(11)YJ - Configuring Port-Based Traffic Control [Cisco Catalyst 2950 LRE Series Switches] - Cisco

    3550 - same as 2950G
    Goals CCNA by dec 2013, CCNP by end of 2014
Sign In or Register to comment.