
Switch Port security

Bolton07 Member Posts: 87
What's the difference between just typing

switchport port-security maximum 1
switchport port-security violation shutdown

and adding the sticky command in

switchport port-security mac-address sticky
switchport port-security maximum 2
switchport port-security violation shutdown

Comments

  • billyr Member Posts: 186
    With the first command you are basically telling the switch to error-disable the port should it receive more than 1 MAC address at a time, for example if it was connected to a hub or subjected to a MAC overflow attack.

    With the second it's essentially doing the same but also locking the port to 2 specific MAC addresses. Rather than typing in the MAC addresses of the hosts manually you can use the sticky command, which will basically grab the MAC address of the first 2 hosts that get attached to that port. Commonly you'd see this in a VoIP deployment, one MAC for the phone, the other for the PC.
  • Bolton07 Member Posts: 87
    Sorry, should have said:


    What's the difference between just typing

    switchport port-security maximum 1
    switchport port-security violation shutdown

    and adding the sticky command in

    switchport port-security mac-address sticky
    switchport port-security maximum 1
    switchport port-security violation shutdown
  • bermovick Member Posts: 1,135
    The only difference (obviously) being the

    switchport port-security mac-address sticky
    
    command, which will 'grab' the first MAC address it sees and store it in the running-config. Once it sees that first address, it's the same as having

    switchport port-security mac-address ####.####.####
    switchport port-security maximum 1
    switchport port-security violation shutdown
    

    So rather than 'only allowing 1 MAC address', it only allows that 1 specific MAC address.
    Latest Completed: CISSP

    Current goal: Dunno
  • peanutnoggin Member Posts: 1,096
    bermovick wrote: »
    The only difference (obviously) being the

    switchport port-security mac-address sticky
    
    command, which will 'grab' the first MAC address it sees and store it in the running-config. Once it sees that first address, it's the same as having

    switchport port-security mac-address ####.####.####
    switchport port-security maximum 1
    switchport port-security violation shutdown
    

    So rather than 'only allowing 1 MAC address', it only allows that 1 specific MAC address.

    Just a caveat... Because you're using the "maximum 1" command, that means it will only "sticky" 1 MAC. If you were to use "maximum 5" then the switch would sticky the first 5 MAC addresses it sees on that port. HTH.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
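The practical difference the replies above describe (a "maximum 1" port without sticky accepts whichever single host is plugged in, a sticky port accepts only the specific host it learned, and "maximum N" with sticky locks in the first N addresses) is easy to see in a small behavioural model. The Python below is an added illustration written for this page, not Cisco code or anything posted in the thread. It models the documented port-security rules as assumptions: a frame from an unknown source MAC is learned while the port is under its maximum, an extra MAC is a violation that err-disables the port under "violation shutdown", dynamically learned secure MACs are flushed when the link goes down, and sticky MACs are written into the running-config and survive a link flap. No aging is modelled, and every MAC address and interface name is constructed for the example.

```python
"""Model of Cisco port-security: dynamic vs sticky secure MAC addresses.

Added illustration, not Cisco code. Assumed behaviour (matching the IOS
documentation): learned addresses count against 'maximum'; an extra source
MAC is a violation; 'violation shutdown' puts the port into err-disable;
dynamic secure MACs are flushed on link down, sticky MACs are kept and
written into the running-config. MACs and interface names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' applied."""
    name: str
    maximum: int = 1                # switchport port-security maximum N
    sticky: bool = False            # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)
    errdisabled: bool = False
    running_config: list = field(default_factory=list)  # sticky lines written by the switch

    def frame_from(self, mac: str) -> str:
        """Process a frame with source MAC `mac`; return what the port did."""
        if self.errdisabled:
            return "dropped"          # an err-disabled port forwards nothing
        if mac in self.secure_macs:
            return "forward"          # already a secure address on this port
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)
            if self.sticky:
                # the switch converts the learned address into a config line
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "learn"
        # table full and this MAC is not one of the secure addresses:
        # 'violation shutdown' err-disables the port
        self.errdisabled = True
        return "violation"

    def link_down(self) -> None:
        """Cable pulled: dynamic secure MACs are flushed, sticky ones are kept."""
        if not self.sticky:
            self.secure_macs.clear()


def swap_host_scenario(sticky: bool) -> list:
    """Plug in host A, unplug it, plug in host B on a 'maximum 1' port."""
    port = SecurePort("Gi0/1", maximum=1, sticky=sticky)
    events = [port.frame_from("0011.2233.4455")]      # host A (constructed MAC)
    port.link_down()
    events.append(port.frame_from("6677.8899.aabb"))  # host B (constructed MAC)
    return events


def hub_scenario(sticky: bool) -> list:
    """Two hosts behind a hub on a 'maximum 1' port: violation either way."""
    port = SecurePort("Gi0/2", maximum=1, sticky=sticky)
    return [port.frame_from("0011.2233.4455"),
            port.frame_from("6677.8899.aabb")]


def voip_scenario() -> tuple:
    """'sticky' + 'maximum 2': phone and PC are locked in, a third host is not."""
    port = SecurePort("Gi0/3", maximum=2, sticky=True)
    events = [port.frame_from("0011.2233.4455"),   # IP phone
              port.frame_from("6677.8899.aabb"),   # PC behind the phone
              port.frame_from("ccdd.eeff.0011")]   # third, unexpected host
    return events, port.running_config, port.errdisabled


if __name__ == "__main__":
    print("swap host, no sticky :", swap_host_scenario(False))   # second host accepted
    print("swap host, sticky    :", swap_host_scenario(True))    # second host violates
    print("hub, no sticky       :", hub_scenario(False))
    print("hub, sticky          :", hub_scenario(True))
    events, config, errdis = voip_scenario()
    print("voip events          :", events, "errdisabled:", errdis)
    for line in config:
        print("  " + line)
```

Run it and the two rows of swap_host_scenario are the whole answer to the question: without sticky the second host is learned and forwarded, with sticky it trips the violation and the port goes err-disabled. On a real switch `show port-security interface <if>` shows the same state (secure address count, sticky count, violation count, port status), and sticky addresses only survive a reload if the running-config is saved.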