Tuesday, September 28, 2021 2:44 PM
- switchport port - predefine any allowed source MAC addresses for this interface. - security mac-address mac-address
(Optional)- tell the switch to “sticky learn” dynamically learned MAC addresses.
(Optional)- switchport port-security mac-address stickyswitchport port - enables port security, with all defaults - securitydefines a specific source MAC address. With the default maximum source address setting of
1switchport port - - security mac-address 0200.1111.1111default violation action disable the interface.- Port security does not save the configuration of the sticky addresses - use the copy running-config startup-config command if desired.
make sure to configure the maximum MAC address to at least two (one for the phone,
or for a PC connected to the phone)- voice ports-
- the port security configuration should be placed on the portthan the individual physical interfaces in the channel. -channel interface, rather
- EtherChannels
voice ports and EtherChannelsVerifying Port Security
- provides the most insight to how port security operates
- lists the configuration settings for port security on an interface
-
- Port Security: EnabledPort Status: Secure-shutdown
-
- Violation mode: shutdownMaximum MAC Addresses : 1
- Last source Address:VLAN: 0013:197b:5004 1
-
- includes information about any security violations
Show port-security interface-
- Port Security: EnabledPort Status: Secure-shutdown
-
- Violation Mode: ShutdownMaximum MAC Addresses: 1
- Sticky MAC Addresses: 1
- Last Source Address: Vlan 0013:197b:5004 1
Show port-security interface fastEthernet 0/2secure- the interface has been disabled because of port security-shutdown statePort Security MAC Addresses
No longer listed as dynamic entries- Do not show up in the results from show mac address-table dynamic EXEC command.- #
you need to use one of these options to see the MAC table entries associated with ports
using port security:- #
- Port security ports
show mac address - Lists MAC addresses associated with ports that use port security - table secure :Lists MAC addresses associated with ports that use port security, as well as any
other statically defined MAC addressesshow mac address - - table static:show mac address-table secure interface F0/2(All three options cause the switch to discard the offending frame)- Discard frame
Protect-
- Discard frameSend log and snmp messages
- increment violation counter
Restrict- Discard frame
-
- Send log and snmp messagesincrement violation counter
- Puts interface into err-disabled state, discarding all traffic
ShutdownPort Security Violation Modes
Shutdown Mode
- interface must be shut down with the shutdown command and then enabled with the no shutdown command.
- recover from an err-disabled state
- automatically recover from the err-disabled state:
- automatic recovery for interfaces in an err-disabled state caused by port security
errdisable recovery cause psecure-violationerrdisable recovery interval - set the time to wait before recovering the interface secondslists the current port-security status (secure-shutdown) as well as the configured mode
(shutdown)- #
last line of output lists the number of violations that caused the interface to fail to an err-
disabled state- #
show port-security interfacedisabled statesecond-to-last line identifies the MAC address and VLAN of the device that caused the
violation.- #
- notes the number of times the interface has been moved to the errshutdown) state. -disabled (secure-
- while errafter shutdown/no shutdown, another violation that causes the interface to fail to an err-disabled, many frames can arrive, but the counter remains at 1. -
disabled state will cause the counter to increment to 2.
- #
violations counterProtect and Restrict Modes
still discard offending traffic, but the interface remains in a connected (up/up) state and in a port
security state of secure-up.
- #
- port continues to forward good traffic but discards offending traffic.
-
- discard the frame.does not change the port to an err-disabled state
- does not generate messages
- does not even increment the violations counter
-
protect