daknetworks.com


Cisco Port Security

I had to get port-security running on a Cisco Catalyst 2960-S:

Show the port information on a Cisco 2960-S

  • -click START > RUN > CMD
  • -type: telnet
  • -type: o 111.222.333.444 (that's the letter o, the Windows telnet "open" command, followed by the IP address of the switch; 111.222.333.444 is a placeholder, not a real address)
  • -type in the password
  • -type: show interfaces (this will give the long version: full status and counters for every interface).
  • -type: show interfaces summary (this will give the traffic summary version).
  • -type: show interfaces description
  • -type: show ip interface (this will give the IP-level status of each interface, including up/down).
  • -type: show ip interface brief (this will give the ports' up/down status at a glance).
  • -type: show interfaces status (this will give each port's link state, vlan, duplex and speed).
  • -type: show interfaces status err-disabled (this will give a quick report of the ports in err-disabled mode).
  • -type: show power inline (this will give the PoE power status per port).
  • -type: show version (for overall switch info, IOS version and uptime).

NOTE: the 2960-S platform has a dedicated 100 Mb/s out-of-band management port identified as FastEthernet0.

NOTE: telnet sends the login and enable passwords across the network in cleartext. On anything but an isolated management network, enable SSH on the switch instead (ip ssh version 2, and transport input ssh on the vty lines) and connect with an SSH client.

Show the Port Security on a Cisco 2960-S

  • -type: enable
  • -type: the enable password (the switch's equivalent of a sudo password; set it with enable secret rather than enable password so it is stored as a hash, not in the clear).
  • -type: show port-security (this will give, per port, the maximum and current secure MAC count, the violation count and the violation action).
  • -type: show port-security interface Gi 0/1 (this will give the individual port's status as per port security, including the last source address seen).
  • -type: show port-security address (this will give the port security memorization table: every secure MAC address, its type and the port it is bound to).

Configure the Port Security on a Cisco 2960-S

  • -type: configure terminal
  • -type: interface Gi 0/19 (to configure that port).
  • -or type: interface range Gi 0/1 - 19 (to configure a range of ports).
  • -type: switchport mode access (port security is rejected on a port that is still in DTP "dynamic" mode, the 2960-S default, so pin the mode first).
  • -type: switchport port-security (to enable port security)
  • -type: switchport port-security maximum 1 (allows only 1 mac address to be learned on the port).
  • -type: switchport port-security violation shutdown (on a violation the port is put into err-disabled state and stays down until someone manually recovers it; restrict would instead keep the port up, drop the offending frames and log them, and protect drops them silently with no log).
  • -type: switchport port-security mac-address sticky (learns the first mac address seen on the port and writes it into the running-config as a secure address).
  • -type: switchport port-security aging time 0 (0 means the secure mac address never ages out; this is the default)
  • -type: switchport port-security aging type absolute (the aging timer, if one were set, would count from when the address was learned rather than from its last activity; with aging time 0 it has no effect, so this line just makes the intent explicit).
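The whole procedure above, consolidated into one configuration session, as an added example (this is not the page author's configuration; the port range, VLAN 10, the port description and the recovery interval are assumptions). It also adds the two checks a practitioner would want that the step list leaves out: the port has to be a static access port before port-security is accepted, and the learned sticky addresses only survive a reload once the config is saved.

```cisco
! Added example: harden Gi0/1-19 on a Catalyst 2960-S with port-security.
! VLAN 10, the port range and the description are assumptions, not values from the page.
configure terminal
!
! --- Port configuration ---
interface range GigabitEthernet0/1 - 19
 description USER-PORT
 ! Port-security is rejected on a DTP "dynamic" port, so pin the mode first.
 switchport mode access
 switchport access vlan 10
 ! Enable port-security and allow exactly one secure MAC address.
 switchport port-security
 switchport port-security maximum 1
 ! On a violation, err-disable the port (needs a manual shut / no shut,
 ! or the errdisable recovery configured below). Alternatives:
 !   restrict = keep the port up, drop offending frames, log and count them
 !   protect  = drop silently with no log (avoid: you will never see the event)
 switchport port-security violation shutdown
 ! Learn the first MAC seen and write it into the running-config.
 switchport port-security mac-address sticky
 ! 0 = secure addresses never age out; "absolute" is then moot but explicit.
 switchport port-security aging time 0
 switchport port-security aging type absolute
 ! End-host ports: skip STP listening/learning, but err-disable the port if a
 ! switch (BPDU) ever shows up on it; complements port-security on user ports.
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
exit
!
! --- Optional: automatic recovery from a port-security violation ---
! Without this a violated port stays err-disabled until an admin intervenes.
! With it the port comes back after the interval even if the offending device
! is still plugged in (it simply trips again), so keep the interval long
! enough that the event is noticed and investigated. 600 s is an assumption.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
end
!
! --- Verify ---
show port-security
show port-security interface GigabitEthernet0/19
show port-security address
show interfaces status err-disabled
show errdisable recovery
!
! Sticky addresses live only in running-config until saved.
write memory
```

Leave the errdisable recovery section out if an operator is expected to look at every violated port before it comes back; with it in, a violation becomes a log entry to chase rather than a hard stop.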

Manually Enable the Port after a Violation on Port Security

  • -while still in config mode.
  • -type: shutdown (this shuts the port down).
  • -type: no shutdown (this brings the port back up).

When a security violation happens, the port is put into err-disabled state and will not pass traffic. It requires manual intervention, so that someone makes certain there is no malicious activity happening before the port is returned to service. The commands above will bring the port back up working with the original MAC address, which is still recorded as the port's secure address.

Clear out the Sticky MAC Address to Allow Another Computer/Device

  • -login to switch.
  • -type: enable
  • -type: config terminal
  • -type: interface G 0/19
  • -type: shut
  • -type: do clear port-security all interface gi0/19 (do runs an exec-mode command from config mode; this removes the secure mac addresses learned on the port).
  • -type: no switchport port-security mac-address sticky (removes the sticky entry from the running-config).
  • -type: switchport port-security mac-address sticky (re-enables sticky learning for the next device).
  • -type: no shutdown

This will clear out the mac-address that is remembered and bring the port back up so that it will learn a NEW mac-address from whatever is plugged in next.

However, if the mac-address is still recorded as a secure address on its original port, you will not be able to use that mac-address on another secured port: the switch treats the same secure address showing up on a second port as a violation. The mac-address has to be cleared from the original port it is attached to first.

First, find out if the mac-address is attached to a port and make note of the port.

  • -type: show port-security address

Now, shut down the new port:

  • -type: config t
  • -type: int gi0/28
  • -type: shut

Now, clear out the mac-address from the original port:

  • -type: config t
  • -type: int gi0/19
  • -type: shut
  • -type: do clear port-security all interface gi0/19
  • -type: no shut

Now, verify the mac-address is gone:

  • -type: do show port-security address
  • -type: end

Finally, bring back up the new port:

  • -type: config t
  • -type: int gi0/28
  • -type: no shut

You can see if a port is in violation by:

  • -type: show int status

To let the switch recover err-disabled ports on its own instead of waiting for an admin:

  • -type: config t
  • -type: errdisable recovery cause psecure-violation
  • -optionally type: errdisable recovery interval 600 (the recovery timer in seconds, 30 to 86400; the default is 300).

But then the port stays down until that interval expires before it is available again, and if the offending device is still attached the port simply goes err-disabled again, so the violation still has to be investigated rather than waited out.

To see the timeout and which causes are set to recover:

  • -type: show errdisable recovery

You might want to see if any mac-address is in the table:

  • -type: show mac address-table
  • -or type: show mac address-table interface gi0/19 (for a single port).

Disable Port Security

  • -while in config mode & while in an interface or range of interfaces
  • -type: no switchport port-security

End the Config Session

  • -type: end

To Tail the Logs

  • -type: terminal monitor (sends syslog messages to your current telnet/SSH session as they happen).
  • -type: terminal no monitor (stops them).
  • -type: show logging (shows the buffered log; a violation is logged as %PORT_SECURITY-2-PSECURE_VIOLATION with the offending MAC address and port, followed by %PM-4-ERR_DISABLE putting the port in err-disable state).

Save the Changes

  • -type: write memory
  • -or type: copy running-config startup-config

Sticky mac-addresses are written into the running-config as they are learned, so they are lost on a reload unless the config is saved.
