7 Replies. Latest reply: Feb 9, 2012 1:18 PM by cadetalain

    about security switch more..

    Humberto Perez

      Hi everybody


      I came across the following question while studying for the ICND2.


      What is a valid reason for a switch to deny port access to new devices when port security is enabled?


      1. The denied MAC address has already been learned or configured on another secure interface in the same VLAN.
      2. The denied MAC address is statically configured on the port.
      3. The minimum MAC threshold has been reached.
      4. The absolute aging time for the denied MAC address has expired.


      According to the material, the correct answer is 2.

      Does it mean, for example, this?

      switch(config)#interface fastethernet 0/0
      switch(config-if)#switchport mode access
      switch(config-if)#switchport port-security
      switch(config-if)#switchport port-security maximum 1
      switch(config-if)#switchport port-security violation shutdown
      switch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx //?


      2) Another question

      What is the recommendation for ports that we will not use in a switch, and for VLAN 1?


      Should we change the native VLAN to another one?

      Should we shut down the ports that we don't use, or add them to a parking VLAN?


      Thanks in advance to all.


        • 1. Re: about security switch more..

          Hello. Yes, take VLAN 1 out and do a shutdown on that VLAN so it cannot be used.

          For the question about port security, it is due to a MAC address already learned on that port. Don't let all the other items **** you into thinking something else. If it is shut down, then it was in violation of the security setup on that port. That MAC can be assigned to many different ports, but when a new MAC address is put on it, the port will shut down if that is how it is set up.

          Also, for the unused ports, do a shutdown on them. I have been pulling out unused switches and shutting down the ports that are not used, but the best thing I did was change the password so only myself and the IT manager know it. This makes me feel a lot safer about the network now.

          As for adding the MAC address into the port security, I usually won't do that; too much work. Just plug the machine into the switch and let the switch learn the MAC address to set itself up to shut down if it goes into a violation.

          I don't like to park them; then someone might be able to do something to the switch. Just do a shutdown to prevent anyone from plugging anything into the switch and getting a good port.

          Why make it any easier on them at all?

          • 2. Re: about security switch more..


            I have been googling for an answer to the 1st question and I found this at Todd Lammle's site forum:


            " ...

            The answer is "A"

            When you are using port security, this is local to the switch.
            If that MAC address is learned on another port "on the same switch", it will not be allowed in another port on that same switch.

            Todd Lammle

            .... "


            I'm confused ...

            • 3. Re: about security switch more..

              For the first question,

              f0/2-- host A 0001.96E0.BABA

              f0/3-- host B 0003.E472.A209


              I enabled port-security on f0/2 and f0/3, violation shutdown.

              I set "switchport port-security mac-address 0001.96E0.BABA" on f0/3... nothing happened, even though host A is connected to f0/2 and the link is up.


              Then I tried "switchport port-security mac-address 0001.96E0.BABA" on f0/3 and got an error:

              "Found duplicate mac-address 0001.96e0.baba."



              So the same mac address cannot be assigned to different ports for port-security.

              And plugging in a device with mac address set on a different port doesn't hurt anything?


              Cisco 2960-24TT

              • 4. Re: about security switch more..



                Let's rule out the incorrect answers:


                3. The minimum MAC threshold has been reached.


                There is no minimum threshold BUT a maximum number of secured addresses.


                4. The absolute aging time for the denied MAC address has expired.


                By default the aging time is 0, which means never age out, but let's suppose we have modified this. Then, when the secured address is aged out and a frame with this source address comes in on the port, it will be inserted again in the TCAM as secured.


                2. The denied MAC address is statically configured on the port.


                If an address is statically configured as secure, then it won't be denied but accepted.


                So that leaves us answer 1 as correct, because if you have a host with MAC A on port f0/1 marked as secured, then when moving this host to another port you'll have a MAC move violation.
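A small Python model of the decisions the elimination above walks through, added here as an illustration (it is not Cisco code and not from this thread). It encodes a per-port maximum, static secure addresses, the duplicate-address error from reply 3, the MAC move violation from reply 4, and aging as removal of learned entries only; port names, VLAN numbers and MAC values other than the two from reply 3 are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown | restrict | protect
    static: set = field(default_factory=set)   # set with port-security mac-address
    learned: set = field(default_factory=set)  # learned dynamically from traffic
    err_disabled: bool = False
    def secure(self) -> set:
        return self.static | self.learned

class Switch:
    def __init__(self, *ports: SecurePort):
        self.ports = {p.name: p for p in ports}

    def secured_elsewhere(self, mac, port):
        # Another port in the same VLAN that already secures this address, if any
        return next((o for o in self.ports.values()
                     if o is not port and o.vlan == port.vlan and mac in o.secure()), None)

    def configure_static(self, port_name, mac):
        port = self.ports[port_name]
        if self.secured_elsewhere(mac, port):
            raise ValueError(f"Found duplicate mac-address {mac}.")
        port.static.add(mac)

    def age_out(self, port_name, mac):
        # Aging removes a dynamically learned entry only; static entries stay
        self.ports[port_name].learned.discard(mac)

    def frame_in(self, port_name, mac) -> str:
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped: port err-disabled"
        if mac in port.secure():
            return "forwarded"                 # a secure address is never denied
        owner = self.secured_elsewhere(mac, port)
        if owner:
            return self.violate(port, f"mac-move from {owner.name}")
        if len(port.secure()) < port.maximum:
            port.learned.add(mac)
            return "forwarded: learned as secure"
        return self.violate(port, "maximum reached")

    def violate(self, port, reason) -> str:
        port.err_disabled = port.violation == "shutdown"
        return f"violation ({reason}): " + ("port err-disabled" if port.err_disabled else "frame dropped")
```

Note that the MAC move check runs before the free-slot check, so a port with room still errdisables when it sees an address secured on another port in its VLAN.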





                • 5. Re: about security switch more..

                  Thank you Alain.

                  I found this in Cisco documents.


                  After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.



                  I guess you are right.

                  • 6. Re: about security switch more..

                    Great stuff guys!


                    Multilayer switches still have a CAM table, and any L2 "switchport" will use this table to forward L2 traffic within that VLAN.


                    TCAM is used to forward L3 traffic, i.e., "no switchport" ports or between SVIs for inter-VLAN routing.

                    • 7. Re: about security switch more..



                      Thanks for pointing out the difference between CAM and TCAM.