This topic is to discuss the following lesson:
Hi, your lessons are very interesting. Thanks.
Hi Rene, thanks for the lessons. Very interesting and informative - keep up the good work
Instead of reading 1253 PDFs from Cisco, in 10 min everything was understood with simple and interesting examples. Congratulations René, this is a very useful lesson.
Thanks Luís! Glad to hear it was useful to you.
Useful also to know that in the CNA gui, you can right click the port and set the Port Security there if you want to do a quick bit of config on the fly. Thanks
Thanks - nice tutorial and I just applied it to one port on our switch!
Wonderful tutorial, you're my angel switch, but does this tutorial work on the Catalyst 2960 Series?
Sure, even the 2950 will work.
Hi Rene, I have a strange problem related to your post. We have an unmanaged switch connected to a managed switch port. That port is configured as follows:
description Conference Room
switchport access vlan 43
switchport mode access
switchport port-security maximum 16
switchport port-security
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 20
dot1x timeout tx-period 10
spanning-tree bpduguard enable
If a user connects to this switch and then unplugs (without logging off), goes to their desk and plugs in, their port is err-disabled. I have to shut the port on the conference room switch and then shut and no shut their port. After that all is well. What can I do to prevent me having to shut the port the conference room unmanaged switch is in?
Rene, you are great!!! What an explanation…
Try this on the conference room interface.
switchport port-security aging time 300
In 5 minutes, it should reset.
To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can enable auto-recovery for port security violations. A recovery interval is configured in seconds.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation:
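As an added example (not part of the reply above, and not the original poster's configuration), here is how the conference-room uplink from the question could be configured so that a port-security violation heals itself: inactivity aging releases MAC addresses that have gone quiet, and errdisable recovery re-enables the port without manual intervention. The interface name, hostname and the 600-second interval are assumptions; VLAN 43 and the maximum of 16 come from the thread. Note that the port-security aging time is specified in minutes on Catalyst switches, while the errdisable recovery interval is in seconds.

```cisco
! Added example: uplink to an unmanaged switch with self-healing port-security.
! Interface name is assumed; VLAN and maximum are taken from the question.
interface GigabitEthernet0/10
 description Conference Room (unmanaged switch)
 switchport mode access
 switchport access vlan 43
 switchport port-security
 switchport port-security maximum 16
 ! Aging time is in MINUTES. With type "inactivity", a MAC address that has
 ! been silent for 5 minutes is removed from the table, so a laptop that is
 ! unplugged and moved to another port no longer counts against the maximum.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! Default violation mode is "shutdown" (port goes err-disabled).
 ! "restrict" would instead drop offending frames and log, keeping the port up:
 !   switchport port-security violation restrict
 switchport port-security violation shutdown
 spanning-tree bpduguard enable
!
! Global: ports that were error-disabled by a port-security violation are
! re-enabled automatically after 600 seconds (assumed value; seconds, not minutes).
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Verification commands
show port-security interface GigabitEthernet0/10
show port-security address
show errdisable recovery
show interfaces status err-disabled
```

`show errdisable recovery` lists which causes have recovery enabled and the remaining time for each currently err-disabled interface; `show port-security interface` shows the aging type and time actually in effect, which is the quickest way to confirm the units were entered as intended.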
It is normal for companies to have unmanaged Linksys switches or other brands connected to a Cisco switch. I had this issue at one company I was working for because every time they connected an unmanaged switch a lot of users would lose connectivity. Then I removed bpduguard and configured port-security allowing only 10 MAC addresses and we haven't had that issue. I noticed that BPDU guard will bring the port into err-disable. Please advise if this is correct.
It depends… in an SMB environment, you can encounter anything. I've seen Cisco switches in combination with any other vendor's switch. Sometimes users bring their own stuff and connect it to the network.
In larger (enterprise) networks they typically spend some more time at network design and more money on hardware. You won’t see cheap unmanaged switches there…
BPDU guard will put your interface in err-disable if it receives a BPDU on the interface. Some unmanaged switches might still send these, so that could cause the interface to go down. Here's an example btw:
Typically port-security is only used on access interfaces that connect computers, laptops or IP phones. You can set it to 1 MAC address for computers or two if there’s an IP phone with a computer behind it.
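The access-port case described above, as an added example that is not code from the original reply: a user port carrying an IP phone with a PC behind it, limited to two MAC addresses in total and one per VLAN on platforms that support per-VLAN maximums. The interface name and the data/voice VLAN IDs (10 and 20) are assumptions.

```cisco
! Added example: access port for an IP phone with a PC behind it.
! Interface name and VLAN IDs are assumed.
interface FastEthernet0/1
 description User desk: IP phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! Two addresses in total: the phone (voice VLAN) and the PC (data VLAN).
 switchport port-security maximum 2
 ! Per-VLAN limits stop two PCs from sharing the port via the phone's switch
 ! (supported on Catalyst platforms with per-VLAN port-security maximums).
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 ! Learn the first addresses seen and keep them in the running config.
 switchport port-security mac-address sticky
 ! "restrict" drops frames from extra addresses and raises a syslog/SNMP
 ! notification without shutting the port; "shutdown" is the default.
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification: shows the configured/current maximum, violation mode,
! sticky addresses learned and the violation counter.
show port-security interface FastEthernet0/1
show port-security address
```

For a plain PC port without a phone, drop the voice VLAN and per-VLAN lines and set `switchport port-security maximum 1`, which matches the single-address case mentioned in the reply.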
This sounds silly, but I want to know how you can ping from the IOS command line with Packet Tracer instead of the command prompt?
What exactly do you mean? Do you want to use a GUI instead of the command line or something like traceroute?
Sorry, it was a mistake.
Nice & very informative. Keep it up.
I do not understand what this command (errdisable recovery cause psecure-violation) is exactly used for?
Does the switch port recover itself from err-disabled mode if we set the aging time to, say, 10 minutes instead of the default 0 minutes?