Thanks Luís! Glad to hear it was useful to you.
Also useful to know: in the CNA GUI, you can right-click the port and set Port Security there if you want to do a quick bit of config on the fly. Thanks
Thanks - nice tutorial and I just applied it to one port on our switch!
Wonderful tutorial, you're my angel switch, but can the Catalyst 2960 Series work with this tutorial?
Sure, even the 2950 will work.
Hi Rene, I have a strange problem related to your post. We have an unmanaged switch connected to a managed switch port. That port is configured as follows:

 description Conference Room
 switchport access vlan 43
 switchport mode access
 switchport port-security maximum 16
 switchport port-security
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 20
 dot1x timeout tx-period 10
 spanning-tree bpduguard enable

If a user connects to this switch and then unplugs (not logoff), goes to their desk and plugs in, their port is err-disabled. I have to shut the port in the conference room and then shut and no shut their port. After that all is well. What can I do to avoid having to shut the port that the conference room unmanaged switch is on?
Rene, you are great!!! What an explanation…
Try this on the conference room interface.
switchport port-security aging time 300
In 5 minutes, it should reset.
To avoid having to manually intervene every time a port-security violation forces an interface into the error-disabled state, one can enable auto-recovery for port security violations. A recovery interval is configured in seconds.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600
Ten minutes after a port was error-disabled, we can see that the port is automatically transitioned back into operation:
It is normal for companies to have unmanaged Linksys switches or other brands connected to a Cisco switch. I had this issue at one company I was working for: every time they connected an unmanaged switch, a lot of users would lose connectivity. Then I removed BPDU guard and configured port-security allowing only 10 MAC addresses, and we haven’t had that issue since. I noticed that BPDU guard will bring the port into err-disable. Please advise if this is correct.
It depends… in an SMB environment, you can encounter anything. I’ve seen Cisco switches in combination with any other vendor’s switches. Sometimes users bring their own stuff and connect it to the network.
In larger (enterprise) networks they typically spend some more time at network design and more money on hardware. You won’t see cheap unmanaged switches there…
BPDU guard will put your interface in err-disable if it receives a BPDU on the interface. Some unmanaged switches might still send these, so that could cause the interface to go down. Here’s an example btw:
Typically port-security is only used on access interfaces that connect computers, laptops or IP phones. You can set it to 1 MAC address for computers or two if there’s an IP phone with a computer behind it.
This sounds silly, but I want to know how you can ping from the IOS command line in Packet Tracer instead of the command prompt.
What exactly do you mean? Do you want to use a GUI instead of the command line or something like traceroute?
Sorry, it was a mistake.
Nice and very informative. Keep it up.
I do not understand what this command (errdisable recovery cause psecure-violation) is exactly used for.
Does the switch port recover itself from err-disabled mode if we set the aging time to, say, 10 minutes instead of the default 0 minutes?
You have it right. In your example, the switch would automatically bring the violating port out of err-disabled mode in 10 minutes. Of course, if whatever caused the port to violate in the first place is still going on, the port will just bounce in and out of err-disabled mode every ten minutes.
The idea behind auto-recovery is so that if whatever caused the violation is just a transitory condition, the administrator doesn’t have to get involved to bring the port back to a functional state.
Can you please answer these questions:
1 - What is the difference between the aging types (absolute and inactivity), and what do we use them for?
2 - What is the difference between the aging time and the errdisable recovery interval?
3 - What is the use of this command “switchport port-security aging static”?
Absolute = aging based on a clock, regardless of activity
Inactivity = aging based on whether frames have been received from the MAC in question. Once a frame has been received the configured aging value resets and starts to count down again
You might use Absolute in a public-access setting, maybe a library where people can plug in, but after a certain amount of time re-authentication must occur.
You might use Inactivity in a more semi-private setting, like the lobby of a business. The idea being that you want to limit the number of devices attached to a port, but so long as a device is remaining active, it is okay for it to remain.
These are very different. Aging time has to do with how long a switch associates a MAC address with a particular port using the options discussed in #1. Errdisable Recovery interval is how long a port remains in an err-disabled state (and there are lots of reasons why a port might be in this state) before it automatically “recovers” to being in a normal status. Of course, if the condition that caused the port to go into an errdisabled state still remains after the automatic recovery, the port will again return to an errdisabled state.
This command tells the switch that even manually defined MAC addresses are subject to the aging mechanisms defined (as was discussed in #1). By default, manually defined static MACs are not subjected to aging out. I suppose the thought is that if you went to the trouble of manually defining a MAC to Port association, you want that to be persistent.
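To tie together the two threads above (errdisable auto-recovery, and the aging type / aging static options), here is an added configuration example. It is not from the original posts or from Rene's tutorial; the interface names, VLANs, the printer MAC address and the timer values are assumptions chosen for illustration.

```text
! Added example (not from the thread). Interface names, VLANs, MAC and
! timers are assumptions.
!
! Global: automatically recover ports that port-security shut down, so an
! admin does not have to shut / no shut them. This interval is in SECONDS
! (300 = 5 minutes). If the offending device is still attached, the port
! will simply be err-disabled again after it recovers.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! User port: a PC behind an IP phone, so two MACs are allowed. One MAC is
! configured statically (an assumed printer address) and is normally exempt
! from aging; "aging static" makes it age out like the dynamic ones.
interface GigabitEthernet0/1
 description User port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
 ! Port-security aging time is in MINUTES, unlike the errdisable interval.
 ! Inactivity type: the 10-minute countdown restarts every time a frame
 ! arrives from the secure MAC, so an active device is never aged out.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security aging static
!
! Public port (the library case): absolute aging removes the learned MAC
! 60 minutes after it was secured, whether or not it is still sending.
interface GigabitEthernet0/2
 description Public port (assumed)
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security aging type absolute
!
! Verification commands:
!  show errdisable recovery                         - enabled causes and the timer
!  show interfaces status err-disabled              - ports currently err-disabled and why
!  show port-security interface GigabitEthernet0/1  - aging time/type, violation count, state
!  show port-security address                       - secure MACs with remaining age
```

Two units are easy to confuse when reading the thread: `switchport port-security aging time` takes minutes, while `errdisable recovery interval` takes seconds, so `aging time 300` means five hours, not five minutes. The aging settings only decide when a secure MAC is forgotten; they do nothing for a port that is already err-disabled, which is what the errdisable recovery commands are for.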
Thanks Andrew, it’s clear now.
One more question:
What is the difference between these two commands, “switchport port-security aging time” and “mac-address-table aging-time”?