How to Configure Dynamic Switchport Security?
Due to the limited feature support of the NM-16ESW, this lab CANNOT be completed
using the Free CCNA Workbook GNS3 topology. However, this lab can be completed
using the Stub Lab.
Real World Application & Core Knowledge
It is common knowledge that when a switch reaches the maximum size of its MAC address table it starts flooding traffic out all ports like a hub. Attackers know this and use it to gain access into a network: if they can flood the switch with thousands of fake MAC addresses, the switch effectively becomes a hub and all traffic is forwarded to their machine, where they can sniff Telnet or any other insecure protocol used in the environment to gain further access into the network.
One way to prevent this "MAC address table poisoning" vulnerability is to use a feature called "Port Security".
Port Security is essentially a layer 2 security mechanism that limits the number of MAC addresses that can be learned on a single switch port. It can also be used as a security barrier to prevent anyone from unplugging a network device and plugging in a new device without authorization.
Ideally, no more than three MAC addresses should be learned at any given time on a port in a Cisco network. Why 3? Most networks envision a future where VoIP will be utilized, and when using a Cisco VoIP solution the Cisco IP phone has a built-in mini switch. When you connect a phone to the network it presents three MAC addresses to the switch: one MAC for the built-in phone switch, another MAC for the phone itself, and the last MAC for the directly connected PC.
There are several configuration elements needed to enable port-security correctly: port security MAC address aging, which sets a timeout that determines how long a MAC address stays associated with a particular port; the port security mac-address, which can be dynamic or sticky (discussed in the next lab); the maximum number of MAC addresses that can be associated with a particular port; and the violation action, whether the port protects, restricts or shuts down once the maximum MAC address limit has been exceeded or a device does not match the MAC address configured in the port security configuration.
There are three different violation modes you can use with Port Security, the first being protect. In protect mode a violation will still allow permissible traffic from authorized MAC addresses, but all other traffic from unknown MAC addresses will be dropped. In restrict mode a violation will restrict all traffic and generate an SNMP trap to the SNMP server for administrative reference. The last mode is shutdown, which places the port into err-disabled mode once a port security violation has occurred.
In this lab you will familiarize yourself with the following commands:
Lab Prerequisites
If you are using GNS3 then load the Free CCNA Workbook GNS3 topology and start devices R1 and SW1.
Establish a console session with device R1 and configure the devices' respective hostname(s).
Assign the IP address 10.1.1.1/24 to R1 Fa0/0 and the IP address 10.1.1.10/24 to SW1's Vlan1 interface, then verify IP connectivity between R1 and SW1.
Command / Description

switchport port-security
  Executed in interface configuration mode; enables port security on the configured port.

switchport port-security aging
  Executed in interface configuration mode; sets the MAC address aging timer, which determines how long a MAC address stays associated with a particular port that has port-security enabled.

switchport port-security mac-address {hhhh.hhhh.hhhh | sticky}
  Executed in interface configuration mode; specifies a static MAC address, or (with sticky) converts the dynamically learned MAC addresses into statically configured MAC addresses.

switchport port-security maximum #
  Executed in interface configuration mode; specifies the maximum number of MAC addresses that can be learned on that switchport before a violation is triggered.

switchport port-security violation {protect | restrict | shutdown}
  Executed in interface configuration mode; specifies the action to be taken upon a port security violation.

show port-security
  Executed in privileged mode; shows the current port-security status of all ports on the switch that are participating in port-security.

show port-security interface interfacename#/#
  Executed in privileged mode; shows the port-security details of a particular port, including status, aging timeout, violation mode, maximum MAC addresses and other configurable options.

show port-security interface interfacename#/# address
  Executed in privileged mode; shows the MAC addresses currently secured by port-security on that port.
Lab Objectives
Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses.
Configure interface Fa0/1 on SW1 to shut down the port if there is a port-security violation.
Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.
Lab Instruction
Step 1. Enable port-security on SW1 interface Fa0/1 and allow a maximum of 3 MAC addresses.
To enable port security on a specific port you use the switchport port-security command in interface configuration mode, and switchport port-security maximum 3 to set the limit, as shown below:
SW1 con0 is now available
Press RETURN to get started.
SW1>enable
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface fa0/1
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#
Step 2. Configure interface Fa0/1 on SW1 to shut down the port if there is a port-security violation.
To shut down a port once a violation is triggered you use the switchport port-security violation shutdown command in interface configuration mode as shown below:
SW1(config-if)#switchport port-security violation shutdown
Step 3. Verify your port-security configuration on SW1 by changing the MAC address on R1's FastEthernet0/0 interface to aaaa.aaaa.aaaa, then aaaa.aaaa.aaab and finally aaaa.aaaa.aaac to trigger a violation.
You can first verify your configuration by using the show port-security interface fa0/1 command in privileged mode to view the current port-security configuration on a per-port basis as shown below:
SW1(config-if)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000f.242e.bf80:1
Security Violation Count : 0
SW1#
As you can see from the output above, the port status is currently "Secure-up", meaning port security is enabled, and the maximum address count is 3. The port has already learned R1's original MAC address (000f.242e.bf80). You can test this port-security configuration by changing the MAC address on R1 three times: the first two new addresses fill the table to its limit of 3, and the third change exceeds the limit and triggers a violation.
You can change the MAC address of a router's interface by using the mac-address xxxx.xxxx.xxxx command in interface configuration mode as shown below:
R1 con0 is now available
Press RETURN to get started.
R1#enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fa0/0
R1(config-if)#mac-address aaaa.aaaa.aaaa
R1(config-if)#mac-address aaaa.aaaa.aaab
R1(config-if)#mac-address aaaa.aaaa.aaac
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to down
R1(config-if)#
If you were watching SW1 after each MAC address change on R1, you would see the secure address table grow as shown below, until the port was automatically placed into err-disabled mode:
SW1#show port-security interface fa0/1 address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 000f.242e.bf80 SecureDynamic Fa0/1 -
------------------------------------------------------------------------
Total Addresses: 1
SW1#show port-security interface fa0/1 address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 000f.242e.bf80 SecureDynamic Fa0/1 -
1 aaaa.aaaa.aaaa SecureDynamic Fa0/1 -
------------------------------------------------------------------------
Total Addresses: 2
SW1#show port-security interface fa0/1 address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 000f.242e.bf80 SecureDynamic Fa0/1 -
1 aaaa.aaaa.aaaa SecureDynamic Fa0/1 -
1 aaaa.aaaa.aaab SecureDynamic Fa0/1 -
------------------------------------------------------------------------
Total Addresses: 3
SW1#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in
err-disable state
SW1#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address aaaa.aaaa.aaac on port FastEthernet0/1.
SW1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state
to down
SW1#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW1#
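As an added example that is not part of the original lab, the Python below parses the show port-security interface output and the syslog messages shown above, audits the port against the settings this lab intends (shutdown mode, a maximum of 3 addresses), and extracts the offending MAC and port from the violation message. The sample text is constructed from the lab's own output; the expected_mode parameter and the finding strings are this example's own assumptions, not anything the switch produces.

```python
import re

# Constructed sample: the "show port-security interface fa0/1" output from the lab.
SHOW_PSEC = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000f.242e.bf80:1
Security Violation Count : 0
"""

# Constructed sample: the syslog lines SW1 printed when the violation fired.
SYSLOG = """\
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.aaaa.aaac on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
"""


def parse_show_port_security(text):
    """Split each 'Key : Value' line on its LAST ' : ' so that the
    'Last Source Address:Vlan' key survives intact; returns a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _num(fields, key):
    # Values such as "0 mins" carry a unit; the leading token is the number.
    return int(fields[key].split()[0])


def audit_port(fields, expected_mode="Shutdown"):
    """Return the findings a defender would want from one port's status block."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return ["port security is not enabled"]
    mode = fields.get("Violation Mode")
    if mode != expected_mode:
        findings.append(f"violation mode is {mode}, expected {expected_mode}")
    maximum, total = _num(fields, "Maximum MAC Addresses"), _num(fields, "Total MAC Addresses")
    if total >= maximum:
        findings.append(f"secure address table full ({total}/{maximum}); "
                        "the next unknown MAC triggers a violation")
    if _num(fields, "Aging Time") == 0:  # 0 means aging is disabled on IOS
        findings.append("aging time is 0, so dynamically learned addresses never expire")
    if _num(fields, "Security Violation Count") > 0 or fields.get("Port Status") == "Secure-shutdown":
        findings.append("port has recorded a violation; check the last source address")
    return findings


VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")


def extract_violations(log_text):
    """Return (event, port, mac) tuples for the port-security events in a syslog feed."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append(("violation", m["port"], m["mac"]))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append(("err-disabled", m["port"], None))
    return events


if __name__ == "__main__":
    print(audit_port(parse_show_port_security(SHOW_PSEC)))
    print(extract_violations(SYSLOG))
```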
More Related Topics:
Switchport Security & Configuration
How to Configure Dynamic DNS on a Cisco Router?