Differences

This shows you the differences between two versions of the page.

--- cisco:certification_topics:ccie-ei:1.1.aii [2025/11/23 15:10] – Name
+++ cisco:certification_topics:ccie-ei:1.1.aii [2025/11/23 17:11] (current) – Name
@@ Line 2: / Line 2: @@
 =====Port Security=====
+====General====
+  * Port security configuration on the whole switch can be viewed by.
+    * <code>switch#show port-security
+Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
+                (Count)       (Count)          (Count)
+---------------------------------------------------------------------------
+    Te1/0/1              1            0                  0         Shutdown
+---------------------------------------------------------------------------
+Total Addresses in System (excluding one mac per port)     : 0
+Max Addresses limit in System (excluding one mac per port) : 4096</code>
   * Port security configuration on a port can be viewed by.
     * <code>switch#show port-security interface tenGigabitEthernet 1/0/1
@@ Line 16: / Line 26: @@
 Last Source Address:Vlan   : 0000.0000.0000:0
 Security Violation Count   : 0</code>
+====Administrative Mode====
+  * The Administrative Mode **static access** or **trunk** to enable port-security on a port.
+    * <code>switch#show interfaces te1/0/1 switchport
+Name: Te1/0/1
+Switchport: Enabled
+Administrative Mode: static access
+switch(config)#int te 1/0/1
+switch(config-if)#switchport port-security</code>
+    * <code>switch#show interfaces te1/0/3 switchport
+Name: Te1/0/3
+Switchport: Enabled
+Administrative Mode: trunk
+switch(config)#int t 1/0/3
+switch(config-if)#switchport port-security</code>
+  * The default of **dynamic auto** will result in a rejected **switchport port-security** command.
+    * <code>switch(config-if)#do show int t1/0/2 switchport
+Name: Te1/0/2
+Switchport: Enabled
+Administrative Mode: dynamic auto
+switch(config-if)#switchport port-security
+Command rejected: TenGigabitEthernet1/0/2 is a dynamic port.</code>
+====Aging Time====
   * By default, secure MAC addresses will not age out.
   * To define an aging time, from 1-1440 minutes
-    * <code>switch(config-if)#switchport port-security aging time 1</code>
+    * <code>switch(config-if)#switchport port-security aging time ?
-  * The default aging type is Abosolute
+  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440</code>
-    * <code>switch#show port-security interface tenGigabitEthernet 1/0/1 | i Aging Time
+====Aging Types====
-Aging Time                 : 1 mins</code>
+  * The Aging types are:
+    * Absolute
+      * The default aging type is Absolute.
+      * After the secure MAC address is learned, the aging timer starts and the MAC is removed after the timer expires, even if the switch continues receiving frames from that source MAC address.
+    * Inactivity
+      * After the secure MAC address is learned, the aging timer starts but is reset every time a frame from that source MAC address is received on the interface.
+    * Can be configured by.
+      * <code>switch(config-if)#switchport port-security aging type ?
+  absolute    Absolute aging (default)
+  inactivity  Aging based on inactivity time period</code>
+====Secure MAC aging====
+  * Secure Static MAC aging is disabled by default (addresses configured with **switchport port-security mac-address** <MAC>.
+  * Can be enabled by.
+    * <code>switch(config-if)#switchport port-security aging static</code>
+====Violation Modes====
+  * Determines how port-security will protect the port in case of a violation.
+  * The modes are:
+    * protect
+      * Discard traffic from unauthorized hosts.
+      * The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices are dropped and no log entry is generated.
+      * Keyword: No log entry.
+    * restrict
+      * The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices is dropped and a log entry is generated.
+    * shutdown
+      * Shutdowns the port if more than the maximum number of allowable MAC addresses are learned on the interface.
+  * Defined per port by.
+    * <code>switch(config-if)#switchport port-security violation ?
+  protect   Security violation protect mode
+  restrict  Security violation restrict mode
+  shutdown  Security violation shutdown mode</code>
+=====Sticky MAC addresses=====
+====General====
+  * There are two type of sticky secure MAC address.
+    - An incoming packet, with a MAC address, is automatically assigned to that port.
+    - The MAC address is statically defined.
+  * By default, when enabled, one MAC address is allowed per port.
+  * Sticky secure MAC address learning can be enabled, per interface, by.
+    * <code>switch(config-if)#switchport port-security mac-address sticky ?
+  H.H.H  48 bit mac address
+  <cr>   <cr></code>
+    * <code>switch(config-if)#switchport port-security mac-address sticky 1234.1234.1234</code>
+  * Sticky secure MAC address will never age out.
+  * If the command, **switchport port-security mac-address sticky** is issued, then all current dynamically-learned secure MAC addresses will be converted to sticky secure MAC addresses.
+  * Sticky secure MAC address learning can be disabled by.
+    * <code>no switchport port-security mac-address sticky</code>
+    * All current sticky secure MAC addresses will be converted to regular dynamically-learned secure MAC address.
+====Types====
+  * Secure MAC addresses will be added to the MAC address table like any other MAC address.
+    * Sticky and Static secure MAC addresses will have a type of STATIC.
+    * Dynamically-learned secure MAC addresses will have a type of DYNAMIC.
+    * To view all secure MAC addresses.
+      * <code>switch#show mac address-table secure
+          Mac Address Table
+-------------------------------------------
+Vlan    Mac Address       Type        Ports
+----    -----------       --------    -----</code>
 =====Errdisable recovery=====
@@ Line 67: / Line 161: @@
 ====Configuration=====
-  * To configure all causes
+  * Are applied globally.
+  * To configure all causes.
     * <code>switch(config)#errdisable detect cause all</code>
-  * To configure one cause
+  * To configure one cause.
     * <code>switch(config)#errdisable detect cause <cause name></code>
     * <code>switch(config)#errdisable detect cause link-flap</code>
-  * To disable all causes
+  * To disable all causes.
     * <code>switch(config)#no errdisable detect cause all</code>
-  * To disable one cause
+  * To disable one cause.
     * <code>switch(config)#no errdisable detect cause <cause name></code>
     * <code>switch(config)#no errdisable detect cause link-flap</code>
 ====Recovery Options=====
-  * Automatically recover from all error conditions
+  * Automatically recover from all error conditions.
     * <code>switch(config)#errdisable recovery cause all</code>
-  * Automatically recover from one error condition
+  * Automatically recover from one error condition.
     * <code>switch(config)#errdisable recovery cause mac-limit</code>
   * Else, to recover from an errdisabled state, the port must be shut/no shut.
@@ Line 91: / Line 186: @@
 ====Recovery Interval=====
   * When enabled, the default recovery interval is 300 secs (5 mins)
-  * Modify recovery interval by
+  * Modify recovery interval from 30-86400 secs (24 hrs) by
     * <code>switch(config)#errdisable recovery interval ?
   <30-86400>  timer-interval(sec)</code>
     * <code>switch(config)#errdisable recovery interval 30</code>
+====Verification====
+  * View a single interface status line protocol.
+    * <code>switch#show interfaces t1/0/1 | i line protocol
+TenGigabitEthernet1/0/1 is down, line protocol is down (notconnect)</code>
+  * View all interface status line protocols.
+    * <code>switch#show interfaces status err-disabled</code>
+  * View all errdisable reason status' and timer.
+    * <code>switch#sh errdisable recovery
+ErrDisable Reason            Timer Status
+-----------------            --------------
+arp-inspection               Enabled
+bpduguard                    Enabled
+channel-misconfig            Enabled
+dhcp-rate-limit              Enabled
+dtp-flap                     Enabled
+gbic-invalid                 Enabled
+inline-power                 Enabled
+l2ptguard                    Enabled
+link-flap                    Enabled
+mac-limit                    Enabled
+link-monitor-failure         Enabled
+loopback                     Enabled
+oam-remote-failure           Enabled
+pagp-flap                    Enabled
+port-mode-failure            Enabled
+pppoe-ia-rate-limit          Enabled
+psecure-violation            Enabled
+security-violation           Enabled
+sfp-config-mismatch          Enabled
+storm-control                Enabled
+udld                         Enabled
+vmps                         Enabled
+psp                          Enabled
+dual-active-recovery         Disabled
+evc-lite input mapping fa    Disabled
+Timer interval: 30 seconds
+Interfaces that will be enabled at the next timeout:</code>
+=====Switchport Security Configuration=====
+  * Port security configuration for a single MAC address, from the first learned MAC address.
+    - Change port mode to access port.
+      * <code>switch(config-if)#switchport mode access</code>
+    - Configure port security to allow first MAC that is seen connected to the port, or in the CAM table already.
+      * <code>switch(config-if)#switchport port-security mac-address sticky</code>
+    - Configure only one MAC address to be learned.
+      * <code>switch(config-if)#switchport port-security maximum 1</code>
+    - Configure violation mode.
+      * <code>switch(config-if)#switchport port-security violation shutdown</code>
+    - Enable port-security (must be done).
+      * <code>switch(config-if)#switchport port-security</code>
+    - Verify port-security configuration.
+      * <code>switch#show port-security interface t1/0/1
+Port Security              : Enabled
+Port Status                : Secure-down
+Violation Mode             : Shutdown
+Aging Time                 : 1 mins
+Aging Type                 : Inactivity
+SecureStatic Address Aging : Enabled
+Maximum MAC Addresses      : 1
+Total MAC Addresses        : 1
+Configured MAC Addresses   : 0
+Sticky MAC Addresses       : 1
+Last Source Address:Vlan   : 0000.0000.0000:0
+Security Violation Count   : 0</code>
+    - Optional: Configure automated port recovery.
+      * <code>switch(config)#errdisable recovery cause all</code>
+    - If no automated recovery is configured, then the port has to be **shut/no shut** to recover.
+    - Optional: Change recovery timer, in seconds.
+      * <code>switch(config)#errdisable recovery interval 30
+switch#show errdisable recovery | i interval
+Timer interval: 30 seconds</code>
 ======Backlinks======
 [[cisco:certification_topics:ccie-ei|CCIE-EI v1.1]]\\

Tim's Technology Gauntlet Wiki

User Tools

Site Tools

Differences

Page Tools