cisco:certification_topics:ccie-ei:1.1.aii
cisco:certification_topics:ccie-ei:1.1.aii [2025/11/23 15:31] Namecisco:certification_topics:ccie-ei:1.1.aii [2025/11/23 17:11] (current) Name
Line 26: Line 26:
 Last Source Address:Vlan   : 0000.0000.0000:0 Last Source Address:Vlan   : 0000.0000.0000:0
 Security Violation Count   : 0</code> Security Violation Count   : 0</code>
 +====Administrative Mode====
 +  * The Administrative Mode **static access** or **trunk** to enable port-security on a port.
 +    * <code>switch#show interfaces te1/0/1 switchport
 +Name: Te1/0/1
 +Switchport: Enabled
 +Administrative Mode: static access
  
 +switch(config)#int te 1/0/1
 +switch(config-if)#switchport port-security</code>
 +    * <code>switch#show interfaces te1/0/3 switchport
 +Name: Te1/0/3
 +Switchport: Enabled
 +Administrative Mode: trunk
 +
 +switch(config)#int t 1/0/3
 +switch(config-if)#switchport port-security</code>
 +  * The default of **dynamic auto** will result in a rejected **switchport port-security** command.
 +    * <code>switch(config-if)#do show int t1/0/2 switchport     
 +Name: Te1/0/2
 +Switchport: Enabled
 +Administrative Mode: dynamic auto
 +
 +switch(config-if)#switchport port-security
 +Command rejected: TenGigabitEthernet1/0/2 is a dynamic port.</code>
 ====Aging Time==== ====Aging Time====
   * By default, secure MAC addresses will not age out.   * By default, secure MAC addresses will not age out.
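Review bot: the Administrative Mode bullet is missing its verb; it should read "The Administrative Mode must be **static access** or **trunk** to enable port-security on a port", which is exactly what the third example demonstrates with `Command rejected: TenGigabitEthernet1/0/2 is a dynamic port.` on the dynamic auto interface. A small style point in the same hunk: the interface abbreviations are inconsistent (`int te 1/0/1` in the first example, `int t 1/0/3` in the second); using one form keeps the examples copy-pasteable.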
Line 48: Line 71:
   * Can be enabled by.   * Can be enabled by.
     * <code>switch(config-if)#switchport port-security aging static</code>     * <code>switch(config-if)#switchport port-security aging static</code>
 +====Violation Modes====
 +  * Determines how port-security will protect the port in case of a violation.
 +  * The modes are:
 +    * protect
 +      * Discard traffic from unauthorized hosts.
 +      * The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices are dropped and no log entry is generated.
 +      * Keyword: No log entry.
 +    * restrict
 +      * The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices is dropped and a log entry is generated.
 +    * shutdown
 +      * Shutdowns the port if more than the maximum number of allowable MAC addresses are learned on the interface.
 +  * Defined per port by.
 +    * <code>switch(config-if)#switchport port-security violation ?
 +  protect   Security violation protect mode
 +  restrict  Security violation restrict mode
 +  shutdown  Security violation shutdown mode</code>
 +  
 +=====Sticky MAC addresses=====
 +====General====
 +  * There are two type of sticky secure MAC address.
 +    - An incoming packet, with a MAC address, is automatically assigned to that port.
 +    - The MAC address is statically defined.
 +  * By default, when enabled, one MAC address is allowed per port.
 +  * Sticky secure MAC address learning can be enabled, per interface, by.
 +    * <code>switch(config-if)#switchport port-security mac-address sticky ?
 +  H.H.H  48 bit mac address
 +  <cr>   <cr></code>
 +    * <code>switch(config-if)#switchport port-security mac-address sticky 1234.1234.1234</code>
 +  * Sticky secure MAC address will never age out.
 +  * If the command, **switchport port-security mac-address sticky** is issued, then all current dynamically-learned secure MAC addresses will be converted to sticky secure MAC addresses.
 +  * Sticky secure MAC address learning can be disabled by.
 +    * <code>no switchport port-security mac-address sticky</code>
 +    * All current sticky secure MAC addresses will be converted to regular dynamically-learned secure MAC address.
 +====Types====
 +  * Secure MAC addresses will be added to the MAC address table like any other MAC address.
 +    * Sticky and Static secure MAC addresses will have a type of STATIC.
 +    * Dynamically-learned secure MAC addresses will have a type of DYNAMIC.
 +    * To view all secure MAC addresses.
 +      * <code>switch#show mac address-table secure
 +          Mac Address Table
 +-------------------------------------------
 +
 +Vlan    Mac Address       Type        Ports
 +----    -----------       --------    -----</code>
  
  
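Review bot: the violation-mode descriptions have agreement errors and leave out the consequence of shutdown mode: "traffic violating devices are dropped" (protect) and "traffic violating devices is dropped" (restrict) should both read "traffic from violating devices is dropped", "Shutdowns the port" should be "Shuts down the port", and the shutdown bullet should state that the port is placed in the err-disabled state, since the Recovery Options section later in this diff ("to recover from an errdisabled state, the port must be shut/no shut") depends on that. Under Types, the `show mac address-table secure` output contains only the column headers, so it does not illustrate the STATIC versus DYNAMIC distinction stated directly above it; capturing it from a port holding one sticky and one dynamically learned address would make the point. Also, "two type of sticky secure MAC address" should be "two types".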
Line 94: Line 161:
  
 ====Configuration===== ====Configuration=====
-  * To configure all causes+  * Are applied globally. 
 +  * To configure all causes.
     * <code>switch(config)#errdisable detect cause all</code>       * <code>switch(config)#errdisable detect cause all</code>  
-  * To configure one cause+  * To configure one cause.
     * <code>switch(config)#errdisable detect cause <cause name></code>     * <code>switch(config)#errdisable detect cause <cause name></code>
     * <code>switch(config)#errdisable detect cause link-flap</code>     * <code>switch(config)#errdisable detect cause link-flap</code>
-  * To disable all causes+  * To disable all causes.
     * <code>switch(config)#no errdisable detect cause all</code>     * <code>switch(config)#no errdisable detect cause all</code>
-  * To disable one cause+  * To disable one cause.
     * <code>switch(config)#no errdisable detect cause <cause name></code>     * <code>switch(config)#no errdisable detect cause <cause name></code>
     * <code>switch(config)#no errdisable detect cause link-flap</code>     * <code>switch(config)#no errdisable detect cause link-flap</code>
 ====Recovery Options===== ====Recovery Options=====
-  * Automatically recover from all error conditions+  * Automatically recover from all error conditions.
     * <code>switch(config)#errdisable recovery cause all</code>     * <code>switch(config)#errdisable recovery cause all</code>
-  * Automatically recover from one error condition+  * Automatically recover from one error condition.
     * <code>switch(config)#errdisable recovery cause mac-limit</code>     * <code>switch(config)#errdisable recovery cause mac-limit</code>
   * Else, to recover from an errdisabled state, the port must be shut/no shut.   * Else, to recover from an errdisabled state, the port must be shut/no shut.
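Review bot: "Are applied globally." is a fragment with no subject; since every command in this section sits at the `switch(config)#` prompt, it should read "errdisable detect and recovery causes are applied globally, not per interface". The cause chosen for the single-cause recovery example (`mac-limit`) is not the one raised by a port-security violation; the relevant cause for this topic is `psecure-violation`, which appears in the `show errdisable recovery` output in the Verification section further down, so using it here would tie the two sections together.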
Line 118: Line 186:
 ====Recovery Interval===== ====Recovery Interval=====
   * When enabled, the default recovery interval is 300 secs (5 mins)   * When enabled, the default recovery interval is 300 secs (5 mins)
-  * Modify recovery interval by+  * Modify recovery interval from 30-86400 secs (24 hrs) by
     * <code>switch(config)#errdisable recovery interval ?     * <code>switch(config)#errdisable recovery interval ?
   <30-86400>  timer-interval(sec)</code>   <30-86400>  timer-interval(sec)</code>
     * <code>switch(config)#errdisable recovery interval 30</code>     * <code>switch(config)#errdisable recovery interval 30</code>
  
 +====Verification====
 +  * View a single interface status line protocol.
 +    * <code>switch#show interfaces t1/0/1 | i line protocol
 +TenGigabitEthernet1/0/1 is down, line protocol is down (notconnect)</code>
 +  * View all interface status line protocols.
 +    * <code>switch#show interfaces status err-disabled</code>
 +  * View all errdisable reason status' and timer.
 +    * <code>switch#sh errdisable recovery 
 +ErrDisable Reason            Timer Status
 +-----------------            --------------
 +arp-inspection               Enabled
 +bpduguard                    Enabled
 +channel-misconfig            Enabled
 +dhcp-rate-limit              Enabled
 +dtp-flap                     Enabled
 +gbic-invalid                 Enabled
 +inline-power                 Enabled
 +l2ptguard                    Enabled
 +link-flap                    Enabled
 +mac-limit                    Enabled
 +link-monitor-failure         Enabled
 +loopback                     Enabled
 +oam-remote-failure           Enabled
 +pagp-flap                    Enabled
 +port-mode-failure            Enabled
 +pppoe-ia-rate-limit          Enabled
 +psecure-violation            Enabled
 +security-violation           Enabled
 +sfp-config-mismatch          Enabled
 +storm-control                Enabled
 +udld                         Enabled
 +vmps                         Enabled
 +psp                          Enabled
 +dual-active-recovery         Disabled
 +evc-lite input mapping fa    Disabled
 +
 +Timer interval: 30 seconds
 +
 +Interfaces that will be enabled at the next timeout:</code>
  
 +=====Switchport Security Configuration=====
 +  * Port security configuration for a single MAC address, from the first learned MAC address.
 +    - Change port mode to access port.
 +      * <code>switch(config-if)#switchport mode access</code>
 +    - Configure port security to allow first MAC that is seen connected to the port, or in the CAM table already.
 +      * <code>switch(config-if)#switchport port-security mac-address sticky</code>
 +    - Configure only one MAC address to be learned.
 +      * <code>switch(config-if)#switchport port-security maximum 1</code>
 +    - Configure violation mode.
 +      * <code>switch(config-if)#switchport port-security violation shutdown</code>
 +    - Enable port-security (must be done).
 +      * <code>switch(config-if)#switchport port-security</code>
 +    - Verify port-security configuration.
 +      * <code>switch#show port-security interface t1/0/1
 +Port Security              : Enabled
 +Port Status                : Secure-down
 +Violation Mode             : Shutdown
 +Aging Time                 : 1 mins
 +Aging Type                 : Inactivity
 +SecureStatic Address Aging : Enabled
 +Maximum MAC Addresses      : 1
 +Total MAC Addresses        : 1
 +Configured MAC Addresses   : 0
 +Sticky MAC Addresses       : 1
 +Last Source Address:Vlan   : 0000.0000.0000:0
 +Security Violation Count   : 0</code>
 +    - Optional: Configure automated port recovery.
 +      * <code>switch(config)#errdisable recovery cause all</code>
 +    - If no automated recovery is configured, then the port has to be **shut/no shut** to recover.
 +    - Optional: Change recovery timer, in seconds.
 +      * <code>switch(config)#errdisable recovery interval 30
 +switch#show errdisable recovery | i interval
 +Timer interval: 30 seconds</code>
  
 ======Backlinks====== ======Backlinks======
 [[cisco:certification_topics:ccie-ei|CCIE-EI v1.1]]\\  [[cisco:certification_topics:ccie-ei|CCIE-EI v1.1]]\\ 
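Review bot: the `show port-security interface t1/0/1` output in the Switchport Security Configuration procedure does not match the steps listed above it: it shows `Aging Time : 1 mins`, `Aging Type : Inactivity` and `SecureStatic Address Aging : Enabled`, but none of the numbered steps configure aging, and the Aging Time section states that secure MAC addresses do not age out by default and that static aging must be enabled explicitly. Either add the aging commands as an optional step or recapture the output from a port configured exactly as the steps describe. Smaller points in the same hunk: "Modify recovery interval from 30-86400 secs (24 hrs) by" should end with a period like the bullets fixed in the previous hunk, "errdisable reason status' and timer" should be "statuses", and the final code block mixes the `switch(config)#` and `switch#` prompts without showing the `end` between them.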
cisco/certification_topics/ccie-ei/1.1.aii.1763911916.txt.gz · Last modified: by Name