• Port security configuration on the whole switch can be viewed by.

  • switch#show port-security 
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
        Te1/0/1              1            0                  0         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 4096

• Port security configuration on a port can be viewed by.

  • switch#show port-security interface tenGigabitEthernet 1/0/1
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Shutdown
    Aging Time                 : 1 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0000.0000.0000:0
    Security Violation Count   : 0

• The Administrative Mode static access or trunk to enable port-security on a port.

  • switch#show interfaces te1/0/1 switchport
    Name: Te1/0/1
    Switchport: Enabled
    Administrative Mode: static access
    
    switch(config)#int te 1/0/1
    switch(config-if)#switchport port-security

  • switch#show interfaces te1/0/3 switchport
    Name: Te1/0/3
    Switchport: Enabled
    Administrative Mode: trunk
    
    switch(config)#int t 1/0/3
    switch(config-if)#switchport port-security

• The default of dynamic auto will result in a rejected switchport port-security command.

  • switch(config-if)#do show int t1/0/2 switchport     
    Name: Te1/0/2
    Switchport: Enabled
    Administrative Mode: dynamic auto
    
    switch(config-if)#switchport port-security
    Command rejected: TenGigabitEthernet1/0/2 is a dynamic port.

• By default, secure MAC addresses will not age out.
• To define an aging time, from 1-1440 minutes

  • switch(config-if)#switchport port-security aging time ?
      <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

• The Aging types are:
  • Absolute
    • The default aging type is Absolute.
    • After the secure MAC address is learned, the aging timer starts and the MAC is removed after the timer expires, even if the switch continues receiving frames from that source MAC address.
  • Inactivity
    • After the secure MAC address is learned, the aging timer starts but is reset every time a frame from that source MAC address is received on the interface.
  • Can be configured by.

    • switch(config-if)#switchport port-security aging type ?
        absolute    Absolute aging (default)
        inactivity  Aging based on inactivity time period

• Secure Static MAC aging is disabled by default (addresses configured with switchport port-security mac-address <MAC>.
• Can be enabled by.

  • switch(config-if)#switchport port-security aging static

• Determines how port-security will protect the port in case of a violation.
• The modes are:
  • protect
    • Discard traffic from unauthorized hosts.
    • The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices are dropped and no log entry is generated.
    • Keyword: No log entry.
  • restrict
    • The interface will remain up if more than the maximum number of addresses is learned, but traffic violating devices is dropped and a log entry is generated.
  • shutdown
    • Shutdowns the port if more than the maximum number of allowable MAC addresses are learned on the interface.
• Defined per port by.

  • switch(config-if)#switchport port-security violation ?
      protect   Security violation protect mode
      restrict  Security violation restrict mode
      shutdown  Security violation shutdown mode

• There are two type of sticky secure MAC address.
  1. An incoming packet, with a MAC address, is automatically assigned to that port.
  2. The MAC address is statically defined.
• By default, when enabled, one MAC address is allowed per port.
• Sticky secure MAC address learning can be enabled, per interface, by.

  • switch(config-if)#switchport port-security mac-address sticky ?
      H.H.H  48 bit mac address
      <cr>   <cr>

  • switch(config-if)#switchport port-security mac-address sticky 1234.1234.1234

• Sticky secure MAC address will never age out.
• If the command, switchport port-security mac-address sticky is issued, then all current dynamically-learned secure MAC addresses will be converted to sticky secure MAC addresses.
• Sticky secure MAC address learning can be disabled by.

  • no switchport port-security mac-address sticky

  • All current sticky secure MAC addresses will be converted to regular dynamically-learned secure MAC address.

• Secure MAC addresses will be added to the MAC address table like any other MAC address.
  • Sticky and Static secure MAC addresses will have a type of STATIC.
  • Dynamically-learned secure MAC addresses will have a type of DYNAMIC.
  • To view all secure MAC addresses.

    • switch#show mac address-table secure
                Mac Address Table
      -------------------------------------------
      
      Vlan    Mac Address       Type        Ports
      ----    -----------       --------    -----

• Can be caused by:
  • arp-inspection
    • Detects errors with dynamic ARP inspection.
  • bpduguard
    • Detects when a spanning-tree bridge protocol data unit (BPDU) is received on a port configured for STP PortFast.
  • dhcp-rate-limit
    • Detects an error with DHCP snooping.
  • dtp-flap
    • Detects when trunking encapsulation is changing from one type to another.
  • gbic-invalid
    • Detects the presence of an invalid GBIC or SFP module.
  • inline-power
    • Detects an error with offering PoE inline power.
  • l2ptguard
    • Detects an error with L2 Protocol Tunneling.
  • link-flap
    • Detects when the port link state is flapping between the up and down states.
  • loopback
    • Detects when an interface has been looped back.
  • pagp-flap
    • Detects when an EtherChannel bundle's ports no longer have consistent configurations.
  • pppoe-ia-rate-limit
    • Detects errors with PPPoE Intermediate Agent rate limiting.
  • psecure-violation
    • Detects conditions that trigger port security configured on a port.
  • psp
    • Detects an error related to protocol storm protection.
  • security-violation
    • Detects errors related to 802.1X security.
  • sfp-config-mismatch
    • Detects errors related to SFP config mismatches.
  • small-frame
    • Detects errors when VLAN-tagged packets are too small and arrive above a certain time.
  • storm-control
    • Detects when a storm control threshold has been exceeded on a port.
  • udld
    • Detects when a link is seen to be unidirectional.
  • all
    • Detects every possible cause.

• Are applied globally.
• To configure all causes.

  • switch(config)#errdisable detect cause all

• To configure one cause.

  • switch(config)#errdisable detect cause <cause name>

  • switch(config)#errdisable detect cause link-flap

• To disable all causes.

  • switch(config)#no errdisable detect cause all

• To disable one cause.

  • switch(config)#no errdisable detect cause <cause name>

  • switch(config)#no errdisable detect cause link-flap

• Automatically recover from all error conditions.

  • switch(config)#errdisable recovery cause all

• Automatically recover from one error condition.

  • switch(config)#errdisable recovery cause mac-limit

• Else, to recover from an errdisabled state, the port must be shut/no shut.

  • switch(config-line)#int te 1/0/1
    switch(config-if)#shut
    *Nov 23 06:47:22.720: %LINK-5-CHANGED: Interface TenGigabitEthernet1/0/1, changed state to administratively down
    switch(config-if)#no shut
    *Nov 23 06:47:30.749: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/0/1, changed state to up

• When enabled, the default recovery interval is 300 secs (5 mins)
• Modify recovery interval from 30-86400 secs (24 hrs) by

  • switch(config)#errdisable recovery interval ?
      <30-86400>  timer-interval(sec)

  • switch(config)#errdisable recovery interval 30

• View a single interface status line protocol.

  • switch#show interfaces t1/0/1 | i line protocol
    TenGigabitEthernet1/0/1 is down, line protocol is down (notconnect)

• View all interface status line protocols.

  • switch#show interfaces status err-disabled

• View all errdisable reason status' and timer.

  • switch#sh errdisable recovery 
    ErrDisable Reason            Timer Status
    -----------------            --------------
    arp-inspection               Enabled
    bpduguard                    Enabled
    channel-misconfig            Enabled
    dhcp-rate-limit              Enabled
    dtp-flap                     Enabled
    gbic-invalid                 Enabled
    inline-power                 Enabled
    l2ptguard                    Enabled
    link-flap                    Enabled
    mac-limit                    Enabled
    link-monitor-failure         Enabled
    loopback                     Enabled
    oam-remote-failure           Enabled
    pagp-flap                    Enabled
    port-mode-failure            Enabled
    pppoe-ia-rate-limit          Enabled
    psecure-violation            Enabled
    security-violation           Enabled
    sfp-config-mismatch          Enabled
    storm-control                Enabled
    udld                         Enabled
    vmps                         Enabled
    psp                          Enabled
    dual-active-recovery         Disabled
    evc-lite input mapping fa    Disabled
    
    Timer interval: 30 seconds
    
    Interfaces that will be enabled at the next timeout:

• Port security configuration for a single MAC address, from the first learned MAC address.
  1. Change port mode to access port.

     • switch(config-if)#switchport mode access

  2. Configure port security to allow first MAC that is seen connected to the port, or in the CAM table already.

     • switch(config-if)#switchport port-security mac-address sticky

  3. Configure only one MAC address to be learned.

     • switch(config-if)#switchport port-security maximum 1

  4. Configure violation mode.

     • switch(config-if)#switchport port-security violation shutdown

  5. Enable port-security (must be done).

     • switch(config-if)#switchport port-security

  6. Verify port-security configuration.

     • switch#show port-security interface t1/0/1
       Port Security              : Enabled
       Port Status                : Secure-down
       Violation Mode             : Shutdown
       Aging Time                 : 1 mins
       Aging Type                 : Inactivity
       SecureStatic Address Aging : Enabled
       Maximum MAC Addresses      : 1
       Total MAC Addresses        : 1
       Configured MAC Addresses   : 0
       Sticky MAC Addresses       : 1
       Last Source Address:Vlan   : 0000.0000.0000:0
       Security Violation Count   : 0

  7. Optional: Configure automated port recovery.

     • switch(config)#errdisable recovery cause all

  8. If no automated recovery is configured, then the port has to be shut/no shut to recover.
  9. Optional: Change recovery timer, in seconds.

     • switch(config)#errdisable recovery interval 30
       switch#show errdisable recovery | i interval
       Timer interval: 30 seconds

CCIE-EI v1.1