Switchport Security

Port Security

General

  • The port security configuration of a port can be viewed with:
    • switch#show port-security interface tenGigabitEthernet 1/0/1
      Port Security              : Enabled
      Port Status                : Secure-up
      Violation Mode             : Shutdown
      Aging Time                 : 1 mins
      Aging Type                 : Absolute
      SecureStatic Address Aging : Disabled
      Maximum MAC Addresses      : 1
      Total MAC Addresses        : 0
      Configured MAC Addresses   : 0
      Sticky MAC Addresses       : 0
      Last Source Address:Vlan   : 0000.0000.0000:0
      Security Violation Count   : 0

Aging Time

  • By default, secure MAC addresses will not age out.
  • To set an aging time (1-1440 minutes):
    • switch(config-if)#switchport port-security aging time ?
        <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

Aging Types

  • The Aging types are:
    • Absolute
      • The default aging type is Absolute.
      • After the secure MAC address is learned, the aging timer starts and the MAC is removed after the timer expires, even if the switch continues receiving frames from that source MAC address.
    • Inactivity
      • After the secure MAC address is learned, the aging timer starts but is reset every time a frame from that source MAC address is received on the interface.
    • The aging type is configured with:
      • switch(config-if)#switchport port-security aging type ?
          absolute    Absolute aging (default)
          inactivity  Aging based on inactivity time period

Secure MAC aging

  • Aging of secure static MAC addresses (those configured with switchport port-security mac-address <MAC>) is disabled by default.
  • It can be enabled with:
    • switch(config-if)#switchport port-security aging static

Errdisable recovery

Causes

  • A port can be placed in the err-disabled state by the following causes:
    • arp-inspection
      • Detects errors with dynamic ARP inspection.
    • bpduguard
      • Detects when a spanning-tree bridge protocol data unit (BPDU) is received on a port configured for STP PortFast.
    • dhcp-rate-limit
      • Detects an error with DHCP snooping.
    • dtp-flap
      • Detects when trunking encapsulation is changing from one type to another.
    • gbic-invalid
      • Detects the presence of an invalid GBIC or SFP module.
    • inline-power
      • Detects an error with offering PoE inline power.
    • l2ptguard
      • Detects an error with L2 Protocol Tunneling.
    • link-flap
      • Detects when the port link state is flapping between the up and down states.
    • loopback
      • Detects when an interface has been looped back.
    • pagp-flap
      • Detects when an EtherChannel bundle's ports no longer have consistent configurations.
    • pppoe-ia-rate-limit
      • Detects errors with PPPoE Intermediate Agent rate limiting.
    • psecure-violation
      • Detects conditions that trigger port security configured on a port.
    • psp
      • Detects an error related to protocol storm protection.
    • security-violation
      • Detects errors related to 802.1X security.
    • sfp-config-mismatch
      • Detects errors related to SFP config mismatches.
    • small-frame
      • Detects errors when VLAN-tagged packets are too small and arrive above a certain rate.
    • storm-control
      • Detects when a storm control threshold has been exceeded on a port.
    • udld
      • Detects when a link is seen to be unidirectional.
    • all
      • Detects every possible cause.

Configuration

  • To enable detection of all causes:
    • switch(config)#errdisable detect cause all
  • To enable detection of a single cause:
    • switch(config)#errdisable detect cause <cause name>
    • switch(config)#errdisable detect cause link-flap
  • To disable detection of all causes:
    • switch(config)#no errdisable detect cause all
  • To disable detection of a single cause:
    • switch(config)#no errdisable detect cause <cause name>
    • switch(config)#no errdisable detect cause link-flap

Recovery Options

  • To automatically recover from all error conditions:
    • switch(config)#errdisable recovery cause all
  • To automatically recover from a single error condition:
    • switch(config)#errdisable recovery cause mac-limit
  • Otherwise, to recover a port from the err-disabled state, it must be manually shut and then no shut:
    • switch(config-line)#int te 1/0/1
      switch(config-if)#shut
      *Nov 23 06:47:22.720: %LINK-5-CHANGED: Interface TenGigabitEthernet1/0/1, changed state to administratively down
      switch(config-if)#no shut
      *Nov 23 06:47:30.749: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/0/1, changed state to up

Recovery Interval

  • When recovery is enabled, the default recovery interval is 300 seconds (5 minutes).
  • The recovery interval is modified with:
    • switch(config)#errdisable recovery interval ?
        <30-86400>  timer-interval(sec)
    • switch(config)#errdisable recovery interval 30
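The following configuration is an added example (not part of the original notes) that ties the port security and errdisable sections together: an access port with inactivity aging whose shutdown violations land it in err-disabled, plus the errdisable recovery that brings it back without a manual shut/no shut. The interface, VLAN, MAC limit and timer values are assumed for illustration.

```cisco
! Added example, not part of the original notes.
! Interface name, VLAN, maximum and timers are assumed values.
!
! --- Port security on the access port ---
interface TenGigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow two dynamically learned MACs (e.g. a phone with a PC behind it);
 ! the default maximum is 1.
 switchport port-security maximum 2
 ! Inactivity aging: the 60-minute timer restarts on every frame from the
 ! secure MAC, so an active host is never flushed. With the default
 ! Absolute type the MAC would be removed after 60 minutes regardless of
 ! traffic and then relearned.
 switchport port-security aging type inactivity
 switchport port-security aging time 60
 ! Shutdown (the default violation mode) puts the port into err-disabled
 ! when a third MAC appears; "restrict" would drop the offending frames
 ! and increment the violation counter while leaving the port up.
 switchport port-security violation shutdown
!
! --- Errdisable handling for port-security violations ---
! Detection of psecure-violation is on by default; stated explicitly here.
errdisable detect cause psecure-violation
! Recover the port automatically instead of requiring shut / no shut.
errdisable recovery cause psecure-violation
! Retry after 10 minutes instead of the 300-second default (range 30-86400).
errdisable recovery interval 600
!
! Verification commands:
! show port-security interface TenGigabitEthernet1/0/1
! show port-security address
! show errdisable recovery
```

If the offending device is still attached when the interval expires, the port will recover, see the violation again and be err-disabled once more, so the Security Violation Count in show port-security interface is the quickest indicator of a repeat offender.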
