Switchport port-security on Routers ?

Hi All,
Wanting to restrict LAN ports on a 857 router to particular MAC addresses.
But the router doesn’t support the switchport command at all.
So I tried on the 1800 series and, though it does support "switchport", it doesn't support "switchport port-security".
Is there a particular router model that does, or any other way of implementing a solution where, if a rogue device plugs into the router, the port shuts down?
thanks,
Ivan

Hi,
Switchport port-security, as the name implies, is to be configured on a switchport. A VLAN interface on the switch is a routed interface and hence you can't apply any switchport configuration on it, and that includes port security.
HTH
Sundar

Similar Messages

  • SG-500-28P How to configure switchport port-security violation setting

    Is there a way to do switchport port-security violation {protect | restrict | shutdown} in SG-500-28P in case of a BPDU Guard violation?
    Seems like the default option is shutdown and I don't know how to change it.
    Thank you!

    Hi,
    You can recover from this violation by using the command below:
    To enable automatic re-activation of an interface after an Err-Disable shutdown, use the errdisable recovery cause Global Configuration mode command. To disable automatic re-activation, use the no form of this command.
    Syntax:
    errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | stp-bpdu-guard | loopback-detection | udld}
    no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | stp-bpdu-guard | loopback-detection | udld}
    For more information, refer to this URL, page 406:
    http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf
    regards
    Moorthy

  • Switchport port-security maximum

    I have a 4510R switch, ((cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1)).
    I'm configuring the port-security maximum using the following commands:
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    I don't know why sometimes this works and sometimes it does not.
    To solve the issue I had to use the three commands:
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    The documentation does not say anything about whether I have to use the three commands together.

    Hi,
    This is an excerpt from the Configuration Guide for your box and IOS-XE release:
    Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum. Also, the number of addresses secured on the port across all VLANs cannot exceed a maximum that is configured on the port.
    The default "switchport port-security maximum" value for the port is "1". So unless you change this value to "2" your port can sense max. 1 MAC address in either vlan "access" or "voice" ONLY without triggering a violation. This means that the total maximum number of MAC addresses allowed per all configured vlans per port equals ONE at the default only.
    I hope my English makes sense.
    Best regards,
    Antonin

  • [switchport port-security mac ] on [interface VLAN n?]

    Hello,
    Did anyone try to use the command [switchport port-security mac-address n?] on [interface VLAN n?]? (For example in a 2950.)
    I don't have the material to make that test, and I am not sure if it works or not.
    Many thanks!

    Hi,
    Switchport port-security, as the name implies, is to be configured on a switchport. A VLAN interface on the switch is a routed interface and hence you can't apply any switchport configuration on it, and that includes port security.
    HTH
    Sundar

  • NAC and switchport port-security

    Dear Friends,
    I have NAC working in Out-Of-Band Virtual Gateway mode.
    When I enable Port Security on the CAM, this doesn't work very well.
    I need to allow two MAC addresses per interface, one workstation and one phone.
    The first user is authenticated and placed in the correct VLAN according to the group. Total MAC Addresses increases for the workstation and the phone correctly.
    Switch#sh port-security interface gigabitEthernet 1/24
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 2
    Total MAC Addresses        : 2
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : fcfb.fbca.2c65:89
    Security Violation Count   : 0
    After that, if I:
    - change the user
    - bounce the interface
    - plug another workstation into the interface
    Nothing happens, and the port remains in the Access VLAN.
    Does somebody know how I can fix this problem?
    Regards

    Could you please elaborate on your question? I don't understand what's exactly the problem.

  • Port Security Sticky Addresses

    Does anyone know if there is a way to automatically clear the mac address on a switchport that has port security sticky addressing enabled. I have the following configured on the port(s):
    switchport mode access
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    spanning-tree portfast
    I can't get it to release the sticky mac-address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the mac of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
    Josh

    It is not possible to age out sticky entries.  With sticky entries, they are added to the running config.  So the only way to remove it is through editing the running config....  If you enter the "no switchport port-security mac-address sticky" interface command, then the mac addresses will be learned dynamically, and will be aged out after 1 minute of inactivity, per your config ...

  • CAM aging time VS Port-security aging time

    Hi All
    Please advise on the following:
    - Without port-security configured, MACs per interface are learnt as "Dynamic" entries and the global CAM aging timer applies (300 seconds) unless tweaked manually.
    - With switchport port-security enabled (without port-security mac-address sticky, which holds onto MACs indefinitely) I see MACs being learnt as "Secure-Dynamic" in a show port-security interface gix/x output and as "Static" in the output of show mac address-table interface gix/x.
    What I want to know is: if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too? As I see there is also an option to configure port-security mac-address aging time / type, does this overrule / take precedence over the default CAM aging timer?
    Please assist, it's not documented anywhere and it's driving me a bit nuts!
    Thanks folks

    What I want to know is: if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too?
    Any aging time you configure with port security will take precedence over the default aging time.
    See this thread for details -
    https://supportforums.cisco.com/discussion/11054341/switchport-port-security-commands-help
    Jon

  • Recommended port-security settings for ASA HA failover

    I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
    interface GigabitEthernet0/8
    description ASA-Primary-Out
    switchport access vlan 200
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 500
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
    %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.
    After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
    I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

    Hello,
    This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
    Per the port-security config guide:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
    "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
    Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
    -Mike
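    As an added illustration of the MAC-move rule Mike quotes (this is example code written for this page, not anything from the thread or from Cisco), the following Python parses %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines and flags a MAC that triggers violations on more than one port, which is what the failover swap described above looks like from the switch's side. The log lines are constructed: the hostname, sequence numbers, timestamps, the second interface and the third MAC are made up; only the message format follows the line quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines: the message text matches the one quoted in
# the thread; hostname, sequence numbers, timestamps and the other MACs/ports
# are made up for the example.
SAMPLE_LOG = """\
Mar  1 10:00:01 sw-edge1 1234: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.
Mar  1 10:00:02 sw-edge1 1235: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/9.
Mar  1 10:03:17 sw-edge1 1236: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/20.
Mar  1 10:03:18 sw-edge1 1237: %LINK-3-UPDOWN: Interface FastEthernet0/20, changed state to down
"""

# Matches the IOS message; interface names contain no '.', so the trailing
# full stop of the message is excluded from the port name.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
    r"on port (?P<port>[^\s.]+)"
)


def parse_violations(text):
    """Return a list of (mac, port) for every PSECURE_VIOLATION line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("mac").lower(), m.group("port")))
    return events


def summarize(events):
    """Count violations per port and list MACs that violated on more than one port.

    A MAC that violates on two ports is the signature of a MAC moving between
    secure ports (the ASA failover case above), as opposed to an unknown
    device plugged into a single port.
    """
    per_port = defaultdict(int)
    ports_by_mac = defaultdict(set)
    for mac, port in events:
        per_port[port] += 1
        ports_by_mac[mac].add(port)
    moved = {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}
    return dict(per_port), moved


if __name__ == "__main__":
    per_port, moved = summarize(parse_violations(SAMPLE_LOG))
    for port, n in sorted(per_port.items()):
        print(f"{port}: {n} violation(s)")
    for mac, ports in moved.items():
        print(f"MAC {mac} violated on more than one port: {', '.join(ports)}")
```

    Feeding a real syslog export through parse_violations and summarize separates the two cases an operator wants to tell apart: a single port with a growing count (an unexpected device, or the aging problem described elsewhere on this page) versus one MAC bouncing between two ports (a failover pair or a cable moved).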

  • Packet drops on 2960 with port-security enabled

    Hello,
    We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure from MAC flooding attacks:
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host are dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 1 mins
    Aging Type                 : Inactivity
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 10
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0011.aabb.ccdd:11
    Security Violation Count   : 0
    When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
    I have found similar reports and bugs for the 2950 and 3750:
    https://supportforums.cisco.com/thread/163910
    https://supportforums.cisco.com/message/89560
    https://tools.cisco.com/bugsearch/bug/CSCeg63177
    https://tools.cisco.com/bugsearch/bug/CSCec21652
    Is there anything we can do to fix this?
    Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
    Thank you.

    Hi Alioune,
    This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
    When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
    On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. The other uplinks of the VEM, i.e. those that are not acting as DR, drop received broadcast traffic on ingress to the VEM.
    The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
    Regards

  • After enabling port-security host is not reachable

    Hi, after we enable port security on the switch the host will not be reachable. Please note that we have some ports on the same switch configured for 802.1x authentication. Below is the configuration for the port:
    interface fa 0/20
    switchport mode access
    switchport access vlan 20
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    switchport port-security mac-address sticky

    hello
    Possibly too restrictive for that....can you post
    sh port-security int fa0/20
    res
    Paul

  • Implementing port security

    I have about a dozen 2960s on which I wish to implement port security. Some users tend to bring their own router and cause mayhem to the network. I've tried DHCP snooping, which doesn't seem to work, and port security testing on a few ports works well.
    What are the recommended steps? All are connected with users and all ports are already in use.
    - Some ports already have a few MAC addresses in the tables, thus I can't do an across-the-board implementation of, say, "switchport port-security maximum 3".
    - It's tedious to go switch by switch, port by port.
    - Is there any mechanism that can convert sticky to static: use "switchport port-security mac-address sticky" first, then convert them to static, since the network is OK now?

    The poster above raised some excellent points about an "IT Acceptable Use Policy". I wouldn't want people allowed to bring in random network equipment and just plug it in all willy-nilly.
    With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch to not insert the option to begin with in DHCP Discover packets.
    When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP-assigned IP address and the MAC address assigned to each port.
    If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
    It sounds like you may have a hard time, since they don't seem to really care about security at this place.
    Personally, if it were me, all ports would have BPDU Guard at a minimum. You can always set up 'errdisable recovery' to deal with the recovery of ports that have been disabled automatically.

  • Scope of port security

    Hi,
    I experienced a scenario recently where port security was enabled on a switch allowing 3 MAC addresses on a port with sticky. The physical setup was Switch>>media converter>>IP phone>>Laptop.
    Port one had this equipment already in situ and we wanted to add another laptop to the domain.
    We connected a 2nd laptop to port one and successfully joined the domain.
    We did not set up port security on port 2. Upon connecting a new IP phone to port 2, and then moving the 2nd laptop to port 2 also, the phone worked but laptop 2 did not.
    We found that for the laptop to work on port 2 we had to flush port 1.
    My question is.. Is this default behaviour? May a MAC address only exist on one port as far as port security is concerned? Or might the use of the media converter have stopped the port from recognising the disconnection of the laptop perhaps?
    Cheers
    Dave

    Hi David Imrie
    You have to check the configuration of your switch interface, probably  a switch's  port dynamically learned a MAC address with the “switchport port-security mac-address sticky” command and does not allow another port learn the MAC address, I recommend you to use the  “mac-address-table static 0000.1111.2222 vlan x interface fastethernet 0 / x”  command to be assigned statically.
    You should also check that the “switchport port-security” command is configured on each interface of the switch, because without that no “port-security command” will work.
    IP phones sometimes have multiple MAC addresses assigned, and sometimes this causes problems with networks like yours >> Switch >> IP phone media converter >> Laptop. To solve this problem, change the maximum allowed MAC addresses, adding one to the maximum allowed
    For example if the maximum is 2,  change to 3
    Switchx(config-if)# switchport port-security maximum 2
    Switchx(config-if)# no switchport port-security maximum 2
    Switchx(config-if)# switchport port-security maximum 3
    If these solutions do not fix your problem, send me your switch configuration or
    If this answer was satisfactory for you, please mark the question as Answered.
    Thank you
    Greetings, Johnnatan Rodriguez Miranda.

  • Enable port security between Two switches

    Hi Everyone,
    I connected two switches together via the config below:
    Switch A
    int gi0/1
    switchport mode access
    switchport access vlan 10
    Switch B
    int gi0/1
    switchport mode access
    switchport access vlan 10
    They work fine with the above config.
    I did the test below.
    However, when I changed the config of Switch B as below:
    int gi0/1
    switchport mode access
    switchport access vlan 10
    switchport port-security
    Switch B is unable to ping its default gateway.
    Also Switch B is not reachable via SSH.
    Port is up/up and in STP forwarding state.
    Switch B can see Switch A as a neighbour.
    I know that switchport port-security is used only when connecting to a PC.
    So does this mean that in the above scenario layer 1 and layer 2 are up, but layer 3 and above are not reachable, like ping, SSH etc.?
    Regards
    Mahesh

    I was just trying to see how the switches behave with this config. Nothing much, just exploring the options in the network world.
    Ideally if you want to connect two switches together in Layer 2, Dot1Q trunking is the way to go.  You do not want to put port security because it is useless. 

  • HP 3800 switch port-security one mac in two VLAN for Cisco IP Phone

    Hello all!
    I want to use port-security for ports on my HP 3800. But the PC is connected
    to the network via the PC port on a Cisco IP phone. For the phone, voice VLAN 10 is used;
    for data, VLAN 1 (native). The Cisco phone adds its own MAC address in these
    two VLANs. On a Cisco 2960 switch I resolved this with 4 commands:
    switchport port-security maximum 3
    switchport port-security mac-address pc_mac
    switchport port-security mac-address ip_phone_mac
    switchport port-security mac-address ip_phone_mac vlan voice
    How can I add one MAC in two VLANs on an HP 3800 switch?
    Sorry for my English, please ^_^
    This topic first appeared in the Spiceworks Community

    Hi Kuarzo, please reference the following;
    https://supportforums.cisco.com/document/116426/how-configure-dynamic-mac-port-security-sx300
    https://supportforums.cisco.com/document/116256/how-configure-static-mac-port-security-sx300

  • Port Security

    I had configured this, but when I plug in another machine with a different MAC, how come it is still able to access the network?
    interface FastEthernet0/22
    switchport mode access
    switchport protected
    switchport port-security
    switchport port-security maximum 22
    switchport port-security violation restrict
    switchport port-security mac-address 0060.97ed.6092
    Switch_242#show port interface fastEthernet 0/22 address
    Secure Mac Address Table
    Vlan  Mac Address     Type              Ports   Remaining Age (mins)
    1     0060.97ed.6092  SecureConfigured  Fa0/22  -
    Total Addresses: 1

    Hello,
    you are allowing a maximum of 22 MAC addresses on the port:
    switchport port-security maximum 22
    But you have only configured one secure MAC address:
    switchport port-security mac-address 0060.97ed.6092
    If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. In order to actually allow only one MAC address on the port, remove the statement 'switchport port-security maximum 22'.
    HTH,
    GP
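    GP's answer above, Antonin's excerpt on per-VLAN maxima in the "Switchport port-security maximum" message, and Mike's note on a MAC moving between secure ports in the ASA failover message all describe the same counting rules. The following Python model, an added example and not code from the thread or from Cisco, applies those rules to a few constructed frames so the outcomes can be checked: a statically configured MAC below the port maximum leaves room for dynamic learning, the default maximum of 1 combined with "maximum 1 vlan access" and "maximum 1 vlan voice" causes a violation on the second MAC, and a MAC already secured on one port appearing on a second secure port is a violation. The class and function names are invented, VLAN labels are opaque strings, and aging and sticky addresses are not modelled.

```python
from dataclasses import dataclass, field

PORT_MAX_DEFAULT = 1  # IOS default for "switchport port-security maximum"


@dataclass
class SecurePort:
    """One interface with 'switchport port-security' enabled (model, not IOS)."""
    name: str
    maximum: int = PORT_MAX_DEFAULT
    vlan_maximum: dict = field(default_factory=dict)  # vlan -> "maximum N vlan X"
    configured: set = field(default_factory=set)      # (mac, vlan) from "mac-address X"
    learned: set = field(default_factory=set)         # (mac, vlan) learned dynamically
    violations: int = 0

    def secure(self):
        """All secure MACs on the port: static entries plus dynamic ones."""
        return self.configured | self.learned

    def effective_vlan_max(self, vlan):
        """Per-VLAN limit is the lesser of the VLAN maximum and the port maximum."""
        return min(self.vlan_maximum.get(vlan, self.maximum), self.maximum)


class Switch:
    """Holds the secure ports and decides what happens to a frame's source MAC."""

    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port
        return port

    def frame(self, port_name, mac, vlan):
        """Return 'forward' or 'violation' for a frame with this source MAC."""
        port = self.ports[port_name]
        key = (mac.lower(), vlan)
        if key in port.secure():
            return "forward"  # already secured on this port
        # A MAC secured on another secure port must not show up here
        # (the MAC-move rule quoted from the configuration guide).
        if any(key in other.secure() for other in self.ports.values() if other is not port):
            port.violations += 1
            return "violation"
        # Otherwise learn it dynamically, unless the per-VLAN or the per-port
        # limit is already reached; static entries count against both.
        in_vlan = sum(1 for _, v in port.secure() if v == vlan)
        if in_vlan >= port.effective_vlan_max(vlan) or len(port.secure()) >= port.maximum:
            port.violations += 1
            return "violation"
        port.learned.add(key)
        return "forward"


def scenario_vlan_maximum(port_maximum):
    """'maximum 1 vlan access' + 'maximum 1 vlan voice' with the given port maximum."""
    sw = Switch()
    port = sw.add_port(SecurePort("Fa0/20", maximum=port_maximum,
                                  vlan_maximum={"access": 1, "voice": 1}))
    pc = sw.frame("Fa0/20", "0011.aabb.0001", "access")   # constructed MACs
    phone = sw.frame("Fa0/20", "0011.aabb.0002", "voice")
    return pc, phone, port.violations


def scenario_partial_static(port_maximum):
    """One 'mac-address' entry on a port whose maximum may be larger than 1."""
    sw = Switch()
    port = sw.add_port(SecurePort("Fa0/22", maximum=port_maximum))
    port.configured.add(("0060.97ed.6092", 1))           # the MAC from the question
    verdict = sw.frame("Fa0/22", "0000.0000.beef", 1)    # some other machine (constructed)
    return verdict, len(port.learned)


def scenario_mac_move():
    """The same MAC (ASA failover style) appearing on a second secure port."""
    sw = Switch()
    sw.add_port(SecurePort("Gi0/8", maximum=2))
    sw.add_port(SecurePort("Gi0/9", maximum=2))
    first = sw.frame("Gi0/8", "aaaa.bbbb.cccc", 200)
    moved = sw.frame("Gi0/9", "aaaa.bbbb.cccc", 200)
    return first, moved


if __name__ == "__main__":
    print("vlan maxima, port max 1:", scenario_vlan_maximum(1))
    print("vlan maxima, port max 2:", scenario_vlan_maximum(2))
    print("maximum 22, one static:", scenario_partial_static(22))
    print("default max, one static:", scenario_partial_static(PORT_MAX_DEFAULT))
    print("mac move:", scenario_mac_move())
```

    The point GP makes shows up directly in scenario_partial_static: with "maximum 22" the second machine is learned and forwarded, while at the default maximum of 1 the single static entry fills the port and the second machine is a violation. Before trusting a port-security design, compare the configured maximum with the number of static entries, and for voice ports remember that the per-VLAN maxima are capped by the port maximum, so the port maximum must be raised to at least the sum you expect.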
