Tuesday, January 3, 2017

L2 port security

L2 port security to mitigate CAM table overflow attack

A switch has a finite cache (the CAM table) for storing the MAC addresses of devices connected to it. This cache can be overloaded, causing MAC lookups to fail.


A switch can store MAC addresses as dynamic, static or sticky entries.

  • dynamic entries are learned automatically and stored in the table as devices are recognized
  • static MAC entries are defined manually, stored in the running configuration and written to the startup configuration with the Write Memory or Copy Running Start command
  • sticky MAC entries are dynamically learned entries that are stored in the running configuration and written to the startup configuration with the Write Memory or Copy Running Start command
  • the default number of MAC addresses learned per port is 1.
Violation actions are:
  • Protect - silently drops the offending traffic and does not report the violation
  • Restrict - drops the offending traffic and reports the violation via SNMP, syslog and counters
  • Shutdown - the default. Shuts down the port and reports the violation via SNMP, syslog and counters
  • Shutdown the VLAN - shuts down the VLAN rather than the whole port
Access and trunk ports need to be statically configured (i.e. switchport mode access or switchport mode trunk). Trunks account for more MAC entries than an access port.


Example of configuring port security on a static access port. 

The maximum number of addresses learned is 5. The aging type is set to inactivity with a time of 5 minutes, after which dynamic MAC addresses are aged out. The port violation action is restrict. A static MAC address is also configured.
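The access-port configuration that the description above calls for, written out as an added example (the original post's configuration is not on the page); the interface name GigabitEthernet0/2 and the MAC address are placeholders:

```cisco
! Assumed interface name; use the actual access port
interface GigabitEthernet0/2
 ! port security requires a statically configured access port
 switchport mode access
 switchport port-security
 ! allow up to 5 secure MAC addresses instead of the default of 1
 switchport port-security maximum 5
 ! age out dynamically learned addresses after 5 minutes without traffic
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 ! drop offending frames, keep the port up, report via SNMP/syslog/counters
 switchport port-security violation restrict
 ! one statically secured address (placeholder MAC)
 switchport port-security mac-address 0000.1111.2222
!
! Verify from privileged EXEC:
! show port-security interface GigabitEthernet0/2
! show port-security address
```

The first show command confirms the maximum, aging and violation settings and exposes the violation counter that Restrict increments; the second lists the secure addresses, so the static entry should appear there before any dynamic ones are learned.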



Result of port security violation.


Example of configuring port security on a trunk port with a maximum of 50 learned MAC addresses for VLAN 123 only.

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security maximum 50 vlan 123
 switchport port-security
