Answers: Basic Port Security 1

certskills
By certskills January 27, 2012 11:29

Port security is one of those features for which CCENT and CCNA candidates tend to forget the details of the commands. This latest lab exercise gives you a chance to practice port security configuration on six ports, but with different combinations of requirements. As usual, try the lab yourself first, and then check here for the answers.

Problem 1 Review, Switch SW1

To get things started, go back and check the original problem post for the details. For quick reference, Figure 1 repeats the topology, Table 1 repeats the requirements, and the notes just before the table list the MAC addresses.

Figure 1 – Lab Topology

MAC Addresses:

The MAC addresses of the six PCs should be considered to be eight hex zeros followed by four digits matching the PC’s number. E.g., PC1’s MAC is 0000.0000.1111; PC2’s is 0000.0000.2222, and so on.

Table 1: Configuration Combinations

                          PC1    PC2    PC3    PC4    PC5    PC6
Number of MACs            1      1      2      2      3      3
Dynamically learn MAC?    Y      N      Y      Y      N      Y
Sticky?                   N      N      Y      N      N      Y
Violation mode            Shut.  Prot.  Rest.  Shut.  Prot.  Rest.

(Shut. = shutdown, Prot. = protect, Rest. = restrict)

Answers

The configurations for Problem 1 on both SW1 and SW2 are listed below.

Example 1: SW1 New Config

Example 2: SW2 Config
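The Example 1 and Example 2 configurations were images and are not reproduced here. As an added example (not the author’s Example 1 or 2), the following shows one way to meet the Table 1 requirements, assuming all six PCs connect to a single switch and that PCn is on interface FastEthernet0/n (the comments below refer to F0/2 and F0/5 in that way):

```cisco
! Added example (not the page's Example 1/2). Assumes PCn is on F0/n.
! PC1: max 1, learn dynamically, no sticky, violation shutdown
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! PC2: max 1, MAC configured statically, violation protect
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.2222
 switchport port-security violation protect
!
! PC3: max 2, sticky learning, violation restrict
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! PC4: max 2, learn dynamically, no sticky, violation shutdown
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! PC5: max 3, PC5's MAC configured statically, violation protect.
! Only one MAC is known, so with maximum 3 IOS still learns up to
! two more addresses from incoming frames on this port; Table 1's
! "N" means the MAC is set statically, not that learning is disabled.
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0000.0000.5555
 switchport port-security violation protect
!
! PC6: max 3, sticky learning, violation restrict
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict
```

The maximum 1 and violation shutdown lines are the IOS defaults and are shown only for clarity. Verify the result with show port-security interface FastEthernet0/5 and show port-security address.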


16 Comments

  1. sharadvas March 22, 10:04

    I have a doubt here:
    Going by the answer config here, for a dynamically learned MAC, specifying a MAC address is not required. However, in the ICND1 book this is not termed an optional parameter for configuring port security (pg. 259).
    Also, the “port-security dynamic sticky” command is nowhere mentioned.
    Do these need to be updated (I have the 3rd ed.)?

    Please clarify. Is there anything specific about this concept that we need to know further, as it is not mentioned in book.

    Reply to this comment
  2. Wendell Odom of Certskills March 26, 11:46

    Howdy,
    Yep, I see what you mean. Step 5A on page 259 isn’t required. I’ll look at adding an errata entry to that effect. Briefly, yes, you can configure port security and not specify the MAC address.

    Also, on the “sticky” option, it’s actually in the example on page 260, and explained following the example.

    Finally, on scope (what is/isn’t on the exam), I can’t comment specifically (actually, no one can) due to NDA rules. But I can say that if we think it’s on an exam, we put it in the corresponding book.
    Thanks,
    Wendell

    Reply to this comment
  3. sharadvas March 27, 10:50

    Thanks… actually I meant the ‘switchport port-security dynamic sticky’ command… but, anyway, I got the concept…

    Reply to this comment
  4. Joey September 25, 01:42

    Just a quick comment. I think what the OP meant was that “switchport port-security dynamic sticky” is not a real command. I believe the command is “switchport port-security mac-address sticky”, which is maybe why he’d have trouble. Anyway, it’s properly in the 100-105 book; I just thought you’d like to edit the typo for the lab.

    Reply to this comment
  5. Bav May 11, 15:59

    Just tried this and all correct 1st time. Good way to sign off the day. Bedtime.

    Reply to this comment
  6. adrikayak July 18, 13:27

    How can one prevent MAC addresses from being learned dynamically? I can’t really see how this is achieved for f0/5. I just see how you fix one of the 3 possible MAC addresses with the “switchport port-security mac-address 0000.0000.5555” command. Isn’t the hypothetical 0000.0000.7777 MAC address going to be dynamically (and temporarily) learned if I unplug PC6 and plug PC7 in?

    I understand that this is achieved for f0/2, since the only possible MAC address is “filled” with the “switchport port-security mac-address 0000.0000.2222” command and no other MAC address can be added to the MAC address table, but I can’t really see it for f0/5.

    Could you shed some light on this?

    Reply to this comment
    • adrikayak July 18, 13:36

      I might have complicated a bit the original purpose of the question: did you rather simply mean “dynamically learn” the plugged PC’s MAC address?

      Reply to this comment
      • CCENTSkills July 21, 09:48

        Hi Adrikayak,
        It’s a problem both simpler and more obscure.
        As for the requirements, by “dynamically learn MAC” I meant that phrasing to refer to the fact that you do not have to statically configure the MAC address in the port security config. That is, port security will learn the MACs based on the source MAC of the incoming frames.

        I now see that could be slightly confusing, given the following…

        IOS will not display the MAC addresses associated with a port with port security in the output of “show mac address-table dynamic”. That is, the command keyword “dynamic” refers to normal switch MAC learning only, and not to whatever port security does. You’d need to use “show mac address-table static” or “secure” to see the MACs on ports that have port security configured, or just omit that last parameter (“show mac address-table”).

        See page 207-208 in the ICND1 100-105 book for a specific example.

        Hope this helps…
        Wendell

        Reply to this comment
  7. Elad November 16, 20:22

    The practical difference between the default switch port security behaviour (dynamic) and sticky is a bit obscure and confusing. From my understanding, the only difference is that sticky will write the dynamically learned MAC address(es) into the running-config. But for what practical purpose?? Just so that the switch won’t have to re-learn those MAC addresses dynamically after being reloaded (and only IF you copied the running-config to startup-config).

    Reply to this comment
    • CCENTSkills November 21, 13:09

      Elad,
      Yep, that’s what it’s for. That way you don’t have to know the MACs that exist in the network ahead of time. Just turn on port security with sticky, discover them, then copy run start to save them.
      Wendell

      Reply to this comment
  8. MorganScott March 18, 20:53

    Just wanted to take a moment and say thank you for the time and effort you put into building and participating in this great resource. This, along with Packet Tracer, has given me the chance to start some hands-on practice of the concepts learned in a CCENT video series I recently completed. The hands-on lab practice makes the learning far more fun and really helps me to understand and commit to memory the CLI commands. I may or may not move forward with CCENT certification, but this is definitely going to be a step in my path either way. Thank you.

    Reply to this comment
  9. Eddy April 27, 09:55

    Hey Wendell! First comment here, love your book and the added labs, I feel like I am really grasping the concepts.

    Can you elaborate a little bit on the “sticky” command? Namely:

    _ If I *switchport port-security mac-address sticky*, then unplug the end device and plug in another, the switch is gonna let traffic flow because it’s gonna learn the new MAC address and sticky that last one, right? It seems counter-intuitive to me, because it doesn’t really do much in the way of security.

    _ If I *switchport port-security mac-address sticky*, then *copy run start*, what’s gonna be written in the startup-config? Is it going to be *switchport port-security mac-address sticky* or *switchport port-security mac-address xxxx.xxxx.xxxx*? My guess is that it’s gonna be the second, thus providing the security that should come from such a command, from the moment we *reload* onward.

    Thank you so much for your time and patience!

    Reply to this comment
    • CCENTSkills April 27, 13:09

      Hi Eddy,
      You’re very welcome!
      To your specific points:
      1) Yes, you summarized the behavior correctly. I agree, in that sequence, it does not help with security! That’s not how you’d use it.
      2) Your 2nd part of “what happens” is what happens, that is, the specific MAC address is stored. That’s basically how to use sticky. You configure sticky, it learns the actual MACs, then copy run start to save the actual MACs used. By doing so, you learn what MACs exist, without having to use some other means to learn them. Of course, if an attacker happens along when that initial learning happens with sticky, that’s a hole in the process.
      Hope this helps!
      Wendell

      Reply to this comment