PortSec_Labbing

Again, this will be a CCNA level review of configuration, verification, and behaviors when things are working and not working, so if you already know this ironclad then skip forward, but if you're rusty you may want to stick around.

(Errdisable auto recovery will be covered at the very bottom of this post!)

First, for any port level labs it's almost impossible to work with the ports open, so I shut them down until the configuration is complete. That is why you will see "no shut" and then sparks flying everywhere as the port comes back to life in the following examples.

I will be trying to rip through this post quickly with most labbing and less explanation, so any questions please comment below and I will get to them, thanks!

Important to note – “switchport port-security” must first be enabled to turn on Port-Security in general before making any of the following changes seen below!

Configuring Static Mac-Addresses for Fa1/0/1

To note, I do shut down ports before working with port security commands so an ARP request doesn't start the party off early on me, so when you see "no shut" the interface is coming back up and learning Host A's information for the first time.

We know the default MaxSecureAddr is 1, so I'll add a single static address (aaaa.aaaa.aaaa, not a real host) and "no shut" the port to see how things are looking:

SW1(config)#int fa1/0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port mac ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky

SW1(config-if)#switchport port mac aaaa.aaaa.aaaa ?
vlan set VLAN ID of the VLAN on which this address can be learned
<cr>

SW1(config-if)#switchport port mac aaaa.aaaa.aaaa
SW1(config-if)#
SW1(config-if)#no shut
SW1(config-if)#
*Mar 1 00:23:31.626: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
*Mar 1 00:23:32.633: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
SW1(config-if)#
*Mar 1 00:23:55.139: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/1, putting Fa1/0/1 in err-disable state
SW1(config-if)#
*Mar 1 00:23:55.156: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.f797.f14b on port FastEthernet1/0/1.
SW1(config-if)#
*Mar 1 00:23:56.154: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
SW1(config-if)#
*Mar 1 00:23:57.153: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
SW1(config-if)#

It comes back up just long enough to receive an ARP that is not from aaaa.aaaa.aaaa, and because the default violation action is "Shutdown" it puts the port in err-disable mode.

Some verifications of this:

(I apologize, I do not have the time tonight to spend hours reformatting these tables as they don’t format well pasting from CLI, so I will color code values to demonstrate)

“sh int fa1/0/1” :

SW1#sh int fa1/0/1
FastEthernet1/0/1 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 1ce6.c7c1.c803 (bia 1ce6.c7c1.c803)

SW1#sh port
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
   Fa1/0/1             1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

So it now shows we have 1 Max, 1 Current, and 1 Sec Violation that is in Shutdown mode!

The “Secure MAC Address” table output:

SW1#sh port add
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    aaaa.aaaa.aaaa    SecureConfigured              Fa1/0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

The two values I really want to point out are the Type showing SecureConfigured rather than SecureDynamic (the default), and that the MAC address shown is the statically configured address rather than the actual device's MAC address that caused the err-disable.

Now for the port security interface table:

SW1#sh port int fa1/0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001e.f797.f14b:1
Security Violation Count : 1

SW1#

I could just about highlight all of that output blue for importance. It shows us the port is Secure-shutdown, the Violation Mode indicates "Shutdown" as its action, the Maximum and Configured MAC Addresses (statically set MAC addresses) are both 1, but oddly it STILL shows the Last Source Address:Vlan as the one that put it into err-disable!

That is what you call a very important detail for exam day.

So I will keep the ball rolling by increasing the default maximum number of secure MAC addresses and see what happens!

Increasing the Max allowed Secure MAC Addresses to solve our problem

To see if it will allow the Dynamic (actual) MAC of the Host A to come in with the statically configured MAC, I issued the following:

SW1(config)#int fa1/0/1
SW1(config-if)#switchport port ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>

SW1(config-if)#switchport port max ?
<1-6144> Maximum addresses

SW1(config-if)#switchport port max 2 ?
vlan Max secure addresses per vlan
<cr>

SW1(config-if)#switchport port max 2
SW1(config-if)#shut
SW1(config-if)#
*Mar 1 00:48:44.201: %LINK-5-CHANGED: Interface FastEthernet1/0/1, changed state to administratively down
SW1(config-if)#no shut
SW1(config-if)#
*Mar 1 00:48:52.061: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
*Mar 1 00:48:53.085: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
SW1(config-if)#

Remember you have to shut / no shut to clear the err-disable (for now), and once it came back up I waited a couple of minutes with no fireworks, so let's verify!

Now to verify starting with “sh int fa1/0/1” :

SW1#sh int fa1/0/1
FastEthernet1/0/1 is up, line protocol is up (connected)

Looking good.

“sh port add” (Secure MAC Table) :

SW1#sh port add
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    001e.f797.f14b    SecureDynamic                 Fa1/0/1        -
   1    aaaa.aaaa.aaaa    SecureConfigured              Fa1/0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

Co-existing in sweet harmony, can't we all? Note that one is SecureDynamic and the other is SecureConfigured, but both are allowed to use interface Fa1/0/1!

Now the “sh port” table to see if that violation cleared:

SW1#sh port
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
   Fa1/0/1             2            2                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

I won't go crazy highlighting stuff, but we now see the Max / Current MAC address counts are both 2, and clearing the err-disable mess actually turned the Violation count back to 0.

So an important note from this: if you have any number in that violation count other than 0, there is a Port-Security related problem on one of your switchports!

Onto verifying what we see with “sh port int fa1/0/1” :

SW1#sh port int fa1/0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001e.f797.f14b:1
Security Violation Count : 0

SW1#

So we see Secure-up, which is good as the Violation Mode is Shutdown; Maximum and Total MAC Addresses again are 2; Configured still shows 1 (it will always be however many are statically configured); and again the Last Source Address is from the ARP we got from Host A when re-opening the port.

So now that we have beaten that horse to death, let's take a look at sticky addresses!

Sticky MAC Address Configuration and Behaviors

So this time I’ll be working off port Fa1/0/2 with Host B, and configured the following:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fa1/0/2
SW1(config-if)#
SW1(config-if)#shut
SW1(config-if)#
*Mar 1 01:03:44.550: %LINK-5-CHANGED: Interface FastEthernet1/0/2, changed state to administratively down
*Mar 1 01:03:45.557: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>

SW1(config-if)#switchport port mac ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky

SW1(config-if)#switchport port mac sticky ?
<cr>

SW1(config-if)#switchport port mac sticky
SW1(config-if)#
SW1(config-if)#no shut
SW1(config-if)#
*Mar 1 01:06:15.067: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar 1 01:06:16.074: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1(config-if)#

That is literally it for output, so we must be doing well; let's check it out:

“sh port” :

SW1#sh port
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
   Fa1/0/1             2            2                  0         Shutdown
   Fa1/0/2             1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

Again sorry for the tables being all smashed together, but we can see that Fa1/0/2 has no security violations, and is living the good life it appears.

Check the Secure MAC Table:

SW1#sh port add
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    001e.f797.f14b    SecureDynamic                 Fa1/0/1        -
   1    aaaa.aaaa.aaaa    SecureConfigured              Fa1/0/1        -
   1    001b.5336.f2cd    SecureSticky                  Fa1/0/2        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

I feel like my switch is a carnival clown car, and all these different MAC Address types are piling out into my Secure MAC table!

Joking aside, it's important to note that a sticky address will come into the table as SecureSticky and NOT SecureDynamic; SecureDynamic means it was just learned the plain ol' everyday way a switch maps a host to a port.

With sticky addresses, another thing to be aware of: they will survive a reload!

I wanted to yell that in red, as I won't do the whole reboot here to prove it; however, I AM willing to unplug Host A from Fa1/0/1 and plug it into Fa1/0/2 to cause some havoc!

Remember this sticky address for Host B is now learned and saved to the config, so let's see what happens when Host A tries to plug into the port:

Unplugging Host B from Fa1/0/2:

SW1#
*Mar 1 01:12:46.354: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
*Mar 1 01:12:47.360: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to down
SW1#

Plugging in Host A to Fa1/0/2:

SW1#
*Mar 1 01:14:07.388: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar 1 01:14:08.394: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1#
*Mar 1 01:14:24.685: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/2, putting Fa1/0/2 in err-disable state
*Mar 1 01:14:24.693: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.f797.f14b on port FastEthernet1/0/2.
*Mar 1 01:14:25.700: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
SW1#
*Mar 1 01:14:26.698: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to down
SW1#

I highlighted in green just to illustrate the Port-Security portion: the port goes up fine, until it realizes it's not fine and then shuts that port back down.

Let's take a look at some verification to see how things look:

"sh int fa1/0/2" :

SW1#sh int fa1/0/2
FastEthernet1/0/2 is down, line protocol is down (err-disabled)

The dreaded err-disable strikes again.

“sh port” :

SW1#sh port
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
   Fa1/0/1             2            1                  0         Shutdown
   Fa1/0/2             1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

The Secure MAC Address table :

SW1#sh port add
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    aaaa.aaaa.aaaa    SecureConfigured              Fa1/0/1        -
   1    001b.5336.f2cd    SecureSticky                  Fa1/0/2        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
SW1#

Two things to note here: the original sticky MAC (Host B's) is still present, and Host A's SecureDynamic entry disappeared once Host A was unplugged from Fa1/0/1.

"sh port int fa1/0/2" :

SW1#sh port int fa1/0/2
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 001e.f797.f14b:1
Security Violation Count : 1

SW1#

Note the port is in Secure-shutdown, and it now shows the Sticky MAC count and the Security Violation Count are both 1 right now (of course), but there is a more important takeaway to me:

Compare the Last Source Address:Vlan to the Sticky MAC in the Secure MAC Table and you can verify what device will be accepted on the port and what device attempted to use it. It is important to know the different ways to verify things!
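As an added example (not part of the original post), here is a small Python script that does that comparison for you: it parses the "sh port add" table and the "sh port int" output (constructed sample input copied from the lab output above), and flags a port whose Last Source Address is not one of its secure MACs or whose violation count is anything other than 0, the rule from earlier in the post.

```python
import re

# Constructed sample input (copied from the lab output above): the secure MAC
# table and "sh port-security interface fa1/0/2" after Host A hit Host B's port.
SH_PORT_ADD = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
----    -----------       ----                          -----   -------------
   1    aaaa.aaaa.aaaa    SecureConfigured              Fa1/0/1        -
   1    001b.5336.f2cd    SecureSticky                  Fa1/0/2        -
-----------------------------------------------------------------------------
"""

SH_PORT_INT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001e.f797.f14b:1
Security Violation Count   : 1
"""

# One secure-table row: vlan, H.H.H mac, Secure* type, port (age column ignored)
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)

def parse_secure_table(text):
    """Return {port: [(vlan, mac, type), ...]} from 'show port-security address'."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table.setdefault(port, []).append((int(vlan), mac.lower(), kind))
    return table

def parse_interface(text):
    """Return {field: value} from 'show port-security interface <port>'."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(" : ")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def diagnose(port, secure_table, iface):
    """Compare Last Source Address:Vlan against the port's secure MACs, as the
    post suggests, and flag any port with a non-zero violation count."""
    allowed = {mac for _, mac, _ in secure_table.get(port, [])}
    last_mac, _, last_vlan = iface["Last Source Address:Vlan"].rpartition(":")
    violations = int(iface["Security Violation Count"])
    return {
        "port": port,
        "status": iface["Port Status"],
        "violations": violations,
        "allowed_macs": sorted(allowed),
        "last_mac": last_mac.lower(),
        "last_vlan": int(last_vlan),
        "last_mac_allowed": last_mac.lower() in allowed,
        "needs_attention": violations > 0 or iface["Port Status"] != "Secure-up",
    }

if __name__ == "__main__":
    print(diagnose("Fa1/0/2", parse_secure_table(SH_PORT_ADD),
                   parse_interface(SH_PORT_INT)))
```

On the lab output above it reports Host A's MAC as the last source, Host B's sticky MAC as the only allowed address, and the port as needing attention.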

So what happens if I just plug Host B back into Fa1/0/2, can we all just get along again?

Absolutely not; the port MUST be cleared of that err-disable state, or it will stay in it as a sort of limbo state even when a cable is not detected:

[Image: Port_Sec_Sticky]

Once that sticky trust has been violated, the port will need to be shut down, an allowed / secure device plugged in, and the port re-opened to allow it to come back up:

SW1(config)#int fa1/0/2
SW1(config-if)#shut
SW1(config-if)#no shut
SW1(config-if)#
*Mar 1 01:29:01.269: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar 1 01:29:02.276: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1(config-if)#

There will be no big parade that rolls out once you resolve the issue, as can be seen; the port just won't go back down in flames. I'll spare all the verification output, but to confirm on the interface that we are back in business:

SW1#sh int fa1/0/2
FastEthernet1/0/2 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 1ce6.c7c1.c804 (bia 1ce6.c7c1.c804)

So we are good to go!

Now for more of a discussion on aging than labbing it, section by section

We know from the last post that the default aging time is indefinite, and all of the aging options rely on the "aging time #" being set if it is not left at default.

That being said, let's look at the options, one by one:

SW1(config-if)#switchport port ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>

SW1(config-if)#switchport port aging ?
static Enable aging for configured secure addresses
time Port-security aging time
type Port-security aging type

Static aging:

SW1(config-if)#switchport port aging static ?
<cr>

This enables aging for the statically configured secure addresses, so a static entry is only secure for as long as the timer is set to be.

The timer value:

SW1(config-if)#switchport port aging time ?
<1-1440> Aging time in minutes. Enter a value between 1 and 1440

THIS IS SETTING TIME LIMIT IN MINUTES, NOT SECONDS!

It is important to note that you are setting minutes here! Always use IOS help if you are not sure about the unit of the value you are entering!

This time value set here will affect both the Static option for Aging, as well as Inactivity.

Absolute and Inactivity:

SW1(config-if)#switchport port aging type ?
absolute Absolute aging (default)
inactivity Aging based on inactivity time period

I highlighted absolute because this is the default; if you issue "switchport port-security aging type absolute" you are setting the port security aging type back to its default.

Inactivity, on the other hand, is as it sounds: if the port does not hear from the secured MAC on that interface within the time value set (if one is manually configured), it will remove the secure address from the Secure Address table if it is SecureDynamic. Both static and sticky Port-Security addresses will survive a reload.

How to dynamically recover err-disable Ports with Errdisable Recover!

This is the one part of Port-Security that is configured globally instead of per interface, and it saves you the time of having to shut / no shut the interface to clear the err-disable.

There is a long list of options here when configuring and verifying, so bear with me.

Configuration:

SW1(config)#errdisable recovery ?
cause Enable error disable recovery for application
interval Error disable recovery timer value

SW1(config)#errdisable recovery cause ?
all                      Enable timer to recover from all error causes
arp-inspection           Enable timer to recover from arp inspection error disable state
bpduguard                Enable timer to recover from BPDU Guard error
channel-misconfig (STP)  Enable timer to recover from channel misconfig error
dhcp-rate-limit          Enable timer to recover from dhcp-rate-limit error
dtp-flap                 Enable timer to recover from dtp-flap error
gbic-invalid             Enable timer to recover from invalid GBIC error
inline-power             Enable timer to recover from inline-power error
l2ptguard                Enable timer to recover from l2protocol-tunnel error
link-flap                Enable timer to recover from link-flap error
loopback                 Enable timer to recover from loopback error
mac-limit                Enable timer to recover from mac limit disable state
pagp-flap                Enable timer to recover from pagp-flap error
port-mode-failure        Enable timer to recover from port mode change failure
pppoe-ia-rate-limit      Enable timer to recover from PPPoE IA rate-limit error
psecure-violation        Enable timer to recover from psecure violation error
psp                      Enable timer to recover from psp
security-violation       Enable timer to recover from 802.1x violation error
sfp-config-mismatch      Enable timer to recover from SFP config mismatch error
small-frame              Enable timer to recover from small frame error
storm-control            Enable timer to recover from storm-control error
udld                     Enable timer to recover from udld error
vmps                     Enable timer to recover from vmps shutdown error

SW1(config)#errdisable recovery cause psecure-violation ?
<cr>

I highlighted "all" for "cause" as that would cover errdisable recovery for ANY scenario, but what we are working with here specifically is psecure-violation related issues.

Next we will set the interval for errdisable recovery to run (it is not instant):

SW1(config)#errdisable recovery ?
cause Enable error disable recovery for application
interval Error disable recovery timer value

SW1(config)#errdisable recovery interval ?
<30-86400> timer-interval(sec)

SW1(config)#errdisable recovery interval 30 ?
<cr>

SW1(config)#errdisable recovery interval 30

So now it is set to attempt recovery of errdisabled interfaces for psecure-violations every 30 seconds, so to test this I again unplugged Host B from Fa1/0/2 and plugged in Host A:

SW1#
*Mar 1 01:02:30.412: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
SW1#
*Mar 1 01:02:31.418: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1#
*Mar 1 01:02:44.815: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/2, putting Fa1/0/2 in err-disable state
*Mar 1 01:02:44.823: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.f797.f14b on port FastEthernet1/0/2.
*Mar 1 01:02:45.830: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
SW1#
*Mar 1 01:02:46.828: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to down
SW1#
*Mar 1 01:03:14.821: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa1/0/2
*Mar 1 01:03:18.495: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar 1 01:03:19.502: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1#
*Mar 1 01:03:34.803: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/2, putting Fa1/0/2 in err-disable state
SW1#
*Mar 1 01:03:34.811: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.f797.f14b on port FastEthernet1/0/2.
*Mar 1 01:03:35.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
SW1#
*Mar 1 01:03:36.816: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to down

Now what happened here was that Errdisable Recovery was configured, but the issue was never corrected, so as soon as Errdisable Recovery did its job the port got shut back down again due to the Port-Security violation.
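Added example, not from the original post: a Python script that detects this recovery loop from the console log, pairing each %PM-4-ERR_RECOVER with a following %PM-4-ERR_DISABLE on the same port and pulling the offending MAC from the %PORT_SECURITY-2-PSECURE_VIOLATION line. The log lines are the ones from the lab above, embedded as a constructed sample so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample: console lines copied from the errdisable recovery lab above.
CONSOLE_LOG = """\
*Mar 1 01:02:44.815: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/2, putting Fa1/0/2 in err-disable state
*Mar 1 01:02:44.823: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.f797.f14b on port FastEthernet1/0/2.
*Mar 1 01:03:14.821: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa1/0/2
*Mar 1 01:03:34.803: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/2, putting Fa1/0/2 in err-disable state
*Mar 1 01:03:34.811: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001e.f797.f14b on port FastEthernet1/0/2.
*Mar 1 01:04:04.800: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa1/0/2
*Mar 1 01:04:08.491: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
"""

# hh:mm:ss.mmm timestamp, then the IOS mnemonic and the message text
STAMP = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d{3}): %([A-Z0-9_-]+): (.*)$")
ERR_DISABLE = re.compile(r"psecure-violation error detected on (\S+),")
ERR_RECOVER = re.compile(r"err-disable state on (\S+)$")
VIOLATION = re.compile(r"caused by MAC address (\S+) on port (\S+)\.")

def short_name(port):
    """FastEthernet1/0/2 -> Fa1/0/2 so both message formats key on one name."""
    return re.sub(r"^FastEthernet", "Fa", port)

def parse_events(log):
    """Return [(seconds_since_midnight, kind, port, mac_or_None), ...] in log order."""
    events = []
    for line in log.splitlines():
        m = STAMP.search(line)
        if not m:
            continue
        h, mi, s, ms, mnemonic, msg = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(ms) / 1000
        if mnemonic == "PM-4-ERR_DISABLE":
            events.append((t, "disable", ERR_DISABLE.search(msg).group(1), None))
        elif mnemonic == "PM-4-ERR_RECOVER":
            events.append((t, "recover", ERR_RECOVER.search(msg).group(1), None))
        elif mnemonic == "PORT_SECURITY-2-PSECURE_VIOLATION":
            mac, port = VIOLATION.search(msg).groups()
            events.append((t, "violation", short_name(port), mac))
    return events

def find_recovery_loops(events, window=60.0):
    """Flag a port that lands back in err-disable within `window` seconds of an
    ERR_RECOVER attempt: recovery ran, but the offending host is still there."""
    last_recover, offenders, loops = {}, defaultdict(set), []
    for t, kind, port, mac in events:
        if kind == "recover":
            last_recover[port] = t
        elif kind == "violation":
            offenders[port].add(mac)
        elif kind == "disable" and port in last_recover \
                and t - last_recover[port] <= window:
            loops.append({"port": port,
                          "seconds_after_recovery": round(t - last_recover[port], 3),
                          "offending_macs": sorted(offenders[port])})
    return loops

if __name__ == "__main__":
    for loop in find_recovery_loops(parse_events(CONSOLE_LOG)):
        print(loop)
```

The final ERR_RECOVER at 01:04:04 is not flagged because no ERR_DISABLE follows it, which is exactly the "Host B plugged back in" case shown further down.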

I also wanted to quickly review the command "sh errdisable recovery" here:

SW1#sh errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 30 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Fa1/0/2        psecure-violation            19

Excuse the formatting once again here.

Highlighted are all the things that can cause err-disable; this shows we have errdisable recovery on for only the psecure-violation type, and at the very bottom it tells you which interface is having issues, what type of issue, and the timer (in seconds) until it will attempt to recover again.

At this point I have Host B plugged back into Fa1/0/2, so let's see what happens:

SW1#
*Mar 1 01:04:04.800: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa1/0/2
SW1#
*Mar 1 01:04:08.491: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar 1 01:04:09.498: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1#

That is all the console output will show if your errdisable recovery works: the port will just show that it goes back to an Up status, and keep on trucking.

That is it for Port-Security / Errdisable Recovery!

If you feel I missed anything please let me know in the comments, otherwise it is on to the exciting world of dot1x Port authentication!