Port-Security (Mac-Address Filtering)

Port-Security is fundamentally great to implement, especially since this command supports both static (Sticky) and dynamic mac-address filtering.

Basic configuration:

##Open Interface##
(config)#int e0/2

##Enable Port-Security##
(config-if)#switchport port-security

##Allow a specific mac-address##
(config-if)#switchport port-security mac-address aabb.ccdd.eeff

##Only Allow a single mac-address##
(config-if)#switchport port-security maximum 1

##If policy is violated, err-disable port##
(config-if)#switchport port-security violation shutdown

Verify configuration on the interface:

#show port-security interface e0/2
Sw1#sh port-security int e0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aabb.ccdd.eeff:10
Security Violation Count   : 0

View from both devices:

Once the Router (R1) changes it’s mac-address, it will err-disable the Switchport from Sw1. 

R1(config)#interface e0/0
R1(config-if)#mac-address aabb.ccff.eeff
*Jul  6 17:14:56.613: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/2, putting Et0/2 in err-disabl
e state
*Jul  6 17:14:56.613: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aa
bb.ccff.eeff on port Ethernet0/2.
*Jul  6 17:14:57.621: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
*Jul  6 17:14:58.617: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to down

To fix the err-disable, you will want to put the original MAC-address back on R1 or add the new mac-address to the port-security interface. Then, you will want to cycle the switchport. (shut/no shut) – verify w/ ping. 

If you want/need to save the mac-address that was learned after a reboot, you will need to use this: 

(config)#int e0/2
(config-if)#switchport port-security mac-address sticky aabb.ccdd.eeff

If you get an error, perform this first, to remove any previously set mac-address:

(config-if)#no switchport port-security mac-address aabb.ccdd.eeff 

##followed by: 

(config-if)#switchport port-security mac-address sticky aabb.ccdd.eeff

VLAN & VTP Basics

Creating VLANs is an easy task, but you may run into issues with the VLANs populating between the other access switches (VTP : Client).

Option One (used to create the VLAN)

**Option One**
(config)#vlan 10
(config-vlan)#name SALES


**Option Two** 
(config)#interface vlan 10
(config-if)#description SALES
(config-if)#ip address a.b.c.d x.x.x.x

Option two allows you to set a static interface for IP routing. 

For EXTENDED VLANs(1006-4096), VTP mode must be in Transparent. Server mode should throw errors, probably not in IOL devices.

(config)#vtp mode transparent

By default all cisco catalysts come preconfigured with VTP server mode. You will need to change this on all access switches not serving vlans. First,

(config)#vtp mode Server
(config)#vtp mode Transparent
(config)#vtp mode Client

then, set the domain

(config)#vtp domain CISCO

This will put the switch in client mode and on the same domain as the VTP server. Allowing it to accept VLAN configs from the core or Firewall. If you run into an MD5 digest checksum mismatch error, you may need to change the password on all devices in the same domain that need VTP configs, like this: 

(config)#vtp password cisco

You will then want to issue the below command to show the current status: 

#show vtp status
Sw1>sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.1200
Configuration last modified by at 7-5-19 23:13:37
Local updater ID is (no valid interface found)

Feature VLAN:
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 0
MD5 digest                        : 0x87 0x6A 0xFA 0xCB 0xD3 0x27 0xDF 0x0C
                                    0x04 0xF4 0x94 0x8E 0x18 0xEA 0xE9 0x84

Cisco Certification rebuild!

It’s official! Cisco has finally decided to do a complete rebuild of their certificate program.

Check out the famous network blog by Kevin Wallace: https://www.kwtrain.com/blog/certupdate?cid=98b3de66-d267-46fd-b804-d5824a287ea8&fbclid=IwAR1Be9O8nZcTTXMyd6FsH-O30USC09wTzB03rAuDHhKO3HJzv3QSkHGFxfQ

This is all the information we have right now, but stay tuned and keep learning!