This article provides a demonstration to show changes with the default port security settings on the Cisco Business 250 and 350 Switches starting with firmware version 3.1.
Applicable Devices | Firmware Version
It is important to run the latest version of firmware when a new release comes out. In Spring of 2021, firmware version 3.1 for CBS 250 and 350 switches was released, changing the Port Security default behavior. These changes were made to improve endpoint security. Check out the demonstration to learn more.
Port Security Default Behavior Demonstration (Firmware version 3.1)
In this demonstration, Port Security is enabled on the GE2 interface of a Cisco Business 350 switch upgraded to firmware version 3.1. We will move a PC connected at switch port 2 (GE2) to switch port 4 (GE4) and observe the default behavior of Port Security.
First, we navigate to Port Management > Port Settings and verify the PC is connected on switch port 2 (GE2) and the Operational Status of the port is showing Up.
Next, we navigate to MAC Address Tables > Dynamic Addresses and verify the MAC address of the PC associated to switch port 2 (GE2).
We navigate to the Security menu, select switch port 2 (GE2), and click on the edit icon. We enable the Lock option beside Interface Status. Learning Mode will be shown as Classic Lock. We leave Action on Violation as Discard and click Apply.
A success notification will appear on the screen, so we click Close.
The GE2 Interface Status will show as Locked.
We navigate to MAC Address Tables > Static Addresses. The PC MAC address associated with the GE2 interface will be reflected under the Static Addresses table.
We will move the PC from switch port 2 (GE2) to switch port 4 (GE4) and make sure the Operational Status of the GE4 interface shows Up.
We navigate to MAC Address Tables > Static Addresses. The PC MAC address associated with the GE2 interface will still appear under the Static Addresses table.
We navigate to MAC Address Tables > Dynamic Addresses. The PC (MAC address 3c:07:54:75:b2:1d) is connected to the GE4 interface. Even though the GE4 interface Operational Status is Up, the PC will be not able to get a Dynamic Host Configuration Protocol (DHCP) IP address. From the Dynamic Address Table, we can verify the same.
The PC (MAC address 3c:07:54:75:b2:1d) will only get a DHCP IP address when it is connected to the GE2 interface because the Static Address Table shows that MAC address binding with the GE2 interface. If we want to remove the PC MAC address from the GE2 interface so we can use it on another port, we need to unlock the port by following the optional steps that follow.
Step 10 (Optional)
We uncheck the Lock radio button and click Apply.
Step 11 (Optional)
The Interface Status will now show as unlocked.
Finally, we click the save icon to permanently save the configuration.
There you go, now you know the new port security default behavior from firmware version 3.1 and beyond!
Looking for more articles on your CBS250 or CBS350 switch? Check out any of the links below for more information!