SWITCHPORT SECURITY ISSUE

Answered Question
Feb 20th, 2007

My company has a 3550 switch with IOS 12.2 SEB version; no other configuration is there. I want to enable switch port security on 3 ports.

The following commands were submitted on the port:

int fas0/18
switchport mode access
switchport port-security
switchport port-security maximum 1
exit

This command is not working; it is permitting more than one MAC address.

What could be the problem? Can anyone help me in this regard? I have just completed my CCNA.

Rolf Fischer Tue, 02/20/2007 - 04:50

Try to configure an optional violation command:

switchport port-security violation shutdown

What about the "show port-security interface fa0/3" command output?

swamy105 Tue, 02/20/2007 - 05:10

I tried that same switchport security-violation shutdown command option also. Still, if I disconnect and hook up the other machine, it is still reading, and the port does not shut down.

The show command indicates that the port is secure.

by permanent

Rolf Fischer Tue, 02/20/2007 - 05:20

I'm not sure if I understood you right.

You have 2 PCs connected to Fa0/3 AT THE SAME TIME (via Hub/Switch), right?

And port-security doesn't shutdown Fa0/3?

Strange...

Could you post the output of the show-command?

Correct Answer
Rolf Fischer Tue, 02/20/2007 - 07:14

I gave your configuration a try on a Catalyst 3550 and it worked fine:

Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00d0.59c0.94bb:1
Security Violation Count : 0

00:07:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
00:07:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0030.8048.0d01 on port FastEthernet0/3.
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:07:07: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0030.8048.0d01:1
Security Violation Count : 1

Did you use a second switch? Without spanning-tree portfast it might take a minute until the second MAC-address is seen by the first switch.

Correct Answer
hoogen_82 Tue, 02/20/2007 - 10:20

Well, the case is that you are using one PC at one particular time, so your command switchport port-security maximum 1 will still allow other PCs to get connected if they are connected afresh to that port.

But if you want only a particular PC to connect to a port, use the command Switch(config-if)# switchport port-security mac-address 1000.2000.3000

where the MAC address is that of the only PC you want to connect.

HTH

Hoogen

Do rate if this helps :)

bogdan.sass Tue, 02/20/2007 - 10:53

If I recall correctly, when an interface goes down, the switch clears all MAC addresses learned on that interface. In your case, as soon as you unplug the first PC, the dynamically learned MAC address is cleared from the switch table. You plug in the other one, and the new MAC is learned without triggering the port security.

If you only want a particular PC to connect to that port, use the mac-address sticky command to configure a static MAC on that interface.
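The two behaviours discussed in this thread (a link flap clearing a dynamically learned secure address, versus a sticky or static address surviving it) can be reproduced with a small model. The following Python is an added example, not code from the thread or from Cisco: it is a simplified model of port-security learning on one access port, not the IOS implementation, and the PC MAC addresses are constructed. `swap_pcs` replays the original poster's test (plug PC1 in, unplug it, plug PC2 in) with and without sticky learning; `hub_with_two_pcs` replays Rolf's test where two MACs appear on the port at the same time. `ios_interface_config` lists the real IOS interface commands the model corresponds to.

```python
from dataclasses import dataclass, field

# Constructed sample MAC addresses (not taken from the thread).
PC1 = "0000.1111.aaaa"
PC2 = "0000.2222.bbbb"


@dataclass
class SecurePort:
    """Minimal model of one port-security-enabled access port (simplified, not IOS)."""
    maximum: int = 1
    sticky: bool = False
    violation_mode: str = "shutdown"                   # shutdown | restrict | protect
    secure_addrs: dict = field(default_factory=dict)   # mac -> "dynamic" | "sticky" | "static"
    status: str = "secure-up"
    violation_count: int = 0
    log: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """Models 'switchport port-security mac-address <mac>' (a configured address)."""
        self.secure_addrs[mac] = "static"

    def frame_from(self, mac: str) -> bool:
        """Return True if a frame sourced from `mac` is forwarded, False if dropped."""
        if self.status == "secure-shutdown":
            self.log.append(f"drop {mac}: port is err-disabled")
            return False
        if mac in self.secure_addrs:
            return True
        if len(self.secure_addrs) < self.maximum:
            # Room left in the secure table: learn the address.
            self.secure_addrs[mac] = "sticky" if self.sticky else "dynamic"
            self.log.append(f"learned {mac} as {self.secure_addrs[mac]}")
            return True
        # Table full and this MAC is not in it: a security violation.
        if self.violation_mode == "shutdown":
            self.violation_count += 1
            self.status = "secure-shutdown"
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION caused by {mac}; port err-disabled")
        elif self.violation_mode == "restrict":
            self.violation_count += 1
            self.log.append(f"drop {mac}: restrict mode (counted)")
        else:  # protect: drop silently, nothing counted
            self.log.append(f"drop {mac}: protect mode (not counted)")
        return False

    def link_down(self) -> None:
        """Cable unplugged: dynamically learned secure addresses are flushed,
        sticky and static ones survive (the point bogdan.sass makes above)."""
        self.secure_addrs = {m: k for m, k in self.secure_addrs.items() if k != "dynamic"}
        self.log.append("link down; dynamic secure addresses cleared")


def swap_pcs(sticky: bool) -> tuple:
    """PC1 plugged in, unplugged, then PC2 plugged in (the original poster's test)."""
    port = SecurePort(maximum=1, sticky=sticky)
    port.frame_from(PC1)
    port.link_down()
    pc2_forwarded = port.frame_from(PC2)
    return pc2_forwarded, port.status, port.violation_count


def hub_with_two_pcs(violation_mode: str = "shutdown") -> tuple:
    """PC1 and PC2 both behind a hub on the same port at the same time (Rolf's test)."""
    port = SecurePort(maximum=1, violation_mode=violation_mode)
    port.frame_from(PC1)
    pc2_forwarded = port.frame_from(PC2)
    pc1_still_forwarded = port.frame_from(PC1)
    return pc2_forwarded, pc1_still_forwarded, port.status, port.violation_count


def ios_interface_config(sticky: bool) -> list:
    """The IOS interface commands this model corresponds to (real IOS syntax)."""
    cmds = [
        "switchport mode access",
        "switchport port-security",
        "switchport port-security maximum 1",
        "switchport port-security violation shutdown",
    ]
    if sticky:
        cmds.append("switchport port-security mac-address sticky")
    return cmds


if __name__ == "__main__":
    print("dynamic, swap PCs:", swap_pcs(sticky=False))  # PC2 accepted, no violation
    print("sticky,  swap PCs:", swap_pcs(sticky=True))   # PC2 rejected, port shut down
    print("dynamic, hub     :", hub_with_two_pcs())      # second MAC shuts the port
```

Running it shows the asymmetry the thread is about: with plain dynamic learning the swapped-in PC2 is accepted and the violation counter stays at 0, exactly what the original poster saw, while with sticky learning (or a configured static address) PC2 causes a violation and the port goes to secure-shutdown. Note that sticky addresses are written into the running configuration as they are learned, so they persist across a reload only if the configuration is saved.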

Correct Answer
kyawzawhtut Tue, 02/20/2007 - 22:38

Hi

According to your configuration, it will only allow 1 MAC address at ONE time. To explain, if you connect the port to a hub and connect multiple PCs, the port will be shut down because it violates the security.

If you want to allow only a particular MAC address to be connected at ANY (not one) time, you need to use the sticky option.

Hope that clears everyone's doubt. Please rate if it helped!

Cheers

Joe
