02-20-2007 03:18 AM - edited 03-05-2019 02:28 PM
My company has a 3550 switch with IOS 12.2 SEB version. No other configuration is there. I want to enable switchport port security on 3 ports.
The following commands were submitted on the port:
int fas0/18
switchport mode access
switchport port-security
switchport port-security maximum 1
exit
This command is not working;
it is permitting more than one MAC address.
What could be the problem? Can anyone help me in this regard? I have just completed my CCNA.
02-20-2007 07:14 AM
I gave your configuration a try on a Catalyst 3550 and it worked fine:
Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00d0.59c0.94bb:1
Security Violation Count : 0
00:07:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
00:07:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0030.8048.0d01 on port FastEthernet0/3.
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:07:07: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0030.8048.0d01:1
Security Violation Count : 1
Did you use a second switch? Without spanning-tree portfast it might take a minute until the second MAC address is seen by the first switch.
02-20-2007 10:20 AM
Well, the case is that you are using one PC at one particular time, so your command switchport port-security maximum 1 will still allow other PCs to get connected if they are connected afresh to that port.
But if you want only a particular PC to connect to a port, use the command Switch(config-if)# switchport port-security mac-address 1000.2000.3000
where the MAC address is that of the only PC you want to connect.
HTH
Hoogen
Do rate if this helps :)
02-20-2007 10:38 PM
Hi
According to your configuration, it will only allow 1 MAC address at ONE time. To explain, if you connect the port to a hub and connect multiple PCs, the port will be shut down because it violates the security.
If you want to allow only a particular MAC address to be connected at ANY (not one) time, you need to use the sticky option.
Hope that clears everyone's doubt. Please rate if this helped!
Cheers
Joe
02-20-2007 04:50 AM
Try to configure an optional violation command:
switchport port-security violation shutdown
What about the "show port-security interface fa0/3" command output?
02-20-2007 05:10 AM
I tried that same switchport port-security violation shutdown
command as well. Still, if I disconnect and hook up the other machine, it is still reading, and the port is not shut down.
The show command indicates that the port is secure.
by permanant
02-20-2007 05:20 AM
I'm not sure if I understood you right.
You have 2 PCs connected to Fa0/3 AT THE SAME TIME (via Hub/Switch), right?
And port-security doesn't shutdown Fa0/3?
Strange...
Could you post the output of the show-command?
02-20-2007 10:53 AM
If I recall correctly, when an interface goes down, the switch clears all MAC addresses learned on that interface. In your case, as soon as you unplug the first PC, the dynamically learned MAC address is cleared from the switch table. You plug in the other one, and the new MAC is learned without triggering the port security.
If you only want a particular PC to connect to that port, use the mac-address sticky command to configure a static MAC on that interface.
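To make the behaviour described in this thread concrete, here is an added toy model (not Cisco code and not from any poster) of a single port-security port: the original poster's "unplug PC A, plug in PC B" test passes with plain maximum 1 because the dynamic entry is flushed on link-down, while the hub case and the sticky/static variants trigger a shutdown violation. The MAC addresses and scenario functions are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Constructed model of IOS port-security on one access port (violation mode shutdown)."""
    maximum: int = 1                            # switchport port-security maximum N
    sticky: bool = False                        # switchport port-security mac-address sticky
    static: set = field(default_factory=set)    # switchport port-security mac-address H.H.H
    secure: dict = field(default_factory=dict)  # mac -> "dynamic" | "sticky" | "static"
    status: str = "Secure-up"
    violations: int = 0

    def __post_init__(self):
        for mac in self.static:                 # statically configured MACs are secure from the start
            self.secure[mac] = "static"

    def frame(self, mac: str) -> bool:
        """A frame with source MAC `mac` arrives; return True if the port forwards it."""
        if self.status == "Secure-shutdown":
            return False                        # err-disabled port drops everything
        if mac in self.secure:
            return True
        if len(self.secure) >= self.maximum:
            # Unknown MAC beyond the maximum: violation, port goes err-disabled and
            # dynamically learned entries are dropped (Total MAC Addresses : 0 in the thread output)
            self.violations += 1
            self.status = "Secure-shutdown"
            self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}
            return False
        self.secure[mac] = "sticky" if self.sticky else "dynamic"
        return True

    def link_down(self) -> None:
        """Cable unplugged: dynamic secure MACs are flushed, sticky and static entries survive."""
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}


def swap_pcs(port: PortSecurity) -> list:
    """Original poster's test: PC A, unplug, plug in PC B. Returns [A forwarded, B forwarded]."""
    a = port.frame("0000.aaaa.0001")            # constructed MAC for PC A
    port.link_down()
    b = port.frame("0000.bbbb.0002")            # constructed MAC for PC B
    return [a, b]


def hub_two_pcs(port: PortSecurity) -> list:
    """Two PCs behind a hub on the same port at the same time."""
    return [port.frame("0000.aaaa.0001"), port.frame("0000.bbbb.0002"), port.status]
```

With the default settings `swap_pcs` returns [True, True], which is exactly what the poster saw; with `sticky=True` or a static MAC the second PC is refused and the port shows Secure-shutdown.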