SWITCHPORT SECURITY ISSUE

swamy105
Level 1

My company has a 3550 switch with IOS 12.2 SEB version. No other configuration is there. I want to enable switch port security on 3 ports.

The following commands were submitted on the port:

int fas0/18
switchport mode access
switchport port-security
switchport port-security maximum 1
exit

This command is not working: it is permitting more than one MAC address.

What could be the problem? Can anyone help me in this regard? I have just completed my CCNA.


7 Replies

rolf.fischer_2
Level 1

Try configuring the optional violation command:

switchport port-security violation shutdown

What about the "show port-security interface fa0/3" command output?

That same switchport port-security violation shutdown command: I tried that option also. Still, if I disconnect and hook up the other machine it is still reading, and the port is not shut down.

The show command indicates that the port is secure.

by permanant

I'm not sure if I understood you right.

You have 2 PCs connected to Fa0/3 AT THE SAME TIME (via Hub/Switch), right?

And port-security doesn't shutdown Fa0/3?

Strange...

Could you post the output of the show-command?

I gave your configuration a try on a Catalyst 3550 and it worked fine:

Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00d0.59c0.94bb:1
Security Violation Count : 0

00:07:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
00:07:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0030.8048.0d01 on port FastEthernet0/3.
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:07:07: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0030.8048.0d01:1
Security Violation Count : 1

Did you use a second switch? Without spanning-tree portfast it might take a minute until the second MAC-address is seen by the first switch.
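The show output and syslog lines in the reply above are exactly what a practitioner would check, so here is an added example (not part of the thread, and not Cisco code) that parses that output, extracts the violating port and MAC from the syslog messages, and flags the gap this thread is really about: a port whose only secure address is dynamically learned, and therefore forgotten as soon as the link drops. The sample text is copied from the outputs posted above; the function names and the wording of the findings are my own.

```python
"""Parse 'show port-security interface' output and the IOS syslog messages a
port-security violation produces, and flag the configuration gap discussed in
this thread (dynamic-only addresses that vanish on link-down).

Added example for this page; it is not the thread's or Cisco's code. The sample
text is copied from the outputs posted above; function and key names are mine.
"""
import re

# Sample input: the 'show port-security interface fa0/3' output posted above,
# captured before the violation.
SHOW_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00d0.59c0.94bb:1
Security Violation Count : 0
"""

# Sample syslog: the messages posted above.
SYSLOG = """\
00:07:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
00:07:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0030.8048.0d01 on port FastEthernet0/3.
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
00:07:07: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    rf"(?P<mac>{MAC}) on port (?P<port>\S+?)\.?$"
)
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)


def parse_show_port_security(text: str) -> dict:
    """Turn the 'Key : Value' lines into a dict.

    Split on ' : ' (with spaces) rather than on ':' because the key
    'Last Source Address:Vlan' and its value '00d0.59c0.94bb:1' both contain
    bare colons.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def port_security_findings(fields: dict) -> list:
    """Checks on the parsed fields; returns short finding strings (empty = clean)."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return ["port security not enabled"]
    configured = int(fields.get("Configured MAC Addresses", "0"))
    sticky = int(fields.get("Sticky MAC Addresses", "0"))
    if configured == 0 and sticky == 0:
        # Only dynamically learned addresses: they are cleared when the link
        # drops, so the next host plugged in is accepted without a violation.
        findings.append("no static or sticky MAC: any host accepted after link-down")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled by a violation")
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append("violations recorded: " + fields["Security Violation Count"])
    return findings


def violations_from_syslog(text: str) -> list:
    """Return (port, offending MAC) for each PSECURE_VIOLATION line."""
    hits = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            hits.append((m.group("port"), m.group("mac")))
    return hits


def err_disabled_ports(text: str) -> list:
    """Return the ports that %PM-4-ERR_DISABLE reports as psecure-violation."""
    return [m.group("port") for m in map(ERR_DISABLE_RE.search, text.splitlines()) if m]


if __name__ == "__main__":
    fields = parse_show_port_security(SHOW_OUTPUT)
    print(fields["Port Status"], fields["Last Source Address:Vlan"])
    print(port_security_findings(fields))
    print(violations_from_syslog(SYSLOG), err_disabled_ports(SYSLOG))
```

Run against the first show output above, the only finding is the dynamic-only one, which is precisely the original poster's situation. One caveat the thread does not mention: a port left in Secure-shutdown stays err-disabled until someone runs shutdown / no shutdown on it, unless the switch is configured to recover automatically (errdisable recovery cause psecure-violation), so if you choose violation shutdown, decide who will clear the port and how quickly.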

Well, the case is that you are using one PC at one particular time, so your command switchport port-security maximum 1 will still allow other PCs to get connected if they are connected afresh to that port.

But if you want only a particular PC to connect to a port, use the command Switch(config-if)# switchport port-security mac-address 1000.2000.3000

where the MAC address is that of the only PC you want to connect.

HTH

Hoogen

Do rate if this helps :)

bogdan.sass
Level 1

If I recall correctly, when an interface goes down, the switch clears all MAC addresses learned on that interface. In your case, as soon as you unplug the first PC, the dynamically learned MAC address is cleared from the switch table. You plug in the other one, and the new MAC is learned without triggering the port security.

If you only want a particular PC to connect to that port, use the mac-address sticky command to configure a static MAC on that interface.

kyawzawhtut
Level 1

Hi

According to your configuration, it will only allow 1 MAC address at ONE time. To explain, if you connect the port to a hub and connect multiple PCs, the port will be shut down because it violates the security.

If you want to allow only a particular MAC address to be connected at ANY (not one) time, you need to use the sticky option.

Hope that clears everyone's doubt. Please rate if it helped!

Cheers

Joe
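The three explanations above (bogdan.sass on dynamic addresses being flushed at link-down, Hoogen on a static mac-address, kyawzawhtut on sticky) describe a small state machine, and the poster's confusion comes from testing it in a way that never triggers a violation. Here is an added example, not the thread's own code and not Cisco's implementation, that models that state machine and replays the thread's scenarios: PC A unplugged then PC B (no violation with dynamic learning, violation with sticky), two PCs behind a hub, and a port pinned to one configured address. The class, its attribute names and the scenario functions are my own; each attribute is commented with the IOS command it stands for, and the MAC addresses are constructed.

```python
"""A small model of the Catalyst port-security behaviour the replies above
describe: up to 'maximum' secure addresses per port, dynamically learned
addresses discarded when the link goes down, and a violation when an address
beyond the limit shows up while the port is up. Sticky and static addresses
survive link-down, which is why they are the fix for the poster's test.

Added example, not the thread's own code and not Cisco's implementation. The
class, attribute names and scenario functions are mine; MACs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = False             # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)   # switchport port-security mac-address H.H.H
    learned_macs: set = field(default_factory=set)  # dynamically (or sticky-) learned addresses
    status: str = "Secure-up"
    violation_count: int = 0
    events: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static_macs | self.learned_macs

    def frame_from(self, mac: str) -> bool:
        """A frame with source address 'mac' arrives; return True if forwarded."""
        if self.status == "Secure-shutdown":
            return False                      # err-disabled: nothing passes
        if mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned_macs.add(mac)        # room left under the maximum: learn it
            return True
        # An address beyond the maximum while the port is up: a violation.
        if self.violation == "protect":
            return False                      # silently dropped, not counted
        self.violation_count += 1             # restrict and shutdown both count it
        self.events.append(("violation", mac))
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"   # port goes err-disabled
        return False

    def link_down(self) -> None:
        """Cable unplugged. Dynamic addresses are flushed; sticky ones stay
        because they were written into the running configuration."""
        if not self.sticky:
            self.learned_macs.clear()


def scenario_sequential_pcs(sticky: bool = False) -> tuple:
    """The original poster's test: PC A, unplug, then PC B on the same port."""
    port = SecurePort(maximum=1, sticky=sticky)
    port.frame_from("0000.0000.000a")
    port.link_down()                          # PC A removed, PC B plugged in
    forwarded = port.frame_from("0000.0000.000b")
    return forwarded, port.status, port.violation_count


def scenario_hub(violation: str = "shutdown") -> tuple:
    """Two PCs behind a hub, both sending while the port is up."""
    port = SecurePort(maximum=1, violation=violation)
    port.frame_from("0000.0000.000a")
    second = port.frame_from("0000.0000.000b")
    third = port.frame_from("0000.0000.000b")
    return second, third, port.status, port.violation_count


def scenario_static_mac() -> tuple:
    """Hoogen's fix: only the configured address is accepted, even after
    the port has been down and comes back with a different host on it."""
    port = SecurePort(maximum=1, static_macs={"1000.2000.3000"})
    own = port.frame_from("1000.2000.3000")
    port.link_down()
    other = port.frame_from("0000.0000.000b")
    return own, other, port.status, port.violation_count


if __name__ == "__main__":
    print("dynamic, A then B:", scenario_sequential_pcs())
    print("sticky,  A then B:", scenario_sequential_pcs(sticky=True))
    print("hub, shutdown:    ", scenario_hub())
    print("hub, restrict:    ", scenario_hub("restrict"))
    print("static MAC:       ", scenario_static_mac())
```

With dynamic learning only, the sequential test returns the second PC as forwarded with zero violations, which is what the poster saw on the 3550; with sticky or a static address the second PC trips the violation and the port goes to Secure-shutdown. The hub scenario trips it either way, matching rolf.fischer_2's capture above. Note that restrict keeps the port up and keeps counting offending frames, while protect drops them without any counter or log, so protect gives you no signal that anything happened.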
