Port Security problem

Unanswered Question
Nov 4th, 2007

I am experimenting with port security.

I have configured a particular port secveral different ways. I have removed and added security several times.

I have a workstation and phone on this port.

Now when I try to put the config back to the original security config, I keep getting violations and the port shuts down.

The violation is occuring from the workstation on the port that has always been there.

I can only get the port to come up when I remove the security components.

I have tried dynamic, sticky and statically adding the mac address. When I add the address statically I get "duplicate address found"

Is it possible that the port is retaining some security components even though I have removed them?

When I remove the components, the port does not show up when I do "sh port-sec"

shown is the config and log, this config should allow dynamic addresses, but the workstation is violating and shutting down the port:

interface FastEthernet3/34

description Network_Eng PC


switchport access vlan 40

switchport mode access

switchport voice vlan 250

switchport port security

switchport port-security maximum 3

switchport port-security aging time 5

switchport port-security aging type inactivity

switchport port-security mac-address sticky

no ip address

wrr-queue cos-map 1 1 1

wrr-queue cos-map 1 2 0

wrr-queue cos-map 2 1 2 3 4 6 7

wrr-queue cos-map 2 2 5

mls qos trust cos

spanning-tree portfast

Nov 4 09:18:32.010: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation

ccurred, caused by MAC address 0018.1234.4567 on port FastEthernet3/34.

Nov 4 09:18:32.010: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on

a3/34, putting Fa3/34 in err-disable state

Nov 4 09:18:41.498: %C6K_POWER-SP-4-PD_NOLINKUP: The device connected to 3/34

s powered up but its link is not up in 5 seconds. Therefore, power is withdrawn

from the port.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
balajitvk Sun, 11/04/2007 - 08:12


Just check your show running & Show startup config whether any mac-address got sticked. Sticky option used to dynamically map the mac-address to the port and make entry on the running cofiguration and will be saved to start-up configuration whenever wr/copy run start is given

The enabling the port security feature with sticky option is not recommended on ports where voice vlan is enabled.

Rate if it does,


royalblues Sun, 11/04/2007 - 08:40

Try rsetting the port to the default configuration before allplying any changes in terms of port security

(config)#default interface

After this apply the port security configs



wilson_1234_2 Sun, 11/04/2007 - 08:57


I have removed the security components completly and the port works fine.

I have done this several time to verify that everything is removed.

The command you have will put the port to the original config?

royalblues Sun, 11/04/2007 - 09:08

yes the above command resets the port to the factory defaults.

I have had similar problems in the past and hence i always issue the above command before doing any configuration chnage involving port security



wilson_1234_2 Sun, 11/04/2007 - 09:20

As always thanks.

I have a question relating to port security:

When an IP Phone boots, it (mac address)first comes up in the data VLAN,

Then I see it (mac address)in the Voice vlan.

Why is it in the data vlan first?

royalblues Sun, 11/04/2007 - 21:56

You talking about Cisco IP phone or Avaya /Nortel?

In case of cisco, the IP phone gets the voice vlan details due to CDP neighbor exchange.

As Avaya & nortel do not support CDP, they come up in the data vlan and the options mentioned in the DHCP scope tells the phone to request an ip in voice vlan



wilson_1234_2 Mon, 11/05/2007 - 10:40

This is a Cisco 7970 phone.

I can see the mac show up in the Data vlan, then in the voice vlan.

The phone holds two mac entries when configuring port security.


This Discussion