11-04-2007 05:44 AM - edited 03-03-2019 05:39 AM
I am experimenting with port security.
I have configured a particular port several different ways. I have removed and added security several times.
I have a workstation and phone on this port.
Now when I try to put the config back to the original security config, I keep getting violations and the port shuts down.
The violation is occurring from the workstation on the port that has always been there.
I can only get the port to come up when I remove the security components.
I have tried dynamic, sticky and statically adding the MAC address. When I add the address statically I get "duplicate address found".
Is it possible that the port is retaining some security components even though I have removed them?
When I remove the components, the port does not show up when I do "sh port-sec"
Shown is the config and log. This config should allow dynamic addresses, but the workstation is violating and shutting down the port:
interface FastEthernet3/34
description Network_Eng PC
switchport
switchport access vlan 40
switchport mode access
switchport voice vlan 250
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security mac-address sticky
no ip address
wrr-queue cos-map 1 1 1
wrr-queue cos-map 1 2 0
wrr-queue cos-map 2 1 2 3 4 6 7
wrr-queue cos-map 2 2 5
mls qos trust cos
spanning-tree portfast
Nov 4 09:18:32.010: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1234.4567 on port FastEthernet3/34.
Nov 4 09:18:32.010: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa3/34, putting Fa3/34 in err-disable state
Nov 4 09:18:41.498: %C6K_POWER-SP-4-PD_NOLINKUP: The device connected to 3/34 is powered up but its link is not up in 5 seconds. Therefore, power is withdrawn from the port.
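The log pattern in the post above, as an added example that is not part of the original thread: a Python sketch that pairs each PSECURE_VIOLATION message with the ERR_DISABLE message that follows it on the same port, so the offending MAC and the resulting port state can be read per port. The sample lines are constructed in the format quoted above; the function names and the 5-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the message format quoted in the post.
SAMPLE_LOG = """\
Nov 4 09:18:32.010: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1234.4567 on port FastEthernet3/34.
Nov 4 09:18:32.010: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa3/34, putting Fa3/34 in err-disable state
Nov 4 09:18:41.498: %C6K_POWER-SP-4-PD_NOLINKUP: The device connected to 3/34 is powered up but its link is not up in 5 seconds.
Nov 4 09:25:10.200: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.aaaa.bbbb on port FastEthernet3/35.
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
# The "-SP-" infix is optional so the same patterns fit messages without it.
VIOLATION = re.compile(
    STAMP + r"%PORT_SECURITY-(?:[A-Z]+-)?\d-PSECURE_VIOLATION: .*?"
    r"MAC address (?P<mac>[0-9a-fA-F.]{14}) on port (?P<port>\S+?)\.?$")
ERRDISABLE = re.compile(
    STAMP + r"%PM-(?:[A-Z]+-)?\d-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+?),")

def short_port(name):
    """Normalise 'FastEthernet3/34' and 'Fa3/34' to the same key."""
    m = re.fullmatch(r"([A-Za-z]+)([\d/.:]+)", name)
    return (m.group(1)[:2].capitalize() + m.group(2)) if m else name

def parse_ts(ts):
    # These stamps carry no year; a fixed one is added so they can be compared.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")

def correlate(log_text, window=timedelta(seconds=5)):
    """Return one record per violation: port, MAC, time, and whether err-disable followed."""
    events, pending = [], {}
    for line in log_text.splitlines():
        if m := VIOLATION.search(line):
            rec = {"port": short_port(m["port"]), "mac": m["mac"].lower(),
                   "time": parse_ts(m["ts"]), "err_disabled": False}
            events.append(rec)
            pending[rec["port"]] = rec  # latest violation seen on this port
        elif m := ERRDISABLE.search(line):
            rec = pending.get(short_port(m["port"]))
            if rec and parse_ts(m["ts"]) - rec["time"] <= window:
                rec["err_disabled"] = True
    return events

if __name__ == "__main__":
    for e in correlate(SAMPLE_LOG):
        state = "err-disabled" if e["err_disabled"] else "no err-disable logged"
        print(f'{e["port"]}: violation by {e["mac"]} -> {state}')
```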
11-04-2007 08:12 AM
Hi,
Just check your show running and show startup config to see whether any MAC address got stuck. The sticky option is used to dynamically map the MAC address to the port; it makes an entry in the running configuration, which will be saved to the startup configuration whenever wr/copy run start is given.
Enabling the port security feature with the sticky option is not recommended on ports where voice VLAN is enabled.
Rate if it does,
Rgs,
11-04-2007 08:40 AM
Try resetting the port to the default configuration before applying any changes in terms of port security.
(config)#default interface
After this apply the port security configs
HTH
Narayan
11-04-2007 08:57 AM
Thanks,
I have removed the security components completely and the port works fine.
I have done this several times to verify that everything is removed.
The command you have will put the port to the original config?
11-04-2007 09:08 AM
Yes, the above command resets the port to the factory defaults.
I have had similar problems in the past and hence I always issue the above command before doing any configuration change involving port security.
HTH
Narayan
11-04-2007 09:20 AM
As always thanks.
I have a question relating to port security:
When an IP phone boots, it (MAC address) first comes up in the data VLAN,
then I see it (MAC address) in the voice VLAN.
Why is it in the data VLAN first?
11-04-2007 09:56 PM
Are you talking about a Cisco IP phone or Avaya/Nortel?
In the case of Cisco, the IP phone gets the voice VLAN details through the CDP neighbor exchange.
As Avaya and Nortel do not support CDP, they come up in the data VLAN, and the options mentioned in the DHCP scope tell the phone to request an IP in the voice VLAN.
HTH
Narayan
11-05-2007 10:40 AM
This is a Cisco 7970 phone.
I can see the MAC show up in the data VLAN, then in the voice VLAN.
The phone holds two MAC entries when configuring port security.