Port Security problem

wilson_1234_2 · ‎11-04-2007

I am experimenting with port security.

I have configured a particular port secveral different ways. I have removed and added security several times.

I have a workstation and phone on this port.

Now when I try to put the config back to the original security config, I keep getting violations and the port shuts down.

The violation is occuring from the workstation on the port that has always been there.

I can only get the port to come up when I remove the security components.

I have tried dynamic, sticky and statically adding the mac address. When I add the address statically I get "duplicate address found"

Is it possible that the port is retaining some security components even though I have removed them?

When I remove the components, the port does not show up when I do "sh port-sec"

shown is the config and log, this config should allow dynamic addresses, but the workstation is violating and shutting down the port:

interface FastEthernet3/34

description Network_Eng PC

switchport

switchport access vlan 40

switchport mode access

switchport voice vlan 250

switchport port security

switchport port-security maximum 3

switchport port-security aging time 5

switchport port-security aging type inactivity

switchport port-security mac-address sticky

no ip address

wrr-queue cos-map 1 1 1

wrr-queue cos-map 1 2 0

wrr-queue cos-map 2 1 2 3 4 6 7

wrr-queue cos-map 2 2 5

mls qos trust cos

spanning-tree portfast

Nov 4 09:18:32.010: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation

ccurred, caused by MAC address 0018.1234.4567 on port FastEthernet3/34.

Nov 4 09:18:32.010: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on

a3/34, putting Fa3/34 in err-disable state

Nov 4 09:18:41.498: %C6K_POWER-SP-4-PD_NOLINKUP: The device connected to 3/34

s powered up but its link is not up in 5 seconds. Therefore, power is withdrawn

from the port.

balajitvk · ‎11-04-2007

Hi,

Just check your show running & Show startup config whether any mac-address got sticked. Sticky option used to dynamically map the mac-address to the port and make entry on the running cofiguration and will be saved to start-up configuration whenever wr/copy run start is given

The enabling the port security feature with sticky option is not recommended on ports where voice vlan is enabled.

Rate if it does,

Rgs,

royalblues · ‎11-04-2007

Try rsetting the port to the default configuration before allplying any changes in terms of port security

(config)#default interface

After this apply the port security configs

HTH

Narayan

wilson_1234_2 · ‎11-04-2007

Thanks,

I have removed the security components completly and the port works fine.

I have done this several time to verify that everything is removed.

The command you have will put the port to the original config?

royalblues · ‎11-04-2007

yes the above command resets the port to the factory defaults.

I have had similar problems in the past and hence i always issue the above command before doing any configuration chnage involving port security

HTH

Narayan

wilson_1234_2 · ‎11-04-2007

As always thanks.

I have a question relating to port security:

When an IP Phone boots, it (mac address)first comes up in the data VLAN,

Then I see it (mac address)in the Voice vlan.

Why is it in the data vlan first?

royalblues · ‎11-04-2007

You talking about Cisco IP phone or Avaya /Nortel?

In case of cisco, the IP phone gets the voice vlan details due to CDP neighbor exchange.

As Avaya & nortel do not support CDP, they come up in the data vlan and the options mentioned in the DHCP scope tells the phone to request an ip in voice vlan

HTH

Narayan

wilson_1234_2 · ‎11-05-2007

This is a Cisco 7970 phone.

I can see the mac show up in the Data vlan, then in the voice vlan.

The phone holds two mac entries when configuring port security.