Port Security

Unanswered Question
Nov 30th, 2007

I saw a problem yesterday that I need an answer for.

Port security was placed on a switch in my office, and my DHCP server was not giving out any more IP addresses. I had a bunch of computers that could not access the network.

I had a bunch of ports that were in a shutdown state, so when I went to clear port security on the port it did clear, but within a few minutes the port went into a shutdown state again.

If a computer was not getting an IP address, will the port go into a shutdown state?

Are the two things related?


srue Fri, 11/30/2007 - 06:15

What kind of port security? Do you have the config? Was DHCP snooping enabled?

ctopkelly Fri, 11/30/2007 - 06:27

Just regular port security. I can't post the config.

How would you tell if DHCP snooping was enabled?

jeremyault Fri, 11/30/2007 - 08:23

To answer your question -- NO. Not getting an IP address will not cause the port to shut down.

The port security feature is used to limit access either to a specific MAC address or to a specific maximum number of MAC addresses.

If the preset maximum number has been exceeded -- or the MAC address is not a member of the secure addresses you specify -- a security violation is noted and the configured action is taken (protect, restrict, or shutdown). The default is to shut down the port -- and that's the problem you are seeing.

Now for an example. The following configuration will look at the source MAC address of the first frame that comes in on the port and start the timer for 1 minute (each subsequent frame from that MAC restarts the timer). If any frames enter the port from any other MAC within the 1 minute time period, the port will be shut down.

switchport port-security
switchport port-security maximum 1
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security violation shutdown

Some suggestions. First, set the violation to protect, which will not shut the port but will simply discard traffic from the disallowed MAC address.

Second, if you know the device connected to the port, you can specify its MAC address using the "switchport port-security mac-address XXXXXXXX" command. Or, if you don't know what the MAC is but want to permanently allow only the first MAC that enters the port, use the "switchport port-security mac-address sticky" command with the violation set to restrict.

Does that help?
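
The behaviour described in the answer above (maximum 1, one-minute inactivity aging, and the three violation actions) can be traced through with a small model. This is an added illustration written for this thread, not Cisco code and not the poster's configuration; the Port class, its method names and the timestamps and MAC addresses are all constructed. It shows why a host that never sends a frame (for example one that got no DHCP lease) cannot trigger a violation, while a second MAC appearing inside the aging window does, and how each violation mode treats that second MAC.

```python
"""Toy model of IOS port-security violation handling (added example, not
Cisco's implementation). Mirrors the thread's config: maximum 1, aging time
1 minute of inactivity, violation protect | restrict | shutdown."""

from dataclasses import dataclass, field


@dataclass
class Port:
    maximum: int = 1                 # switchport port-security maximum 1
    aging_seconds: int = 60          # switchport port-security aging time 1 (minutes)
    violation: str = "shutdown"      # switchport port-security violation <mode>
    secure: dict = field(default_factory=dict)   # learned MAC -> last-seen time (s)
    violations: int = 0              # violation counter (what 'restrict' logs)
    err_disabled: bool = False       # True once 'shutdown' has err-disabled the port

    def _age_out(self, now: int) -> None:
        # Inactivity aging: a secure MAC silent for >= aging_seconds is forgotten.
        expired = [m for m, t in self.secure.items() if now - t >= self.aging_seconds]
        for m in expired:
            del self.secure[m]

    def receive(self, mac: str, now: int) -> str:
        """Handle one inbound frame; returns 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "drop"            # port stays down until an admin clears it
        self._age_out(now)
        if mac in self.secure:
            self.secure[mac] = now   # traffic from a secure MAC restarts its timer
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = now   # room left: learn it as a secure address
            return "forward"
        # A MAC beyond the maximum is a security violation.
        if self.violation == "protect":
            return "drop"            # silently discarded, nothing counted or logged
        self.violations += 1         # restrict and shutdown both count and log it
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True     # shutdown: the whole port goes err-disabled
        return "err-disable"


def scenario(violation: str):
    """Two hosts share one port within the aging window (constructed timeline)."""
    port = Port(violation=violation)
    log = [
        ("host-a", port.receive("0011.2233.aaaa", now=0)),    # learned as the secure MAC
        ("host-a", port.receive("0011.2233.aaaa", now=30)),   # restarts the 60 s timer
        ("host-b", port.receive("0011.2233.bbbb", now=45)),   # second MAC: violation
        ("host-a", port.receive("0011.2233.aaaa", now=50)),   # allowed unless port is down
    ]
    return log, port


def aging_scenario():
    """After 60 s of silence the first MAC ages out, so a new MAC is simply learned."""
    port = Port(violation="shutdown")
    port.receive("0011.2233.aaaa", now=0)
    return port.receive("0011.2233.bbbb", now=61), sorted(port.secure)


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        log, port = scenario(mode)
        print(mode, log, "violations:", port.violations, "err-disabled:", port.err_disabled)
    print("aging:", aging_scenario())
```

The model makes the thread's point concrete: nothing in it reacts to a host that sends no frames, so a missing DHCP lease on its own never changes port state; what shuts the port is a second source MAC arriving while the first is still secure. On a real switch the same information is in "show port-security interface <if>" (violation count, last source address) and in the "%PORT_SECURITY-2-PSECURE_VIOLATION" syslog line, and "errdisable recovery cause psecure-violation" lets the port come back automatically instead of needing a manual shutdown/no shutdown.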

