port-security issue

Answered Question
May 6th, 2008

I have a 2960 @ a remote site. I set the port-security as shown here (all interfaces are set the same except for the uplink):


interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast



But when I run "show port-security interface fastEthernet 0/5", I get output stating that port security is disabled:


Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0



A "show ip interface brief" shows this port as up/up.


Any ideas?


0r8it Tue, 05/06/2008 - 07:24

Hi,


Shouldn't you also specify a violation action to get this to work? I.e.:

interface FastEthernet0/5
 switchport port-security maximum 2
 switchport port-security violation shutdown


Try that and see what happens.


Gary



sdaniels44 Tue, 05/06/2008 - 07:30

If I issue that command nothing shows up in the running config. I believe that shutdown is the default action. If I set the action to restrict, it does show up in the config, but still shows as disabled when a show port-security interface f0/5 is done.

0r8it Tue, 05/06/2008 - 07:41

Hmmm... I'll try this on a switch as soon as I can and get back to you.


Is it learning MAC addresses? Can you try and trip the violation?


Gary

sdaniels44 Tue, 05/06/2008 - 07:44

It does not look like it's learning addresses; a show port-security gives the following output:


Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192



Unfortunately I cannot test it because this is a live production switch in a different state.

Edison Ortiz Tue, 05/06/2008 - 07:45

I don't see the command

switchport port-security

on that interface. You need that command in order to enable that service.

switchport port-security maximum 2 alone won't do it.


HTH,


__


Edison.

sdaniels44 Tue, 05/06/2008 - 07:48

When I try to issue the command "switchport port-security" alone I get the following output:

Command rejected: FastEthernet0/1 is a dynamic port.

sdaniels44 Tue, 05/06/2008 - 07:55

I see. My understanding of "switchport mode access" is that this will allow the interface access to vlan 1 (please educate me if I'm wrong). I am using 100 for data and 200 for voice. Will it cause a problem to issue that command in this scenario?

Correct Answer
Edison Ortiz Tue, 05/06/2008 - 08:38

The command will change the port status from dynamic to static access.


The Access Vlan does not necessarily place the switchport in Vlan 1. If you have a Vlan membership in the switchport, it will use that Vlan.


HTH,


__


Edison.
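Edison's two points in this thread (port-security stays Disabled until the bare "switchport port-security" command is entered, and that command is rejected on a dynamic port until "switchport mode access" is set) can be turned into a quick audit of a saved running-config. The following Python is an added example, not code from the thread or from Cisco; the sample config is constructed, with Fa0/5 mirroring the original post.

```python
# Constructed sample running-config (not copied verbatim from the thread): Fa0/5 mirrors
# the original post, Fa0/6 is the corrected form, Fa0/7 enables port-security on a dynamic port.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/7
 switchport port-security
 switchport port-security maximum 2
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return interfaces

def audit_port_security(config):
    """Return {interface: [findings]} for ports whose port-security is not really in effect."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        has_options = any(c.startswith("switchport port-security ") for c in cmds)
        enabled = "switchport port-security" in cmds  # the bare enabling command itself
        static_access = "switchport mode access" in cmds
        problems = []
        if has_options and not enabled:
            problems.append("'switchport port-security' missing: show port-security reports Disabled")
        if enabled and not static_access:
            problems.append("'switchport mode access' missing: IOS rejects port-security on a dynamic port")
        if problems:
            findings[name] = problems
    return findings
```

Running `audit_port_security(SAMPLE_CONFIG)` flags Fa0/5 and Fa0/7 and leaves Fa0/6 clean.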
