port-security issue

Answered Question
May 6th, 2008

I have a 2960 @ a remote site. I set the port-security as shown here (all interfaces are set the same except for the uplink):


interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast



but when I

"show port-security interface fastEthernet 0/5"


I get output stating that port security is disabled


Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0



A "show ip interface brief" shows this port as up/up.


any ideas?

0r8it Tue, 05/06/2008 - 07:24

Hi,


Shouldn't you also specify a violation action to get this to work? I.e.:

interface FastEthernet0/5
 switchport port-security maximum 2
 switchport port-security violation shutdown


Try that, see what happens-


Gary



sdaniels44 Tue, 05/06/2008 - 07:30

If I issue that command nothing shows up in the running config. I believe that shutdown is the default action. If I set the action to restrict, it does show up in the config, but still shows as disabled when a show port-security interface f0/5 is done.

0r8it Tue, 05/06/2008 - 07:41

Hmmm...I'll try this on a switch as soon as I can, get back to you.


Is it learning MAC addresses? Can you try and trip the violation?


Gary

sdaniels44 Tue, 05/06/2008 - 07:44

It does not look like it's learning addresses; a "show port-security" gives the following output:


Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192



unfortunately I cannot test it because this is a live production switch in a different state.

Edison Ortiz Tue, 05/06/2008 - 07:45

I don't see the command


switchport port-security


on that interface. You need that command in order to enable that service.

switchport port-security maximum 2 alone won't do it.


HTH,


__


Edison.

sdaniels44 Tue, 05/06/2008 - 07:48

When I try to issue the command

"switchport port-security" alone I get the following output:


Command rejected: FastEthernet0/1 is a dynamic port.

Edison Ortiz Tue, 05/06/2008 - 07:51

Type the command:


switchport mode access


HTH,


__


Edison.

sdaniels44 Tue, 05/06/2008 - 07:55

I see, my understanding of "switchport mode access" is that this will allow the interface access to VLAN 1 (please educate me if I'm wrong). I am using 100 for data and 200 for voice. Will it cause a problem to issue that command in this scenario?

Correct Answer
Edison Ortiz Tue, 05/06/2008 - 08:38

The command will change the port status from dynamic to static access.


The Access Vlan does not necessarily place the switchport in Vlan 1. If you have a Vlan membership in the switchport, it will use that Vlan.


HTH,


__


Edison.
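As an added example (not code from this thread, and not Cisco's), here is a small Python audit that reads a "show running-config" dump and reports the two problems Edison diagnoses above: port-security sub-commands present without the bare "switchport port-security" line (so the feature stays Disabled and learns nothing), and a port still in dynamic mode, where IOS rejects "switchport port-security" until "switchport mode access" is set. It also treats a missing "violation" line as the shutdown default, which is why Gary's command never appeared in the running config. The sample config, interface names and the rule that a port with a voice VLAN needs a maximum of at least 2 (one address for the phone, one for the PC) are assumptions made for the example.

```python
"""Audit port-security on Cisco IOS access ports from a 'show running-config' dump.

Constructed sample: Fa0/5 mirrors the thread's interface (options set, feature never
enabled, still a dynamic port); Fa0/6 is the same port configured correctly.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_CONFIG = """\
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
 mls qos trust device cisco-phone
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport voice vlan 200
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


@dataclass
class PortSec:
    name: str
    mode: Optional[str] = None   # None = dynamic: no 'switchport mode' line in the block
    access_vlan: Optional[int] = None
    voice_vlan: Optional[int] = None
    enabled: bool = False        # the bare 'switchport port-security' line
    has_options: bool = False    # any 'switchport port-security <option>' line
    maximum: int = 1             # IOS default when no maximum line is present
    violation: str = "shutdown"  # IOS default; defaults are not shown in running-config
    sticky: bool = False


def parse_interfaces(config: str) -> List[PortSec]:
    """Split the config into interface blocks and extract the lines that matter here."""
    ports: List[PortSec] = []
    current: Optional[PortSec] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = PortSec(name=line.split(None, 1)[1])
            ports.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any top-level command closes the block
            continue
        cmd = line.strip()
        m = re.fullmatch(r"switchport mode (\S+)", cmd)
        if m:
            current.mode = m.group(1)
            continue
        m = re.fullmatch(r"switchport (access|voice) vlan (\d+)", cmd)
        if m:
            setattr(current, f"{m.group(1)}_vlan", int(m.group(2)))
            continue
        if cmd == "switchport port-security":
            current.enabled = True
        elif cmd.startswith("switchport port-security "):
            current.has_options = True
            rest = cmd[len("switchport port-security "):]
            m = re.fullmatch(r"maximum (\d+)", rest)
            if m:
                current.maximum = int(m.group(1))
            m = re.fullmatch(r"violation (protect|restrict|shutdown)", rest)
            if m:
                current.violation = m.group(1)
            if rest == "mac-address sticky":
                current.sticky = True
    return ports


def audit(ports: List[PortSec]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for ports that are meant to be secured."""
    findings: List[Tuple[str, str]] = []
    for p in ports:
        if not (p.enabled or p.has_options):
            continue  # uplinks and unsecured ports are out of scope for this check
        if p.mode is None:
            findings.append((p.name, "dynamic port: 'switchport port-security' is rejected "
                                     "until 'switchport mode access' is configured"))
        if not p.enabled:
            findings.append((p.name, "port-security options set but feature not enabled: "
                                     "'show port-security interface' reports Disabled"))
        # Assumption: with a voice VLAN the phone and the PC each need a secure address.
        if p.enabled and p.voice_vlan is not None and p.maximum < 2:
            findings.append((p.name, f"voice VLAN {p.voice_vlan} but maximum is {p.maximum}; "
                                     "phone and PC cannot both be learned"))
    return findings


if __name__ == "__main__":
    for name, msg in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {msg}")
```

Run against a real dump (paste the output of "show running-config" into SAMPLE_CONFIG or read it from a file); FastEthernet0/5 produces both findings, FastEthernet0/6 and the trunk uplink produce none.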
