2065 Views · 0 Helpful · 10 Replies

port-security issue

sdaniels44 (Level 1)

I have a 2960 at a remote site. I set the port-security as shown here (all interfaces are set the same except for the uplink):

interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast

but when I run

show port-security interface fastEthernet 0/5

I get output stating that port security is disabled:

Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

A "show ip interface brief" shows this port as up/up.

Any ideas?

1 Accepted Solution (Edison Ortiz's reply below)

10 Replies

0r8it (Level 1)

Hi,

Shouldn't you also specify a violation action to get this to work? I.e.:

interface FastEthernet0/5
 switchport port-security maximum 2
 switchport port-security violation shutdown

Try that and see what happens.

Gary

If I issue that command nothing shows up in the running config. I believe that shutdown is the default action. If I set the action to restrict, it does show up in the config, but still shows as disabled when a show port-security interface f0/5 is done.

Hmmm...I'll try this on a switch as soon as I can, get back to you.

Is it learning MAC addresses? Can you try and trip the violation?

Gary

It does not look like it's learning addresses; a "show port-security" gives the following output:

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)       (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192

Unfortunately I cannot test it because this is a live production switch in a different state.

Edison Ortiz (Hall of Fame)

I don't see the command

switchport port-security

on that interface. You need that command in order to enable that service.

switchport port-security maximum 2 alone won't do it.

HTH,

__

Edison.

When I try to issue the command "switchport port-security" alone I get the following output:

Command rejected: FastEthernet0/1 is a dynamic port.

Type the command:

switchport mode access

HTH,

__

Edison.

I see. My understanding of "switchport mode access" is that this will give the interface access to VLAN 1 (please educate me if I'm wrong); I am using 100 for data and 200 for voice. Will it cause a problem to issue that command in this scenario?

The command will change the port status from dynamic to static access.

The Access Vlan does not necessarily place the switchport in Vlan 1. If you have a Vlan membership in the switchport, it will use that Vlan.

HTH,

__

Edison.

This did the trick. Thanks for your help.
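The root cause in this thread is a running-config that sets port-security parameters (maximum 2) without ever enabling the feature, on a port still in dynamic (DTP) mode. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a 2960-style running-config text and flags access-side interfaces that would show "Port Security : Disabled" for either of those reasons. The sample config is constructed here: FastEthernet0/5 mirrors the original post, FastEthernet0/6 is the same port with the fix Edison described, and GigabitEthernet0/1 stands in for the trunk uplink. The interface names and the "switchport mode trunk" skip rule are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not captured from the thread's switch).
# Fa0/5: maximum set, but no "switchport mode access" and no
#        "switchport port-security"  -> port-security stays Disabled.
# Fa0/6: corrected version of the same port.
# Gi0/1: trunk uplink, not a port-security candidate here.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented config lines under it]}.

    An 'interface X' line opens a block; indented lines belong to it;
    '!' or any non-indented line closes it.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if re.match(r"^interface\s+\S+", line):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_port_security(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for ports whose port-security
    configuration is incomplete in the ways seen in the thread."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        cmds = set(lines)
        if "switchport mode trunk" in cmds:
            continue  # assumption: trunk uplinks are out of scope
        # Parameter lines ("... maximum 2", "... violation restrict") carry
        # a trailing argument; the bare enable command has none.
        has_params = any(l.startswith("switchport port-security ") for l in lines)
        enabled = "switchport port-security" in cmds
        static_access = "switchport mode access" in cmds
        problems = []
        if has_params and not enabled:
            problems.append("port-security parameters set but feature not "
                            "enabled (missing 'switchport port-security')")
        if (has_params or enabled) and not static_access:
            problems.append("port is dynamic (no 'switchport mode access'); "
                            "'switchport port-security' would be rejected")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for intf, problems in audit_port_security(SAMPLE_CONFIG).items():
        for p in problems:
            print(f"{intf}: {p}")
```

Run against a saved "show running-config", the script lists only FastEthernet0/5 with both findings; FastEthernet0/6 passes because it carries both "switchport mode access" and the bare "switchport port-security" line, which is exactly the pair the thread converged on.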
