cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
618
Views
0
Helpful
7
Replies

port-security not working as desired on 2950

jandebruyn1976
Level 1
Level 1

I've an environment without VoIP.

This is the reason why max MAC is 1 everywhere. Aging is not required because a user disconnection means a flush of the MAC.

I want some ports to have a static secure MAC address. If another user connects to this port, the port has to stay up but the packets should be dropped.> restricted mode

user ports following configuration

switchport mode access

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

end

special ports:

switchport nonegotiate

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address aaaa.bbbb.cccc

When I connect my pc the test MAC appears in the mac static table

Vlan Mac Address Type Ports

---- ----------- -------- -----

All 0015.62a2.fcc0 STATIC CPU

All 0100.0ccc.cccc STATIC CPU

All 0100.0ccc.cccd STATIC CPU

All 0100.0cdd.dddd STATIC CPU

50 aaaa.bbbb.cccc STATIC Fa0/3

When I disconnect, the last entry disappears

Very strange...

show port-security interface fas0/3

Port Security : Enabled

Port Status : Secure-down

Violation Mode : Restrict

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 1

Sticky MAC Addresses : 0

Last Source Address : 0021.709f.59b4

Security Violation Count : 350

>> security violation count increments.

But when connected I'm still able to ping the SVI ????? My laptop violates but is still able to ping> packets are not dropped??

show logging

b4 on port FastEthernet0/3.

000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

000049: *Mar 1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

000050: *Mar 1 01:07:45.015 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

How can I avoid that when another device than the configured MAC is able to ping?

7 Replies 7

Davy Ad
Level 1
Level 1

Hi Jan ,

I think your Special port don't have MAX Mac configured and no , that is one of the reason .

HTH

DAK

Hi,

Yes I did

it doesn't show up because it's default

see also the output

Maximum MAC Addresses : 1

Could you please try to configured the Aging ,may be it could has effect on it?

I know you intentionally don't want to enable it.

Not applicable

problem solved:

configuration was ok ;)

I added another switch and configured there a SVI and then the result was satifying:

ping -t from my laptop

Request time-out

If I remove the static secure MAC

reply

If I wanted to add the secure MAC again :

Error, max MAC already reached

If I disconnected my laptop I was back able to add the secure MAC.

I had to ping a hop further

Hello ,

Please i would like to know what went wrong then.

Thanks

My setup

Laptop---------switch 10.0.0.2

10.0.0.1

ping -t 10.0.0.2

reply

Laptop----switch10.0.0.2-------switch10.0.03

ping -t 10.0.0.3

time-out

time-out

time-out

time-out

time-out

...

time-out

When I removed the secure mac from my port I received replies from 10.0.0.3

I did a continious ping

Probably packets sourced from another MAC are dropped when leaving the switch?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: