Port-security issue on 4948 - cannot clear "secure-down" port status

Unanswered Question
Mar 29th, 2009

I have a problem on a port on my 4948.

It has the following configuration:

switchport access vlan 250
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security violation restrict
speed auto 10 100
spanning-tree portfast
spanning-tree bpduguard enable

port security as follows:

switch4948#show port-security int gi 1/17
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

It currently has no device connected on the port.

I have disabled and re-enabled port security on the port, shut and no shut the port, as well as running

"clear port-security dynamic interface gigabitEthernet 1/17"

Nothing seems to be able to clear the Port Status : Secure-down.

IOS is cat4500-ipbasek9-mz.122-40.SG.bin

Any help is appreciated.

drolemc Fri, 04/03/2009 - 14:48

Use the following CLI commands to troubleshoot port security issues.

• show port-security status
• show port-security database vsan
• show port-security database active vsan
• show port-security violations

cmanager Sun, 04/05/2009 - 16:43

Those commands don't exist on this IOS. I only have:

show port-security ?
  address    Show secure address
  interface  Show secure interface
  |          Output modifiers

Show port-security:

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/1              3            0                0         Restrict
      Gi1/2              3            0                0         Restrict
      Gi1/3              3            1                0         Restrict
      Gi1/4              3            0                0         Restrict
      Gi1/5              3            1                0         Restrict
      Gi1/6              3            1                0         Restrict
      Gi1/7              3            0                0         Restrict
      Gi1/8              3            0                0         Restrict
      Gi1/9              3            0                0         Restrict
     Gi1/10              3            1                0         Restrict
     Gi1/11              3            0                0         Restrict
     Gi1/12              3            1                0         Restrict
     Gi1/13              3            1                0         Restrict
     Gi1/14              3            0                0         Restrict
     Gi1/15              3            0                0         Restrict
     Gi1/16              3            1                0         Restrict
     Gi1/17              3            0                0         Restrict

The show port-security int gi 1/17 output is in the first post.

cmanager Thu, 04/16/2009 - 16:00

Is there any way to do this without reloading the switch? The environment is such that the switch cannot be reloaded.

johnlloyd_13 Mon, 04/27/2009 - 20:06

Try to disable and re-enable port-security on int gi 1/17:

int gi 1/17
no switchport port-security
int gi 1/17
switchport port-security

davy.timmermans Mon, 04/27/2009 - 22:44

In addition to what John said, try the command:

default interface gig1/17

and then reconfigure the port and check if the problem re-occurs.

davy.timmermans Mon, 04/27/2009 - 22:48

Maybe it's normal behavior.

It says secure-down, not secure-shutdown: down because the port is down.

What happens if you connect a device to it?

edit:

My thoughts are confirmed by this link:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml

Link explanation

If you check the default settings of the port (when nothing is connected and no port-security is configured):

Cat3750#show port-security interface fastEthernet 1/0/2
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

cmanager Tue, 04/28/2009 - 17:48

You're correct, Davy, thank you.

However, my question now is as follows:

Given that

show port-security int gi 1/17
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

How come plugging a device (1 MAC) into this port immediately causes a violation, when plugging the same device into the next port there is no problem?

show port-security int gi 1/18
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0020.aa0f.6458:250
Security Violation Count : 0

davy.timmermans Tue, 04/28/2009 - 22:22

Thus if you connect the PC first to G1/18 and then to G1/17 you have a violation?

Are you directly connected via G1/18 or via a phone? (Not according to your output, but maybe it's given just as an example.)

In the output above the security violation count is 0 for G1/17, and no MAC address has been seen yet. Are you sure the port comes up? Maybe you have a cable problem. Even if you cause a violation, the port should come up.

Hope to help you.

Please rate any posts that were helpful ;-)

cmanager Thu, 04/30/2009 - 21:00

Correct. The server gets plugged straight into the switch and only 1 MAC is entered in the table. The ports have identical configurations and I have used the same cable infrastructure.

I initially plugged into gi1/17 (previously unused), but when it had this bizarre port-security problem I moved to gi1/18 and it worked perfectly. If I plug another device into gi1/17 it works, but if I plug the server on 1/18 into 1/17 it stops working.

I give up!

devavratoka Sun, 05/15/2011 - 10:22

Administer a manual 'shut' followed by a 'no shut'. Do this once you remove port-security from the interface ('no port-sec').

Oxymoron42 Thu, 08/08/2013 - 23:52

If anyone still cares... I believe that you have just been "Cisco"ed.

I tried to make my port fail to test port security by plugging in my laptop where I had something else plugged in before. It failed, I removed the laptop. Did the whole clearing procedure "no sw port", "shut", "no shut", "clear port-security sticky int fa0/12", etc, etc. It still showed secure-down. When I enabled "sw port", it showed up in "sho port-security" as a failure. I disabled port security then reconnected the original cable, but left port security off because I was afraid it would lock the port since it still showed secure-down.

Later I saved my running config to a temp file so I wasn't saving all the port security crap and reloaded the switch. Still showed secure-down.

Then got the idea to put the laptop MAC in "sw port mac", "sw port", plugged in the laptop and it came up "secure-up" (may have plugged the laptop in first, don't remember or care anymore). Cleared the port out and put sticky back with the original cable and enabled. Works fine.

If there is nothing plugged into the port or if port security is disabled it will show secure-down.
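The two points the thread settles on, Davy's "secure-down just means link down" and Oxymoron42's note that a port shows secure-down whenever nothing is plugged in or port-security is off, are easy to script so nobody chases a phantom lockout again. The following Python is an added example, not Cisco tooling and not code from anyone in this thread. It parses `show port-security interface` output, maps "Secure-down" / "Secure-up" / "Secure-shutdown" onto what an operator actually has to do, and adds one cross-port check that matches cmanager's symptom: Cisco counts it as a violation when a MAC already secured on one port is seen on another secure port in the same VLAN, so a server that is happy on Gi1/18 trips Gi1/17. The samples are constructed: Gi1/18 reproduces the thread's output, Gi1/17 is the thread's output with its last-seen MAC and violation count hypothetically set as if the server had been moved onto it, and Gi1/19 (link down) and Gi1/20 (a tripped shutdown port) are invented for contrast. The duplicate check only uses each port's "Last Source Address:Vlan"; a full check on a real switch would read `show port-security address` instead.

```python
"""Classify Cisco 'show port-security interface' output (added example).

Secure-down   : link down, or port-security disabled; nothing to clear.
Secure-up     : link up; a non-zero violation count with 'restrict' or
                'protect' means offending frames are being dropped.
Secure-shutdown: the port was err-disabled by a 'violation shutdown';
                this is the only state that needs shut/no shut (or
                errdisable recovery) to clear.
"""
import re
from collections import defaultdict

# Constructed samples (see lead-in). Only the fields the checks use are kept.
SHOW_INT = {
    "Gi1/17": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Last Source Address:Vlan   : 0020.aa0f.6458:250
Security Violation Count   : 1
""",
    "Gi1/18": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0020.aa0f.6458:250
Security Violation Count   : 0
""",
    "Gi1/19": """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
""",
    "Gi1/20": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0011.2233.4455:250
Security Violation Count   : 1
""",
}

# Split only on a colon surrounded by whitespace: the key
# 'Last Source Address:Vlan' and the value 'mac:vlan' both contain bare colons.
FIELD_RE = re.compile(r"^\s*(.*?)\s+:\s+(.*?)\s*$")


def parse_interface(text):
    """Turn the 'Key : Value' lines of one interface's output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify(fields):
    """Map the port-security state onto the operator action it calls for."""
    status = fields.get("Port Status", "").lower()
    violations = int(fields.get("Security Violation Count", "0"))
    if status == "secure-shutdown":
        return "errdisabled"          # real lockout: shut/no shut or errdisable recovery
    if status == "secure-down":
        return "link-down"            # no cable or port-security off; nothing to clear
    if status == "secure-up" and violations > 0:
        return "up-with-violations"   # restrict/protect is dropping frames; find the MAC
    if status == "secure-up":
        return "up-ok"
    return "unknown"


def duplicate_macs(outputs):
    """Return {(mac, vlan): [ports]} for a MAC seen on more than one secure
    port in the same VLAN; the second port will count it as a violation."""
    seen = defaultdict(list)
    for port, text in outputs.items():
        last = parse_interface(text).get("Last Source Address:Vlan", "")
        mac, _, vlan = last.rpartition(":")
        if mac and mac != "0000.0000.0000":   # all-zero means nothing seen yet
            seen[(mac, vlan)].append(port)
    return {key: ports for key, ports in seen.items() if len(ports) > 1}


def report(outputs):
    """Verdict per port, keyed by interface name."""
    return {port: classify(parse_interface(text)) for port, text in outputs.items()}


if __name__ == "__main__":
    for port, verdict in report(SHOW_INT).items():
        print(f"{port}: {verdict}")
    for (mac, vlan), ports in duplicate_macs(SHOW_INT).items():
        print(f"{mac} in vlan {vlan} seen on {', '.join(ports)}: "
              "the second port treats it as a violation")
```

Run against the constructed samples it reports Gi1/19 as plain link-down (the thread's original "problem"), Gi1/20 as the one port that genuinely needs clearing, and flags 0020.aa0f.6458 in VLAN 250 on both Gi1/17 and Gi1/18, which is the condition to look for when one server works on a port and not on its neighbour.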

Posted March 29, 2009 at 8:26 PM