Port-security issue on 4948 - cannot clear "secure-down" port status

cmanager
Level 1

I have a problem on a port on my 4948.

It has the following configuration:

 switchport access vlan 250
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 speed auto 10 100
 spanning-tree portfast
 spanning-tree bpduguard enable

Port security status is as follows:

switch4948#show port-security int gi 1/17
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

It currently has no device connected on the port.

I have disabled and re-enabled port security on the port, shut and no shut the port, and also run

"clear port-security dynamic interface gigabitEthernet 1/17"

Nothing seems to be able to clear the "Port Status : Secure-down".

IOS is cat4500-ipbasek9-mz.122-40.SG.bin

Any help is appreciated

12 Replies

drolemc
Level 6

Use the following CLI commands to troubleshoot port security issues.

• show port-security status

• show port-security database vsan

• show port-security database active vsan

• show port-security violations

Those commands don't exist on this IOS. I only have:

show port-security ?
  address    Show secure address
  interface  Show secure interface
  |          Output modifiers

show port-security:

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)        (Count)
---------------------------------------------------------------------------
Gi1/1        3              0            0                  Restrict
Gi1/2        3              0            0                  Restrict
Gi1/3        3              1            0                  Restrict
Gi1/4        3              0            0                  Restrict
Gi1/5        3              1            0                  Restrict
Gi1/6        3              1            0                  Restrict
Gi1/7        3              0            0                  Restrict
Gi1/8        3              0            0                  Restrict
Gi1/9        3              0            0                  Restrict
Gi1/10       3              1            0                  Restrict
Gi1/11       3              0            0                  Restrict
Gi1/12       3              1            0                  Restrict
Gi1/13       3              1            0                  Restrict
Gi1/14       3              0            0                  Restrict
Gi1/15       3              0            0                  Restrict
Gi1/16       3              1            0                  Restrict
Gi1/17       3              0            0                  Restrict

The "show port-security int gi 1/17" output is in the first post.

Is there anyway to do this without reloading the switch? The environment is such that the switch cannot be reloaded.

bump

Try disabling and re-enabling port-security on int gi 1/17:

int gi 1/17
 no switchport port-security
int gi 1/17
 switchport port-security

In addition to what John said, try the command:

default interface gig1/17

and then reconfigure the port and check whether the problem re-occurs.

Maybe it's normal behavior.

It says secure-down, not secure-shutdown: down because the port is down.

What happens if you connect a device to it?

edit:

My thoughts are confirmed by this link:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml

Link explanation

If you check the default settings of the port (when nothing is connected and no port-security is configured):

Cat3750#show port-security interface fastEthernet 1/0/2
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
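As an added example (not part of this thread or of Cisco's documentation), here is a small Python parser that reads the "show port-security interface" and "show port-security" outputs quoted in the posts above and classifies each port the way Davy's explanation implies: Secure-down with port security enabled and a zero violation count means the link is down, not that a violation has err-disabled the port, which would show as Secure-shutdown. The Gi1/17 and Gi1/18 samples are constructed from the outputs posted here; the Secure-shutdown sample and the Gi1/20 summary row are hypothetical, made up to exercise the other branches.

```python
"""Classify Cisco IOS port-security state from 'show port-security' output.

Added example, not from the thread.  Samples are constructed from the outputs
posted above; the Secure-shutdown case and port Gi1/20 are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the Gi1/17 output posted in the thread.
GI17 = """\
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

# Gi1/18 as posted: same configuration, link up, one learned MAC.
GI18 = (GI17.replace("Secure-down", "Secure-up")
            .replace("Total MAC Addresses : 0", "Total MAC Addresses : 1")
            .replace("0000.0000.0000:0", "0020.aa0f.6458:250"))

# Hypothetical: what a port looks like after 'violation shutdown' has tripped.
SHUTDOWN_CASE = (GI17.replace("Secure-down", "Secure-shutdown")
                     .replace("Violation Mode : Restrict", "Violation Mode : Shutdown")
                     .replace("Security Violation Count : 0", "Security Violation Count : 1"))

# Summary table: Gi1/3 and Gi1/17 are from the thread, Gi1/20 is a made-up row.
SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)        (Count)
---------------------------------------------------------------------------
Gi1/3        3              1            0                  Restrict
Gi1/17       3              0            0                  Restrict
Gi1/20       3              3            7                  Restrict
"""


def parse_interface(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict.  Split on ' : ' rather than ':'
    because the key 'Last Source Address:Vlan' itself contains a colon."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Map the displayed state to what it means operationally."""
    enabled = fields.get("port security", "").lower() == "enabled"
    status = fields.get("port status", "").lower()
    violations = int(fields.get("security violation count", "0"))
    if not enabled:
        return "disabled"            # Secure-down is just the idle display here
    if status == "secure-shutdown":
        return "err-disabled"        # violation mode 'shutdown' tripped: needs shut/no shut
    if status == "secure-down":
        return "link-down"           # no link on the port, nothing to clear
    if violations > 0:
        return "up-with-violations"  # restrict/protect has been dropping frames
    return "secured"


ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_summary(text: str) -> List[Tuple[str, int, int, int, str]]:
    """Parse the data rows of 'show port-security'; header and ruler lines don't match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, mx, cur, viol, action = m.groups()
            rows.append((port, int(mx), int(cur), int(viol), action))
    return rows


def ports_needing_attention(rows: List[Tuple[str, int, int, int, str]]) -> List[str]:
    """Ports with a non-zero violation count or already at their MAC limit."""
    return [port for port, mx, cur, viol, _ in rows if viol > 0 or cur >= mx]


if __name__ == "__main__":
    for name, text in (("Gi1/17", GI17), ("Gi1/18", GI18), ("hypothetical", SHUTDOWN_CASE)):
        print(name, classify(parse_interface(text)))
    print("attention:", ports_needing_attention(parse_summary(SUMMARY)))
```

Feeding it real output (for example, piped from a terminal capture) gives "link-down" for a port in the state the original poster describes, so the check to run next is on the cable and link, not on port-security; only "err-disabled" calls for the shut / no shut (or errdisable recovery) that several replies suggest.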

You're correct Davy, thank you.

However, my question now is as follows:

Given that

show port-security int gi 1/17
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

how come plugging a device (1 MAC) into this port immediately causes a violation, when plugging the same device into the next port there is no problem?

show port-security int gi 1/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0020.aa0f.6458:250
Security Violation Count   : 0

So if you connect the PC first to G1/18 and then to G1/17, you get a violation?

Are you directly connected via G1/18 or via a phone? (Not according to your output, but maybe it's given just as an example.)

In the output above the security violation count is 0 for G1/17, and no MAC address has been seen yet. Are you sure the port comes up? Maybe you have a cable problem. Even if you cause a violation, the port should come up.

Hope this helps.

Please rate any posts that were helpful ;-)

Correct. The server gets plugged straight into the switch and only 1 MAC is entered in the table. The ports have identical configurations and I have used the same cable infrastructure.

I initially plugged into gi1/17 (previously unused), but when it had this bizarre port-security problem I moved to gi1/18 and it worked perfectly. If I plug another device into gi1/17 it works, but if I plug the server on 1/18 into 1/17 it stops working.

I give up!

Administer a manual 'shut' followed by a 'no shut'. Do this once you have removed port-security from the interface ('no switchport port-security').

Oxymoron42
Level 1

If anyone still cares... I believe that you have just been "Cisco"ed.

I tried to make my port fail to test port security by plugging in my laptop where I had something else plugged in before. It failed, and I removed the laptop. I did the whole clearing procedure: "no sw port", "shut", "no shut", "clear port-security sticky int fa0/12", etc., etc. It still showed secure-down. When I enabled "sw port", it showed up in "sho port-security" as a failure. I disabled port security, then reconnected the original cable but left port security off because I was afraid it would lock the port since it still showed secure-down.

Later I saved my running config to a temp file so I wasn't saving all the port security junk and reloaded the switch. It still showed secure-down.

Then I got the idea to put the laptop MAC in with "sw port mac", then "sw port", plugged in the laptop and it came up "secure-up" (I may have plugged the laptop in first; I don't remember or care anymore). I cleared the port out, put sticky back with the original cable and enabled it. Works fine.

If there is nothing plugged into the port or if port security is disabled it will show secure-down. 
