Port Security violation still able to ping

Answered Question

I have set up port security on f0/11 with the following parameters:


SA(config)#int f0/11
SA(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

SA(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

SA(config-if)#switchport port-security mac-address sticky
SA(config-if)#switchport port-security maximum 1
SA(config-if)#switchport port-security violation shutdown


I use the shutdown / no shutdown for good measure. When I unplug the host machine from the port and then plug in another host, the port is actually listed as shutdown due to a security violation. So, to this point, it would seem everything is working as we'd expect (as the following output confirms):


SA#sh port-security int f0/11
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0


Why can I still ping with the new host plugged into the port?

Correct Answer by Jon Marshall (Wed, 02/10/2010 - 15:49)

Steve

SA#sh port-security int f0/11
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0


Why can I still ping with the new host plugged into the port?

Steve


It's actually saying port-security is disabled in the first line. Under fa0/11 have you configured "switchport mode access", assuming it is an access port?


Jon


Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands. Although I think you have found the problem --- is there any other reason it would be "disabled"?


interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
switchport mode access
switchport port-security aging time 6
switchport port-security mac-address sticky
!

Jon Marshall Wed, 02/10/2010 - 16:01

Steve


Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands


Good point, I forgot about that.


Which switch and IOS version?


Jon

Jon Marshall Wed, 02/10/2010 - 16:05

Steve


No problem. I was just about to ask you to add that to the config, but you beat me to it.


Jon

It appears the "sticky" parameter is not adding MAC addresses to the secure MAC table:


SA#sh port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
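As an added example (not code from this thread or from Cisco), a small audit script that checks an IOS interface block the way Jon did by eye: it flags interfaces that carry port-security sub-commands (aging, sticky, maximum, violation) without the bare "switchport port-security" line that enables the feature, and interfaces that are not static access ports. The sample config is constructed from the fa0/11 block posted above plus a hypothetical fa0/12 that is fully enabled.

```python
# Constructed sample: the fa0/11 block posted in this thread plus a hypothetical fa0/12 with port-security fully enabled.
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport mode access
 switchport port-security aging time 6
 switchport port-security mac-address sticky
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into {interface name: [sub-commands]}; '!' ends a block."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port_security(config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for port-security configs that leave the feature disabled."""
    findings: dict[str, list[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport port-security") for c in cmds):
            continue  # no port-security intent on this interface
        problems = []
        # aging/maximum/violation/mac-address only tune the feature;
        # the bare command is what actually turns it on.
        if "switchport port-security" not in cmds:
            problems.append("port-security options set but feature not enabled")
        if "switchport mode access" not in cmds:
            problems.append("not a static access port")
        if problems:
            findings[name] = problems
    return findings
```

Run against a saved "show running-config" to find every interface that looks secured but would still report "Port Security : Disabled".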
