Port Security violation still able to ping

stevec90
Level 1

I have set up port security on f0/11 with the following parameters:

SA(config)#int f0/11
SA(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

SA(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

SA(config-if)#switchport port-security mac-address sticky
SA(config-if)#switchport port-security maximum 1
SA(config-if)#switchport port-security violation shutdown

I use the shutdown / no shutdown for good measure. When I unplug the host machine from the port and then plug in another host, the port is actually listed as shutdown due to a security violation. So, to this point, it would seem everything is working as we'd expect (as the following output confirms):

SA#sh port-security int f0/11
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

Why can I still ping with the new host plugged into the port?

Accepted Solution

Jon Marshall
Hall of Fame

SA#sh port-security int f0/11
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

Why can I still ping with the new host plugged into the port?

Steve

It's actually saying port-security is disabled in the first line. Under fa0/11, have you configured "switchport mode access", assuming it is an access port?

Jon


6 Replies

Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands. Although I think you have found the problem --- is there any other reason it would be "disabled"?

interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
switchport mode access
switchport port-security aging time 6
switchport port-security mac-address sticky
!

Steve

Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands

Good point, I forgot about that.

Which switch and IOS version?

Jon

Thanks Jon --- I needed to also run the basic command to enable port-security:

SA(config-if)#switchport port-security

I was thinking the config commands enabled it. It works fine now, thanks again. Steve

Steve

No problem. I was just about to ask you to add that to the config, but you beat me to it.

Jon
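The root cause in this thread is easy to miss when reading a running-config: the `switchport port-security ...` subcommands (aging, sticky, maximum, violation) are accepted and stored, but the feature is only switched on by the bare `switchport port-security` line, and only on an access port. The following Python audit is an added example, not code from this thread or from Cisco. It parses a constructed running-config whose `FastEthernet0/11` stanza mirrors Steve's, flags interfaces where port-security subcommands exist but the feature was never enabled (or the port is not in access mode), and also reads `show port-security interface` output for the "Port Security : Disabled" line that Jon spotted. The interface names and the extra `f0/12` and `f0/13` stanzas are constructed sample data.

```python
"""Audit Cisco IOS running-config and 'show port-security' output for
port-security that is configured but not actually enabled.
Added example (not from the thread); sample text below is constructed."""

# Constructed sample: f0/11 mirrors the thread (subcommands, no enable line),
# f0/12 is the corrected form, f0/13 has no port-security at all.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security aging time 6
 switchport port-security mac-address sticky
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
interface FastEthernet0/13
 switchport mode access
!
"""

# Constructed sample modelled on the 'show port-security int f0/11' output
# quoted in the thread (first line is the tell-tale).
SAMPLE_SHOW = """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Sticky MAC Addresses       : 0
Security Violation Count   : 0
"""

ENABLE_CMD = "switchport port-security"


def parse_interfaces(config):
    """Return {interface name: [indented subcommands]} from IOS config text.
    A stanza starts at 'interface X' and ends at the '!' delimiter."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.strip() == "!":
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_port_security(config):
    """Return {interface: [issue strings]} for stanzas that look secured but
    are not: subcommands without the bare enable line, or not access mode."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        has_sub = any(c.startswith(ENABLE_CMD + " ") for c in cmds)
        enabled = ENABLE_CMD in cmds          # exact bare line, no arguments
        access = "switchport mode access" in cmds
        issues = []
        if has_sub and not enabled:
            issues.append("port-security subcommands present but feature not enabled")
        if (has_sub or enabled) and not access:
            issues.append("port-security configured on a non-access port")
        if issues:
            findings[name] = issues
    return findings


def parse_show_port_security(text):
    """Turn 'Key   : Value' lines of 'show port-security interface' into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def port_security_active(text):
    """True only when the switch itself reports the feature as Enabled."""
    return parse_show_port_security(text).get("Port Security") == "Enabled"


if __name__ == "__main__":
    for iface, issues in audit_port_security(SAMPLE_CONFIG).items():
        print(iface, "->", "; ".join(issues))
    print("port-security active on f0/11:", port_security_active(SAMPLE_SHOW))
```

Run against a real `show running-config`, the config audit catches the thread's exact mistake before anyone plugs in a second host; the `show port-security interface` check is the quicker confirmation on a single port.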

stevec90
Level 1

It appears the "sticky" parameter is not adding MAC addresses to the secure MAC table:

SA#sh port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
