02-10-2010 03:41 PM - edited 03-06-2019 09:40 AM
I have set up port security on f0/11 with the following parameters:
SA(config)#int f0/11
SA(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
SA(config-if)#switchport port-security mac-address ?
H.H.H 48 bit mac address
sticky Configure dynamic secure addresses as sticky
SA(config-if)#switchport port-security mac-address sticky
SA(config-if)#switchport port-security maximum 1
SA(config-if)#switchport port-security violation shutdown
I use `shutdown` / `no shutdown` for good measure. When I unplug the host machine from the port and then plug in another host, the port is actually listed as shut down due to a security violation. So, to this point, it would seem everything is working as we'd expect (as the following output confirms):
SA#sh port-security int f0/11
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 6 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
Why can I still ping with the new host plugged into the port?
02-10-2010 03:49 PM
SA#sh port-security int f0/11
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 6 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
Why can I still ping with the new host plugged into the port?
Steve
It's actually saying port-security is disabled in the first line. Under fa0/11 have you configured "switchport mode access" assuming it is an access port ?
Jon
02-10-2010 03:54 PM
Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands. Although I think you have found the problem --- is there any other reason it would be "disabled"?
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
switchport mode access
switchport port-security aging time 6
switchport port-security mac-address sticky
!
02-10-2010 04:01 PM
Steve
Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands
Good point, i forgot about that
Which switch and IOS version ?
Jon
02-10-2010 04:02 PM
Thanks Jon --- I needed to also run the basic command to enable port-security:
SA(config-if)#switchport port-security
I was thinking the config commands enabled it. It works fine now, thanks again. Steve
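The misconfiguration resolved above (port-security options present, but the bare `switchport port-security` line missing, so the feature shows as Disabled) is easy to audit for across a running-config. The following is an added example, not code from the thread: the SAMPLE_CONFIG text is constructed, modelled on the interface snippet posted above plus one correctly configured port.

```python
"""Audit an IOS config for port-security that is configured but never enabled.
Added example, not from the thread: SAMPLE_CONFIG is constructed, modelled on
the interface snippet posted above plus one correctly set up port (f0/12)."""

# Constructed sample: f0/11 mirrors the thread's misconfiguration, f0/12 is correct.
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport mode access
 switchport port-security aging time 6
 switchport port-security mac-address sticky
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
"""

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_port_security(config: str) -> dict:
    """Map each interface carrying port-security sub-commands to its findings."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport port-security") for l in lines):
            continue  # port-security not in play on this interface
        problems = []
        # The bare command is what enables the feature; options alone leave it Disabled.
        if "switchport port-security" not in lines:
            problems.append("port-security options set but feature not enabled")
        if "switchport mode access" not in lines:
            problems.append("not an access port")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for port, issues in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: {'; '.join(issues)}")
```

Feed it the output of `show running-config` to list every port in the same state f0/11 was in here.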
02-10-2010 04:05 PM
Steve
No problem. I was just about to ask you to add that to the config, but you beat me to it.
Jon
02-10-2010 03:50 PM
It appears the "sticky" parameter is not adding MAC address to the secure MAC table:
SA#sh port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type    Ports    Remaining Age (mins)
----    -----------       ----    -----    --------------------
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024