Cisco Support Community
Community Member

port-security issue

I have a 2960 @ a remote site. I set the port-security as shown here (all interfaces are set the same except for the uplink):

interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast

but when I "show port-security interface fastEthernet 0/5" I get output stating that port security is disabled:

Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

A "show IP interface brief" shows this port is up up.

Any ideas?

10 REPLIES
Community Member

Re: port-security issue

Hi,

Shouldn't you also specify a violation action to get this to work? I.e.:

interface FastEthernet0/5
 switchport port-security maximum 2
 switchport port-security violation shutdown

Try that, see what happens-

Gary

Community Member

Re: port-security issue

If I issue that command nothing shows up in the running config. I believe that shutdown is the default action. If I set the action to restrict, it does show up in the config, but still shows as disabled when a show port-security interface f0/5 is done.

Community Member

Re: port-security issue

Hmmm...I'll try this on a switch as soon as I can, get back to you.

Is it learning MAC addresses? Can you try and trip the violation?

Gary

Community Member

Re: port-security issue

It does not look like it's learning addresses; a show port-security gives the following output:

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192

Unfortunately I cannot test it because this is a live production switch in a different state.

Hall of Fame Super Bronze

Re: port-security issue

I don't see the command

switchport port-security

on that interface. You need that command in order to enable that service.

switchport port-security maximum 2 alone won't do it.

HTH,

Edison.

Community Member

Re: port-security issue

When I try to issue the command

"switchport port-security" alone I get the following output:

Command rejected: FastEthernet0/1 is a dynamic port.

Hall of Fame Super Bronze

Re: port-security issue

Type the command:

switchport mode access

HTH,

Edison.

Community Member

Re: port-security issue

I see. My understanding of "switchport mode access" is that this will allow the interface access to vlan 1 (please educate me if I'm wrong). I am using 100 for data and 200 for voice. Will it cause a problem to issue that command in this scenario?

Hall of Fame Super Bronze

Re: port-security issue

The command will change the port status from dynamic to static access.

The Access Vlan does not necessarily place the switchport in Vlan 1. If you have a Vlan membership in the switchport, it will use that Vlan.

HTH,

Edison.

Community Member

Re: port-security issue

This did the trick. Thanks for your help.
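
An added example, not part of the original thread: a small Python check for the misconfiguration diagnosed above, where "switchport port-security maximum 2" is present but the bare "switchport port-security" and "switchport mode access" are missing. The sample config is constructed, the function names are hypothetical, and accepting "switchport mode trunk" as a static mode is an assumption beyond what the thread states.

```python
import re

# Constructed sample running-config, modelled on the interface in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
!
"""

def split_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit_port_security(config):
    """Flag ports whose port-security options are set but not in effect."""
    findings = {}
    for name, cmds in split_interfaces(config).items():
        # Sub-options such as "maximum 2" do not enable the feature by themselves.
        options = [c for c in cmds if c.startswith("switchport port-security ")]
        enabled = "switchport port-security" in cmds
        # Assumption: access or trunk mode both count as a static (non-dynamic) port.
        static = any(c in ("switchport mode access", "switchport mode trunk") for c in cmds)
        problems = []
        if options and not enabled:
            problems.append("port-security options set but feature not enabled")
        if (options or enabled) and not static:
            problems.append("dynamic port: no 'switchport mode access'")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for port, problems in audit_port_security(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(problems))
```

Run it against saved "show running-config" output; a flagged port is one where "show port-security interface" would report Disabled despite the limits in the config.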
