New Member

Port Security violation still able to ping

I have set up port security on f0/11 with the following parameters:

SA(config)#int f0/11
SA(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

SA(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

SA(config-if)#switchport port-security mac-address sticky
SA(config-if)#switchport port-security maximum 1
SA(config-if)#switchport port-security violation shutdown

I use the shutdown no shutdown for good measure. When I unplug the host machine from the port, and then plug in another host, the port is actually listed as shutdown due to a security violation; So, to this point, it would seem everything is working as we'd expect (as the following output confirms):

SA#sh port-security int f0/11
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

Why can I still ping with the new host plugged into the port?

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: Port Security violation still able to ping

SA#sh port-security int f0/11
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

Why can I still ping with the new host plugged into the port?

Steve

It's actually saying port-security is disabled in the first line. Under fa0/11 have you configured "switchport mode access", assuming it is an access port?

Jon

6 REPLIES
New Member

Re: Port Security violation still able to ping

Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands. Although I think you have found the problem --- is there any other reason it would be "disabled"?

interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
switchport mode access
switchport port-security aging time 6
switchport port-security mac-address sticky
!

Hall of Fame Super Blue

Re: Port Security violation still able to ping

Steve

Jon - You can't configure port security without the port being an access port -- if it is in dynamic mode you get an error with port-security commands

Good point, i forgot about that

Which switch and IOS version ?

Jon

New Member

Re: Port Security violation still able to ping

Thanks Jon --- I needed to also run the basic command to enable port-security:

SA(config-if)#switchport port-security

I was thinking the config commands enabled it. It works fine now, thanks again. Steve
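As an added check, not code from the thread or from Cisco: a small Python audit that parses the "show port-security interface" output Jon pointed at and flags the state Steve hit, where the sub-commands (sticky, maximum, violation) are all configured but the first line still reads "Port Security : Disabled" because "switchport port-security" itself was never entered. The BEFORE sample is the output from the question; the AFTER sample and its MAC address are constructed assumptions of what the same port looks like once the feature is enabled and one sticky address has been learned. It also flags a port left in Secure-shutdown after a violation, the silent "protect" violation mode, and a maximum above the expected count.

```python
# Constructed sample output, modelled on the "sh port-security int f0/11"
# output in the thread. BEFORE is the state from the question (sub-commands
# configured but "switchport port-security" itself never entered); AFTER is an
# assumed snapshot of the same port once the feature is enabled and one sticky
# address has been learned. The MAC address in AFTER is made up.
BEFORE = """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0
"""

AFTER = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 6 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0011.2233.4455
Security Violation Count   : 0
"""


def parse_port_security(text):
    """Turn the 'Field : Value' lines of 'show port-security interface' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_port_security(text, expected_max=1):
    """Return a list of findings for one port's 'show port-security interface' output.

    An empty list means the port enforces what the thread intended: feature
    enabled, at most `expected_max` secure address(es), a violation mode that
    logs or disables the port, and no violations recorded.
    """
    f = parse_port_security(text)
    findings = []

    # The question's situation: every sub-command set, but the feature is off.
    if f.get("Port Security") != "Enabled":
        findings.append("port security is not enabled: 'switchport port-security' missing")

    # err-disabled after a violation; cleared with shutdown / no shutdown or errdisable recovery.
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a security violation")

    # 'protect' drops offending frames silently: no syslog/SNMP trap, no counter increment.
    if f.get("Violation Mode") == "Protect":
        findings.append("violation mode 'protect' drops frames silently; use 'restrict' or 'shutdown'")

    try:
        maximum = int(f.get("Maximum MAC Addresses", "0"))
    except ValueError:
        maximum = 0
    if maximum > expected_max:
        findings.append("maximum secure addresses is %d, expected at most %d" % (maximum, expected_max))

    try:
        violations = int(f.get("Security Violation Count", "0"))
    except ValueError:
        violations = 0
    if violations > 0:
        findings.append("%d security violation(s) recorded" % violations)

    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_port_security(sample) or ["ok"])
```

Run it as-is and the "before" sample reports the missing enable command while "after" reports ok; in practice you would feed it the output collected from each access port so a port that quietly lost its "switchport port-security" line shows up before someone plugs in an unexpected host.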

Hall of Fame Super Blue

Re: Port Security violation still able to ping

Steve

No problem. I was just about to ask you to add that to the config but you beat me to it

Jon

New Member

Re: Port Security violation still able to ping

It appears the "sticky" parameter is not adding MAC address to the secure MAC table:

SA#sh port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
