Cisco Support Community

New Member

SWITCHPORT SECURITY ISSUE

My company has a 3550 switch with IOS 12.2 SEB version. No other configuration is there. I want to enable switch port security on 3 ports.

The following commands were submitted on the port:

int fas0/18
switchport mode access
switchport port-security
switchport port-security maximum 1
exit

This command is not working: it is permitting more than one MAC address.

What could be the problem? Can anyone help me in this regard? I have just completed my CCNA.

3 ACCEPTED SOLUTIONS

New Member
New Member

Re: SWITCHPORT SECURITY ISSUE

I gave your configuration a try on a Catalyst 3550 and it worked fine:

Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00d0.59c0.94bb:1
Security Violation Count : 0

00:07:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
00:07:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0030.8048.0d01 on port FastEthernet0/3.
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:07:07: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

Switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0030.8048.0d01:1
Security Violation Count : 1

Did you use a second switch? Without spanning-tree portfast it might take a minute until the second MAC-address is seen by the first switch.
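The two `show port-security interface` snapshots and the syslog lines in the reply above are exactly what a defender would want to pull and compare automatically. The following Python is an added example, not code from the thread or from Cisco: it parses each snapshot into fields, diffs the two, flags the conditions the thread discusses (a port err-disabled by a violation, and a port whose only secure MACs are dynamic), and extracts the violating MAC and port from the log lines. The snapshot and syslog text is copied from the post above; the `audit` rules and all function names are this example's own.

```python
import re

# Snapshots of "show port-security interface fa0/3" copied from the post above:
# BEFORE was taken while the first PC was the only secure MAC, AFTER once the
# second MAC had triggered a violation.
BEFORE = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00d0.59c0.94bb:1
Security Violation Count : 0
"""

AFTER = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0030.8048.0d01:1
Security Violation Count : 1
"""

# Syslog lines from the same post.
SYSLOG = """\
00:07:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
00:07:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0030.8048.0d01 on port FastEthernet0/3.
00:07:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
"""


def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields


def diff_snapshots(before, after):
    """Fields whose value changed between two snapshots, as {field: (old, new)}."""
    return {k: (before.get(k), v) for k, v in after.items() if before.get(k) != v}


def audit(fields):
    """Findings a defender would raise from one snapshot (rules are this example's own)."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port was err-disabled by a security violation")
    if (fields.get("Sticky MAC Addresses") == 0
            and fields.get("Configured MAC Addresses") == 0):
        # Only dynamically learned MACs: they are cleared when the link goes
        # down, so unplugging one host and plugging in another is accepted.
        findings.append("only dynamic secure MACs; a replacement host after a link flap is accepted")
    return findings


VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port ([^\s.]+)")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on ([^\s,]+)")


def parse_syslog(text):
    """Extract port-security events from IOS syslog lines."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append({"type": "violation", "mac": m.group(1), "port": m.group(2)})
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            events.append({"type": "err-disable", "port": m.group(1)})
    return events


if __name__ == "__main__":
    before, after = parse_port_security(BEFORE), parse_port_security(AFTER)
    for k, (old, new) in diff_snapshots(before, after).items():
        print(f"{k}: {old} -> {new}")
    print("findings:", audit(after))
    print("events:", parse_syslog(SYSLOG))
```

Run against the two snapshots, the diff shows the port moving from Secure-up to Secure-shutdown, the total MAC count dropping to 0 and the violation count rising to 1, while the audit of even the healthy BEFORE snapshot already flags that the port relies on dynamic learning alone, which is the root of the asker's problem.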

Silver

Re: SWITCHPORT SECURITY ISSUE

Well, the case is that you are using one PC at one particular time, so your command switchport port-security maximum 1 will still allow other PCs to get connected if they are connected afresh to that port.

But if you want only a particular PC to connect to a port use the command Switch(config-if)# switchport port-security mac-address 1000.2000.3000

Where the Mac address is that of the only PC you want to connect.

HTH

Hoogen

Do rate if this helps :)

New Member

Re: SWITCHPORT SECURITY ISSUE

Hi

According to your configuration, it will only allow 1 MAC address at ONE time. To explain, if you connect the port to a hub and connect multiple PCs, the port will be shut down because it violates the security.

If you want to allow only a particular MAC address to be connected at ANY (not one) time, you need to use the sticky option.

Hope that clears everyone's doubt. Please rate if it helped!

Cheers

Joe

7 REPLIES
New Member

Re: SWITCHPORT SECURITY ISSUE

Try to configure an optional violation command:

switchport port-security violation shutdown

What about the "show port-security interface fa0/3" command output?

New Member

Re: SWITCHPORT SECURITY ISSUE

I tried that same switchport security-violation shutdown command option also. Still, if I disconnect and hook up the other machine, it is still reading, and the port is not shut down.

The show command indicates that the port is secure.

by permanant

New Member

Re: SWITCHPORT SECURITY ISSUE

I'm not sure if I understood you right.

You have 2 PCs connected to Fa0/3 AT THE SAME TIME (via Hub/Switch), right?

And port-security doesn't shut down Fa0/3?

Strange...

Could you post the output of the show-command?


New Member

Re: SWITCHPORT SECURITY ISSUE

If I recall correctly, when an interface goes down, the switch clears all MAC addresses learned on that interface. In your case, as soon as you unplug the first PC, the dynamically learned MAC address is cleared from the switch table. You plug in the other one, and the new MAC is learned without triggering the port security.

If you only want a particular PC to connect to that port, use the mac-address sticky command to configure a static MAC on that interface.
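The behaviour this reply describes, and the sticky or static fix the other answers give, can be checked in a small model. The following Python is an added example, not IOS code and not from the thread: a simplified model of how a secure port accepts, learns and clears MAC addresses, in which dynamically learned entries are dropped when the link goes down while sticky and static entries are kept. The `SecurePort` class and the scenario functions are this example's own; the two MAC addresses are the ones seen in the show output posted earlier in the thread. It goes slightly beyond the reply by also running the hub case and the static-MAC case side by side.

```python
from dataclasses import dataclass, field

# Simplified model of a Catalyst access port with port-security (added example,
# not IOS code). It captures only the behaviour discussed in the thread:
#   - at most `maximum` secure MACs (static + learned) per port
#   - a new MAC beyond the maximum is a violation; in shutdown mode the port
#     is err-disabled
#   - dynamically learned MACs are cleared when the link goes down, while
#     sticky and static MACs are kept


@dataclass
class SecurePort:
    maximum: int = 1
    sticky: bool = False                         # switchport port-security mac-address sticky
    static: set = field(default_factory=set)     # switchport port-security mac-address <mac>
    learned: dict = field(default_factory=dict)  # mac -> "dynamic" | "sticky"
    status: str = "Secure-up"
    violations: int = 0

    def secure_macs(self):
        return set(self.static) | set(self.learned)

    def frame_from(self, mac):
        """Process a frame from `mac`; True if forwarded, False if dropped."""
        if self.status == "Secure-shutdown":
            return False                         # err-disabled: nothing passes
        if mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned[mac] = "sticky" if self.sticky else "dynamic"
            return True
        self.violations += 1                     # violation mode shutdown
        self.status = "Secure-shutdown"
        return False

    def link_down(self):
        """Link flap: dynamic entries are dropped, sticky entries survive."""
        self.learned = {m: kind for m, kind in self.learned.items() if kind == "sticky"}


# The two MACs seen in the show output posted in the thread; the scenarios
# below are this example's own.
FIRST_PC, SECOND_PC = "00d0.59c0.94bb", "0030.8048.0d01"


def replace_host(sticky=False, static=()):
    """The asker's test: unplug the first PC, plug in a second one.

    Returns (first accepted, second accepted, final port status).
    """
    port = SecurePort(maximum=1, sticky=sticky, static=set(static))
    first = port.frame_from(FIRST_PC)
    port.link_down()                             # unplugging the cable
    second = port.frame_from(SECOND_PC)
    return first, second, port.status


def hub_with_two_hosts():
    """Both PCs behind a hub on the same port, no link flap in between."""
    port = SecurePort(maximum=1)
    port.frame_from(FIRST_PC)
    second = port.frame_from(SECOND_PC)
    return second, port.status, port.violations


if __name__ == "__main__":
    print("maximum 1 only  :", replace_host())
    print("with sticky     :", replace_host(sticky=True))
    print("with static MAC :", replace_host(static={FIRST_PC}))
    print("hub, two hosts  :", hub_with_two_hosts())
```

With `maximum 1` alone the second PC is accepted and the port stays Secure-up, because the link flap erased the only secure entry before the second host was seen; with a sticky or a configured static MAC the entry survives the flap and the second host is a violation, and two hosts behind a hub are a violation regardless, which is what the accepted answers describe.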
