Solved

switchport security

Posted on 2011-09-05
500 Views
Last Modified: 2012-05-12
I have configured port security on a switch port.
I unplugged the cable then plugged back a cable from another host.
I ran the command shown below, and it shows that the port status is Secure-down.

What I don't understand is that I can still ping all other hosts from the host plugged into the port that is shown as Secure-down.

Any idea?

thanks

Switch2#
Switch2#sh port-security interface fastEthernet 0/3
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0



Question by: jskfan

18 Comments
Accepted Solution by Ernie Beek (LVL 35, earned 250 total points):
Are you sure it's enabled?
I see:
Port Security              : Disabled

Assisted Solution by pilson66 (LVL 8, earned 150 total points):
switchport port-security

To enable port security on an interface, use the switchport port-security command. To disable port security and set parameters to their default states, use the no form of this command.

switchport port-security [aging {static | time time | type {absolute | inactivity}} |
limit rate invalid-source-mac [N | none] | mac-address mac-address [vlan {access | voice} | mac-address sticky [mac-address] [vlan access | voice] | maximum value [vlan {access | voice} | violation {restrict | shutdown}]

no switchport port-security [aging {static | time time | type {absolute | inactivity}} |
limit rate invalid-source-mac [N | none] | mac-address mac-address [vlan {access | voice} | mac-address sticky [mac-address] [vlan access | voice] | maximum value [vlan {access | voice} | violation {restrict | shutdown}]
Syntax Description

aging: (Optional) Specifies aging for port security.

static: (Optional) Enables aging for statically configured secure addresses on this port.

time time: (Optional) Specifies the aging time for this port. The valid values are from 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute: (Optional) Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity: (Optional) Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

limit rate invalid-source-mac: (Optional) Sets the rate limit for bad packets. This rate limit also applies to the port where DHCP snooping security mode is enabled as filtering the IP and MAC address.

N | none: (Optional) Supplies a rate limit (N) or indicates none (none).

mac-address mac-address: (Optional) Specifies a secure MAC address for the interface; a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value that is configured.

sticky: (Optional) Configures the dynamic addresses as sticky on the interface.

vlan access: (Optional) Deletes the secure MAC addresses from access VLANs.

vlan voice: (Optional) Deletes the secure MAC addresses from voice VLANs.

maximum value: (Optional) Sets the maximum number of secure MAC addresses for the interface. Valid values are from 1 to 3072. The default setting is 1.

violation: (Optional) Sets the security violation mode and action to be taken if port security is violated.

restrict: (Optional) Sets the security violation restrict mode. In this mode, a port security violation restricts data and causes the security violation counter to increment.

shutdown: (Optional) Sets the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error disabled.

Defaults

The default settings are as follows:

• Port security is disabled.
• When port security is enabled and no keywords are entered, the default maximum number of secure MAC addresses is 1.
• Aging is disabled.
• Aging time is 0 minutes.
• All secure addresses on this port age out immediately after they are removed from the secure address list.

Author Comment by jskfan:
I am not in the Lab room now.
I believe, I entered at the interface level:
Switchport port-security violation shutdown.


Assisted Solution by Ernie Beek (LVL 35, earned 250 total points):
Well, just check to see what ports are secure: sh port-security

Assisted Solution by pilson66 (LVL 8, earned 150 total points):
If you use violation shutdown, the port will shut down if you plug a device with another MAC into this port.

Assisted Solution by Ernie Beek (LVL 35, earned 250 total points):
One of my switches. On port f0/1 I issued switchport port-security, and on port f0/2 I didn't do anything.

Switch08#sh port-security int f0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Switch08#sh port-security int f0/2
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0


So my guess is that you might have enabled this on another port (?)

Author Comment by jskfan:
I believe, I entered at the interface level:

Switchport port-security mac-address sticky
Switchport port-security violation shutdown.

Assisted Solution by pilson66 (LVL 8, earned 150 total points):
You didn't enter how many MACs are to be stored as sticky.

Assisted Solution by Ernie Beek (LVL 35, earned 250 total points):
I think it is best (when you're in the lab) to first check which ports are secured.

Assisted Solution by Don Johnston (LVL 50, earned 100 total points):
>I believe, I entered at the interface level: Switchport port-security violation shutdown.

This command only defines what happens when there is a violation. It does not enable port security.

To enable port security, you need to issue the command: switchport port-security
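As an added example (not code from any of the posters, and nothing Cisco ships), a small Python check that parses the "show port-security interface" output format pasted in this thread and flags exactly the state above: a violation mode is configured but port security itself was never enabled, so the port forwards any MAC. The sample block is a constructed copy of the thread's output.

```python
# Example code added to this thread (not from the posters or from Cisco):
# parse 'show port-security interface' output and report whether the
# port is actually protected. SAMPLE_DISABLED is a constructed copy of
# the output format shown in the thread.
from typing import Dict

SAMPLE_DISABLED = """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""


def parse_port_security(text: str) -> Dict[str, str]:
    """Split each 'Key : Value' line on ' : ' rather than ':', because
    the field name 'Last Source Address:Vlan' itself contains a colon."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields


def assess(fields: Dict[str, str]) -> str:
    """Classify the port. 'violation shutdown' or 'mac-address sticky'
    alone change nothing until 'switchport port-security' is applied,
    which is the state the thread's first output shows."""
    enabled = fields.get("Port Security") == "Enabled"
    status = fields.get("Port Status", "")
    violations = int(fields.get("Security Violation Count", "0"))
    if not enabled:
        return "not-enabled"          # any MAC is forwarded on this port
    if status == "Secure-shutdown":   # err-disabled after a violation
        return "err-disabled(%d)" % violations
    if status == "Secure-up":
        return "protected"
    return "enabled-link-down"        # enabled, but no host seen yet


if __name__ == "__main__":
    print(assess(parse_port_security(SAMPLE_DISABLED)))  # not-enabled
```

Run it against the output of each secured interface; any port that reports not-enabled has a violation mode but no actual port security.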

Expert Comment by Ernie Beek (LVL 35):
I rest my case ;)

Expert Comment by Don Johnston (LVL 50):
Motion granted. :-D

Expert Comment by Ernie Beek (LVL 35):
Thank you your honor :))

Author Comment by jskfan:
I am back in the lab and readjusted the config, then ran show port-security. Is this how it is supposed to be configured??

 Switch2#sh run interface fastEthernet 0/3
Building configuration...

Current configuration : 215 bytes
!
interface FastEthernet0/3
 switchport access vlan 33
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 
===================================================
Switch2#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/3              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120




Assisted Solution by Don Johnston (LVL 50, earned 100 total points):
Looks good to me.

Assisted Solution by Ernie Beek (LVL 35, earned 250 total points):
Looking good!
As far as I can see from my phone............

Author Comment by jskfan:
Thank you for your help, guys!!

Author Closing Comment by jskfan:
Excellent!!