Solved

switchport security

Posted on 2011-09-05
524 Views
Last Modified: 2012-05-12
I have configured port security on a switch port.
I unplugged the cable, then plugged in a cable from another host.
I ran the command shown below, and it shows that the port status is Secure-down.

What I don't understand is that I can still ping all the other hosts from the host plugged into the port that is shown as secure-down.

Any idea?

thanks

Switch2#
Switch2#sh port-security interface fastEthernet 0/3
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0



0
Question by:jskfan
18 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 1000 total points
ID: 36483142
Are you sure it's enabled?
I see:
Port Security              : Disabled
0
 
LVL 8

Assisted Solution

by:pilson66
pilson66 earned 600 total points
ID: 36483144
switchport port-security

To enable port security on an interface, use the switchport port-security command. To disable port security and set parameters to their default states, use the no form of this command.

switchport port-security [aging {static | time time | type {absolute | inactivity}} |
limit rate invalid-source-mac [N | none] | mac-address mac-address [vlan {access | voice} | mac-address sticky [mac-address] [vlan access | voice] | maximum value [vlan {access | voice} | violation {restrict | shutdown}]

no switchport port-security [aging {static | time time | type {absolute | inactivity}} |
limit rate invalid-source-mac [N | none] | mac-address mac-address [vlan {access | voice} | mac-address sticky [mac-address] [vlan access | voice] | maximum value [vlan {access | voice} | violation {restrict | shutdown}]
Syntax Description

aging: (Optional) Specifies aging for port security.

static: (Optional) Enables aging for statically configured secure addresses on this port.

time time: (Optional) Specifies the aging time for this port. The valid values are from 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute: (Optional) Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity: (Optional) Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

limit rate invalid-source-mac: (Optional) Sets the rate limit for bad packets. This rate limit also applies to the port where DHCP snooping security mode is enabled as filtering the IP and MAC address.

N | none: (Optional) Supplies a rate limit (N) or indicates none (none).

mac-address mac-address: (Optional) Specifies a secure MAC address for the interface; a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value that is configured.

sticky: (Optional) Configures the dynamic addresses as sticky on the interface.

vlan access: (Optional) Deletes the secure MAC addresses from access VLANs.

vlan voice: (Optional) Deletes the secure MAC addresses from voice VLANs.

maximum value: (Optional) Sets the maximum number of secure MAC addresses for the interface. Valid values are from 1 to 3072. The default setting is 1.

violation: (Optional) Sets the security violation mode and action to be taken if port security is violated.

restrict: (Optional) Sets the security violation restrict mode. In this mode, a port security violation restricts data and causes the security violation counter to increment.

shutdown: (Optional) Sets the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error disabled.

Defaults

The default settings are as follows:

• Port security is disabled.
• When port security is enabled and no keywords are entered, the default maximum number of secure MAC addresses is 1.
• Aging is disabled.
• Aging time is 0 minutes.
• All secure addresses on this port age out immediately after they are removed from the secure address list.
0
 

Author Comment

by:jskfan
ID: 36483192
I am not in the Lab room now.
I believe, I entered at the interface level:
Switchport port-security violation shutdown.

0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 36483207
Well, just check to see what ports are secure: sh port-security
0
 
LVL 8

Assisted Solution

by:pilson66
pilson66 earned 600 total points
ID: 36483209
If you use violation shutdown, the port will shut down if you plug a device with a different MAC into this port.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 36483220
One of my switches. On port f0/1 is issued: switchport port-security and on port f0/2 I didn't do anything.

Switch08#sh port-security int f0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Switch08#sh port-security int f0/2
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0


So my guess is that you might have enabled this on another port (?)
0
 

Author Comment

by:jskfan
ID: 36483347
I believe, I entered at the interface level:

Switchport port-security mac-address sticky
Switchport port-security violation shutdown.
0
 
LVL 8

Assisted Solution

by:pilson66
pilson66 earned 600 total points
ID: 36483352
You didn't enter how many MACs should be stored as sticky.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 36483457
I think it is best (when you're in the lab) to first check which ports are secured.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 400 total points
ID: 36484129
>I believe, I entered at the interface level: Switchport port-security violation shutdown.

This command only defines what happens when there is a violation. It does not enable port security.

To enable port security, you need to issue the command: switchport port-security
0
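An added example (not from the thread) that audits a running-config for exactly the mistake discussed above: port-security sub-commands present on an interface without the bare `switchport port-security` line that actually enables the feature. The sample config is constructed to mirror the asker's first attempt (Fa0/3) and the corrected version (Fa0/4).

```python
# Constructed sample running-config: Fa0/3 mirrors the asker's first attempt
# (only sub-options, feature never enabled), Fa0/4 mirrors the corrected config.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/3
 switchport access vlan 33
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/4
 switchport access vlan 33
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/5
 switchport mode access
!
"""

def parse_interfaces(config):
    """Split IOS running-config text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any top-level line ends the block
    return blocks

def audit_port_security(config):
    """Return {interface: 'enabled' | 'options-only' | 'none'}; 'options-only'
    means sub-commands exist but 'switchport port-security' itself is missing."""
    result = {}
    for name, cmds in parse_interfaces(config).items():
        enabled = "switchport port-security" in cmds
        has_opts = any(c.startswith("switchport port-security ") for c in cmds)
        if enabled:
            result[name] = "enabled"
        elif has_opts:
            result[name] = "options-only"
        else:
            result[name] = "none"
    return result
```

Feed it the text of `show running-config`; any interface reported as `options-only` will show `Port Security : Disabled` in `show port-security interface`, just like the asker's Fa0/3.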
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36484135
I rest my case ;)
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 36484621
Motion granted. :-D
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36484664
Thank you your honor :))
0
 

Author Comment

by:jskfan
ID: 36484739
I am back in the lab and readjusted the config, then ran show port-security. Is this how it is supposed to be configured??

Switch2#sh run interface fastEthernet 0/3
Building configuration...

Current configuration : 215 bytes
!
interface FastEthernet0/3
 switchport access vlan 33
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 
===================================================
Switch2#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/3              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120



0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 400 total points
ID: 36484747
Looks good to me.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 1000 total points
ID: 36484754
Looking good!
As far as I can see from my phone............
0
 

Author Comment

by:jskfan
ID: 36484764
Thank you for your help Guys!!
0
 

Author Closing Comment

by:jskfan
ID: 36484774
Excellent!!
0
