switchport security

I have configured port security on a switch port.
I unplugged the cable, then plugged in a cable from another host.
I ran the command shown below, and it shows that the port status is Secure-down.

What I don't understand is that I can still ping all other hosts from the host plugged into the port that is shown as Secure-down.

Any idea?

thanks

Switch2#
Switch2#sh port-security interface fastEthernet 0/3
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0



jskfanAsked:
 
Ernie BeekExpertCommented:
Are you sure it's enabled?
I see:
Port Security              : Disabled
 
pilson66Commented:
switchport port-security

To enable port security on an interface, use the switchport port-security command. To disable port security and set parameters to their default states, use the no form of this command.

switchport port-security [aging {static | time time | type {absolute | inactivity}} |
limit rate invalid-source-mac [N | none] | mac-address mac-address [vlan {access | voice} | mac-address sticky [mac-address] [vlan access | voice] | maximum value [vlan {access | voice} | violation {restrict | shutdown}]

no switchport port-security [aging {static | time time | type {absolute | inactivity}} |
limit rate invalid-source-mac [N | none] | mac-address mac-address [vlan {access | voice} | mac-address sticky [mac-address] [vlan access | voice] | maximum value [vlan {access | voice} | violation {restrict | shutdown}]
Syntax Description

aging: (Optional) Specifies aging for port security.

static: (Optional) Enables aging for statically configured secure addresses on this port.

time time: (Optional) Specifies the aging time for this port. The valid values are from 0 to 1440 minutes. If the time is 0, aging is disabled for this port.

type absolute: (Optional) Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.

type inactivity: (Optional) Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

limit rate invalid-source-mac: (Optional) Sets the rate limit for bad packets. This rate limit also applies to the port where DHCP snooping security mode is enabled as filtering the IP and MAC address.

N | none: (Optional) Supplies a rate limit (N) or indicates none (none).

mac-address mac-address: (Optional) Specifies a secure MAC address for the interface; a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value that is configured.

sticky: (Optional) Configures the dynamic addresses as sticky on the interface.

vlan access: (Optional) Deletes the secure MAC addresses from access VLANs.

vlan voice: (Optional) Deletes the secure MAC addresses from voice VLANs.

maximum value: (Optional) Sets the maximum number of secure MAC addresses for the interface. Valid values are from 1 to 3072. The default setting is 1.

violation: (Optional) Sets the security violation mode and action to be taken if port security is violated.

restrict: (Optional) Sets the security violation restrict mode. In this mode, a port security violation restricts data and causes the security violation counter to increment.

shutdown: (Optional) Sets the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error disabled.

Defaults

The default settings are as follows:

• Port security is disabled.
• When port security is enabled and no keywords are entered, the default maximum number of secure MAC addresses is 1.
• Aging is disabled.
• Aging time is 0 minutes.
• All secure addresses on this port age out immediately after they are removed from the secure address list.
 
jskfanAuthor Commented:
I am not in the lab room now.
I believe I entered at the interface level:
switchport port-security violation shutdown

 
Ernie BeekExpertCommented:
Well, just check to see what ports are secure: sh port-security
 
pilson66Commented:
If you use violation shutdown, the port will shut down if you plug a device with another MAC into this port.
 
Ernie BeekExpertCommented:
One of my switches. On port f0/1 I issued switchport port-security, and on port f0/2 I didn't do anything.

Switch08#sh port-security int f0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Switch08#sh port-security int f0/2
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0


So my guess is that you might have enabled this on another port (?)
 
jskfanAuthor Commented:
I believe I entered at the interface level:

switchport port-security mac-address sticky
switchport port-security violation shutdown
 
pilson66Commented:
You didn't enter how many MACs are to be stored as sticky.
 
Ernie BeekExpertCommented:
I think it is best (when you're in the lab) to first check which ports are secured.
 
Don JohnstonInstructorCommented:
>I believe, I entered at the interface level: Switchport port-security violation shutdown.

This command only defines what happens when there is a violation. It does not enable port security.

To enable port security, you need to issue the command: switchport port-security
 
Ernie BeekExpertCommented:
I rest my case ;)
 
Don JohnstonInstructorCommented:
Motion granted. :-D
 
Ernie BeekExpertCommented:
Thank you your honor :))
 
jskfanAuthor Commented:
I am back in the lab and readjusted the config, then ran show port-security. Is this how it is supposed to be configured?

Switch2#sh run interface fastEthernet 0/3
Building configuration...

Current configuration : 215 bytes
!
interface FastEthernet0/3
 switchport access vlan 33
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 
===================================================
Switch2#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/3              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120

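An added check, not from the thread or from Cisco, that automates what Don Johnston's comment and the corrected config above show: it parses "show port-security interface" output and an interface's running config and flags ports where sub-options such as violation shutdown or mac-address sticky are set but the bare switchport port-security line that enables the feature is missing. The sample inputs are the thread's own outputs embedded as constructed strings, and all function names are my own.

```python
import re

# Constructed sample: the "show port-security interface" output from the thread,
# where port security was never enabled on Fa0/3 (only options were set).
SHOW_PORTSEC_DISABLED = """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Constructed sample: the original mistake, sub-options without the enabling line.
RUN_INT_BROKEN = """\
interface FastEthernet0/3
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
"""

# Each show line is "Field   : value"; the field itself may contain a colon.
FIELD_RE = re.compile(r"^(\S.*?)\s+:\s*(.*)$")

def parse_portsec_interface(text):
    """Map each line of 'show port-security interface' output to field -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def audit_portsec_interface(text):
    """Return findings for one port; an empty list means nothing to flag."""
    f = parse_portsec_interface(text)
    if f.get("Port Security") != "Enabled":
        return ["port security disabled: no MAC filtering on this port"]
    if f.get("Port Status") == "Secure-down":
        return ["secure-down: port is not up, no addresses learned yet"]
    return []

def audit_running_config(text):
    """Flag 'switchport port-security <option>' lines that appear without the bare
    'switchport port-security' command, which is what actually enables the feature."""
    lines = [ln.strip() for ln in text.splitlines()]
    options = [ln for ln in lines if ln.startswith("switchport port-security ")]
    if options and "switchport port-security" not in lines:
        return ["options set but feature not enabled: " + "; ".join(options)]
    return []
```

Run audit_running_config over each "show run interface" block after configuring, and audit_portsec_interface over each port's show output, to catch the Disabled-with-options state before trusting the port.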
 
Don JohnstonInstructorCommented:
Looks good to me.
 
Ernie BeekExpertCommented:
Looking good!
As far as I can see from my phone...
 
jskfanAuthor Commented:
Thank you for your help, guys!!
 
jskfanAuthor Commented:
Excellent!!