09-13-2005 10:16 PM - edited 03-03-2019 12:02 AM
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0000.0000.1111
That is the generic setup we do for our switches. This is my first time really using port-security, and we're getting users calling in when they decide to switch ports on us, so I would say it's working effectively.
My question is: Is there a way to view or tftp the log for a particular switch that has a port in err-disabled and have it tell me what unique MAC address *tried* to connect to the port?
Rephrased: How can I see the non-sticky MAC address that put the port in "err-disabled."
Sorry if my wording is hard to understand. It makes sense in my head 8)
09-13-2005 11:09 PM
Hi,
Did you check the switch logs? What does "show log" give you? I think the switch logs the events in its buffer.
You can have logging enabled on a server too, and you need a syslog server for that.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swlog.htm
HTH,
-amit singh
09-14-2005 03:29 AM
Can I ask - I'm just about to implement port security on our switches.
If you leave off the last command:
>> switchport port-security mac-address sticky 0000.0000.1111
Will the switch automatically use the current MAC address using the port as the secured (authorised) MAC?
Can you do the above commands on all switch-ports at once (i.e., with a single command)?
Lastly - if the switch is rebooted or loses power, will port security (and the list of secure MACs) remain or will they be wiped?
Cheers!
09-14-2005 03:38 AM
Be warned that I am no port-security expert, but this is my experience: 8)
You do not need the last sticky command, I was just including this to show that the sticky option did indeed nail a MAC addy to the port.
When you issue the sticky command, it will take whatever dynamically learned (currently attached) MAC address is connected and turn that into a "sticky" (or static) address.
Yes, as far as I know, this will "stick" even after a reload.
And as far as all the ports, be extra careful you don't accidentally port-secure a trunked interface.
But yes, this can be done to a range.
config t
int range fa0/1 - 24
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
end
sh port-security
(I realize the 'maximum 1' is redundant, but I like to see it in the 'sh run' output)
09-14-2005 03:44 AM
Thanks for your prompt response. We don't run any trunking or VLANs on our network so that's not a problem.
Thanks again.
09-14-2005 03:42 AM
I verified this on my Cat6500. To me it clearly throws up a syslog message saying which MAC address did the violation. I am not sure which image you are using; please use the latest image and verify.
BOX1(config-if)#
02:44:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/16, changed state to down
02:44:33: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Gi4/16, putting Gi4/16 in err-disable state
02:44:33: %LINK-3-UPDOWN: Interface GigabitEthernet4/16, changed state to down
02:44:33: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0058 on port GigabitEthernet4/16.
02:44:32: %PM-SP-STDBY-4-ERR_DISABLE: psecure-violation error detected on Gi4/16, putting Gi4/16 in err-disable state
BOX1(config-if)#
Thx
Shesh
09-14-2005 03:53 AM
Hmm, well that would solve my problem then.
I guess the best thing for me to do is setup a syslog server and have the switches log to them.
Which severity level would pertain to those err-disable messages? Warnings (4) or Notifications (5)? I would like to keep the log traffic to a minimum, so I would guess one of these levels would suffice for me.
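As an added example (not posted by anyone in this thread), a small Python parser over the Cat6500 syslog lines Shesh quoted: it pulls the offending non-sticky MAC and port out of the PSECURE_VIOLATION message and shows which of these messages a given `logging trap` level would forward to a syslog server. The trap-level keyword table is the standard IOS severity scale; the sample log is constructed from the lines above.

```python
import re

# Constructed sample input: the Catalyst 6500 syslog lines quoted in the thread,
# as a syslog server would receive them from the switch.
SAMPLE_LOG = """\
02:44:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet4/16, changed state to down
02:44:33: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Gi4/16, putting Gi4/16 in err-disable state
02:44:33: %LINK-3-UPDOWN: Interface GigabitEthernet4/16, changed state to down
02:44:33: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0058 on port GigabitEthernet4/16.
02:44:32: %PM-SP-STDBY-4-ERR_DISABLE: psecure-violation error detected on Gi4/16, putting Gi4/16 in err-disable state
"""

# IOS message header: %FACILITY[-SUBFACILITY...]-SEVERITY-MNEMONIC: text
HEADER_RE = re.compile(r"%(?P<facility>[A-Z_]+(?:-[A-Z_]+)*?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)")
# Body of PSECURE_VIOLATION: the offending (non-sticky) MAC and the port it hit
VIOLATION_RE = re.compile(r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>[A-Za-z]+[\d/]+)")

# 'logging trap <level>' keywords and the numeric severity each one means
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def parse_line(line):
    """Return the header fields of one IOS syslog line, or None if it has none."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def violations(log_text):
    """List (mac, port) for every port-security violation found in the log."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "PSECURE_VIOLATION":
            v = VIOLATION_RE.search(rec["text"])
            if v:
                found.append((v.group("mac").lower(), v.group("port")))
    return found


def forwarded_at(log_text, trap_level):
    """Mnemonics the switch would send to syslog under 'logging trap <trap_level>'.
    IOS forwards a message when its severity number is <= the configured level."""
    limit = TRAP_LEVELS[trap_level]
    return [rec["mnemonic"] for rec in map(parse_line, log_text.splitlines())
            if rec and rec["severity"] <= limit]
```

On these lines the violation itself is severity 2 and the err-disable event severity 4, so `logging trap warnings` forwards both while dropping the LINEPROTO-5 noise.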