02-24-2013 12:49 AM - edited 03-07-2019 11:54 AM
Dear All,
I have a network consisting of more than 20 Cisco 2950/2960/3700 switches. I have configured port security on my switches. Initially, when I configured it, it worked fine, even for a couple of months. But suddenly it started creating issues, and now I am not able to implement port security on the switches. The configuration is the same but there is no effect now. I am very tired of this. The same switches were fine, but now, even with the same configuration, it is not working. Please see the configuration:
The version I have is 12.2(50)SE5
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
81#sh por int fa 0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 1803.73a5.b51e
Security Violation Count : 0
Version 12.1(22)EA4
interface FastEthernet0/2
switchport access vlan 101
switchport mode access
switchport port-security
shutdown
101#sh por int fa 0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 111f.72e4.xxxx:xxx
Security Violation Count : 0
Please see this configuration and help me to sort out this issue.
Regards
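For a fleet of 20+ switches, the two `show port-security interface` outputs above are easier to triage in bulk than by eye. The following is an added example (not code from the thread or from Cisco): a small Python parser that splits concatenated show output per port and reports whether a port is actually err-disabled by a violation (status Secure-shutdown or a non-zero violation count) or merely down without any violation. The sample input is constructed from the two outputs pasted in the post; the prompt/command regex is an assumption about how the captures were pasted.

```python
import re

# Constructed sample: the two "show port-security interface" outputs from the post.
SAMPLE = """\
81#sh por int fa 0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Last Source Address : 1803.73a5.b51e
Security Violation Count : 0
101#sh por int fa 0/1
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Last Source Address:Vlan : 111f.72e4.xxxx:xxx
Security Violation Count : 0
"""

# Assumed prompt shape: "<hostname>#sh[ow] por[t-security] int[erface] <port>"
PROMPT = re.compile(r"^(\S+)#sh\w*\s+por\S*\s+int\S*\s+(.+)$")

def parse(text):
    """Return {"<host> <port>": {field: value}} for each show block in text."""
    ports, cur = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            cur = ports.setdefault(f"{m.group(1)} {m.group(2).strip()}", {})
            continue
        if cur is not None and " : " in line:      # "Field : value" rows only
            key, val = line.split(" : ", 1)
            cur[key.strip()] = val.strip()
    return ports

def classify(p):
    """Distinguish a port-security violation from an ordinary down port."""
    if p.get("Port Status") == "Secure-shutdown" or int(p.get("Security Violation Count", 0)) > 0:
        return "violation: port is err-disabled, re-enable it or use errdisable recovery"
    if p.get("Port Status") == "Secure-down":
        return "no violation: link down or administratively shut, not a port-security event"
    if p.get("Total MAC Addresses") == p.get("Maximum MAC Addresses"):
        return "ok: secure-up, but at the MAC limit, so a second address trips the violation action"
    return "ok: secure-up"

def triage(text):
    return {name: classify(p) for name, p in parse(text).items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```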
02-24-2013 07:14 AM
As you have seen, a violation has occurred, due to which the port has been shut down. To enable the port again, go under the interface and issue the no shut command again.
Protect:
Ignores all traffic on the interface
Restrict:
Ignores all traffic on the interface, but sends an SNMP trap.
Shutdown (default):
Shuts the port down and does not allow the device to connect.
You can use Restrict rather than having the port shut down if a violation is caused by anyone.
Also, you have not configured a MAC address in port security:
switchport port-security maximum 2 (two MAC addresses)
switchport port-security mac-address sticky 1111.1111.1111 (Sticky is used if you don't know the MAC; when a PC is connected to that port it automatically binds that MAC)
DO RATE ALL HELPFUL POSTS
02-24-2013 09:31 AM
Hello,
In that particular output I do not see any issues; all I see is the port in the down status.
What else do you have that we could use to help you, man?
02-24-2013 03:13 PM
Hello,
Have you tried clearing all dynamically learned addresses:
clear port-security dynamic
wr
or
removing your port-sec config and re-enabling it:
Int fax/x
no switchport port-security
do wr
switchport port-security
switchport port-security
switchport port-security violation shutdown/restrict/protect
switchport port-security mac-address sticky
applying aging and inactivity timers
switchport port-security aging time xx
switchport port-security aging type inactivity
do wr
Don't forget to save your config after each change.
Regards
Paul
Please don't forget to rate this post if it has been helpful.
02-25-2013 12:52 AM
Hello Zargham,
>> same switches were fine but now even having same configuration it is not working.
You are not explaining what is not working now.
About your port security configuration:
>>switchport port-security maximum 1
This command is simply too strict; it does not allow swapping the LAN cables of two PCs without causing a violation.
And when the violation occurs, the port is error-disabled and then you need to re-enable it manually.
My guess is that you are complaining of this.
I would suggest using a different setting that allows for a cable swap between PCs:
switchport port-security maximum 3
If you have IP phones, you need to consider that during boot-up the IP phones are members of the data VLAN before joining the voice VLAN, so an IP phone MAC address may count as two for port security purposes.
Hope to help
Giuseppe
02-25-2013 01:46 AM
You have configured the port security violation mode to Shutdown. This means that if anyone removes and inserts a PC with another MAC, your port will be shut down and you will not be able to communicate.
Can you paste the show running of any interface?