7388 Views | 5 Helpful | 5 Replies

Port Security is Not working

Zargham Haider
Level 1

Dear All,

I have a network consisting of more than 20 Cisco 2950/2960/3700 switches. I have configured port security on my switches. Initially, when I configured it on my switches, it worked fine; even for a couple of months it worked fine. But suddenly it started creating issues, and now I am not able to implement port security on the switches. The configuration is the same, but there is no effect now. I am very tired of this. The same switches were fine, but now, even with the same configuration, it is not working. Please see the configuration:

The version I have is 12.2(50)SE5.

switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown

81#sh por int fa 0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 1803.73a5.b51e
Security Violation Count   : 0

Version 12.1(22)EA4

interface FastEthernet0/2
switchport access vlan 101
switchport mode access
switchport port-security
shutdown

101#sh por int fa 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 111f.72e4.xxxx:xxx
Security Violation Count   : 0

Please see these configurations and help me sort out this issue.

Regards
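A triage script for the outputs quoted above, added here as an example; it is not Cisco code and not part of the original post. It needs only the Python standard library. The field names, the two `sh por int` outputs and the Fa0/1 interface stanza are taken from the post; the `Secure-shutdown` status string used for the err-disabled case is the one IOS prints when port security itself has disabled a port.

```python
"""Triage helper for 'show port-security interface' output (added example,
not Cisco code and not the original poster's). It parses the two outputs and
the interface stanza quoted in the post and reports whether the port is
err-disabled by a violation, administratively shut down, down with no link,
or up. The MAC addresses are the ones the poster quoted."""
import re

# Constructed sample input: the outputs quoted in the post.
SHOW_FA0_2 = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 1803.73a5.b51e
Security Violation Count   : 0
"""
SHOW_FA0_1 = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 111f.72e4.xxxx:xxx
Security Violation Count   : 0
"""
# Interface stanza as quoted in the post; note the trailing 'shutdown'.
CONFIG_FA0_1 = """\
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 switchport port-security
 shutdown
"""

# The separator is a space-padded colon, so the lazy key stops at the first
# '<spaces>:' and 'Last Source Address:Vlan' stays one key.
_FIELD = re.compile(r"^(.+?)\s+:\s*(.*?)\s*$")


def parse_show_port_security(text):
    """Return the 'Key : Value' lines as a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            fields[key] = int(value) if value.isdigit() else value
    return fields


def is_admin_shutdown(config_text):
    """True when the interface stanza carries a bare 'shutdown' line."""
    return any(line.strip() == "shutdown" for line in config_text.splitlines())


def diagnose(fields, config_text=""):
    """Classify the port; returns {'state': ..., 'notes': [...]}."""
    status = fields.get("Port Status", "")
    violations = fields.get("Security Violation Count", 0)
    notes = []
    if status == "Secure-shutdown":          # what IOS shows after a violation
        state = "err-disabled"
        notes.append(f"{violations} violation(s); 'shutdown' then 'no shutdown' "
                     "on the interface re-enables the port")
    elif status == "Secure-down":
        if is_admin_shutdown(config_text):
            state = "admin-down"
            notes.append("interface is configured 'shutdown'; port security "
                         f"did not act ({violations} violations)")
        else:
            state = "link-down"
            notes.append("no link on the port; nothing for port security to do")
    else:
        state = "secure-up"
        notes.append(f"{fields.get('Total MAC Addresses', 0)} of "
                     f"{fields.get('Maximum MAC Addresses', 0)} secure addresses in use")
    if (fields.get("Maximum MAC Addresses") == 1
            and fields.get("Configured MAC Addresses") == 0
            and fields.get("Sticky MAC Addresses") == 0):
        notes.append("maximum 1 with a dynamically learned address: any second "
                     "MAC (cable swap, IP phone) is a violation")
    return {"state": state, "notes": notes}


if __name__ == "__main__":
    print("Fa0/2:", diagnose(parse_show_port_security(SHOW_FA0_2)))
    print("Fa0/1:", diagnose(parse_show_port_security(SHOW_FA0_1), CONFIG_FA0_1))
```

Run on the poster's own output, Fa0/1 classifies as admin-down: the stanza ends in `shutdown` and the violation count is 0, so port security never acted on that port. A port that port security disabled shows `Secure-shutdown` and a non-zero violation count instead, which is the case to look for before concluding that the feature "is not working".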

5 Replies

jawad-mukhtar
Level 4

As you have seen, a violation has occurred, due to which the port has been shut down. To enable the port again, go under the interface and issue the no shut command again.

Protect:

Ignores all traffic on the interface


Restrict:

Ignores all traffic on the interface, but sends SNMP trap.


Shutdown (default):

Shuts the port down and does not allow device to connect.

You can use Restrict rather than having the port shut down if a violation is caused by anyone.

Also, you have not configured a MAC address in port security.

switchport port-security maximum 2            (Two MAC addresses)
switchport port-security mac-address sticky 1111.1111.1111 (Sticky is used if you don't know the MAC; when a PC is connected to that port it automatically binds that MAC)

DO RATE ALL HELPFUL POSTS

Jawad

Julio Carvajal
VIP Alumni

Hello,

On that particular output I do not see any issues; all I see is the port in the down status.

What else do you have that we could use to help you, man?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

have you tried

Clear all dynamically learned addresses

clear port-security dynamic

wr

or

removing your port-sec config and re-enabling it.

int fa x/x

no switchport port-security

do wr

switchport port-security

switchport port-security violation shutdown/restrict/protect

switchport port-security mac-address sticky

applying aging and inactivity timers

switchport port-security aging time xx

switchport port-security aging type inactivity

do wr

Don't forget to save your config after each change.

res

Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Giuseppe Larosa
Hall of Fame

Hello Zargham,

>> same switches were fine but now even having same configuration it is not working.

You are not explaining what is not working now.

About your port security configuration:


>>switchport port-security maximum 1

This command is simply too strict: it does not allow swapping the LAN cables of two PCs without causing a violation.

And when the violation occurs the port is error disabled and then you need to re-enable it manually.

My guess is that you are complaining of this.

I would suggest using a different setting that allows for a cable swap between PCs:

switchport port-security maximum 3

If you have IP phones, you need to consider that during boot-up the IP phones are members of the data VLAN before joining the voice VLAN, so an IP phone's MAC address may count as two for port security purposes.

Hope to help

Giuseppe
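The three replies above each touch one knob of the feature: Jawad's list of violation modes, Paul's aging and inactivity timers, and Giuseppe's point that `maximum 1` trips on a cable swap and that an IP phone can consume two entries. The model below is an added example, not Cisco code and not any reply's own; it puts those knobs into one small state machine so the outcomes can be checked side by side. The MAC addresses, VLAN numbers and minute timings are constructed. The mode behaviour follows Cisco's documented semantics: protect drops frames from unknown sources silently, restrict drops them and raises the violation counter and a trap, shutdown err-disables the port.

```python
"""Model of the port-security decisions discussed in the replies (added
example, not Cisco code): maximum-MAC count, the three violation modes and
absolute/inactivity aging. Time is simulated in whole minutes; the MAC
addresses are constructed."""


class SecurePort:
    """One access port. Secure entries are keyed by (mac, vlan), the way the
    switch counts them on a port that also carries a voice VLAN."""

    def __init__(self, maximum=1, violation="shutdown", aging_time=0,
                 aging_type="absolute"):
        self.maximum = maximum
        self.violation = violation        # 'protect', 'restrict' or 'shutdown'
        self.aging_time = aging_time      # minutes; 0 disables aging
        self.aging_type = aging_type      # 'absolute' or 'inactivity'
        self.secure = {}                  # (mac, vlan) -> [learned_at, last_seen]
        self.errdisabled = False
        self.violation_count = 0          # the 'Security Violation Count' field
        self.traps = 0                    # SNMP trap / syslog notifications

    def _age_out(self, now):
        """Drop entries whose timer expired; a no-op when aging is off."""
        if self.aging_time == 0:
            return
        for key, (learned, last_seen) in list(self.secure.items()):
            ref = last_seen if self.aging_type == "inactivity" else learned
            if now - ref >= self.aging_time:
                del self.secure[key]

    def frame(self, mac, now, vlan=1):
        """Process one ingress frame; returns 'forward', 'drop' or 'errdisable'."""
        if self.errdisabled:
            return "errdisable"           # nothing passes until re-enabled
        self._age_out(now)
        key = (mac, vlan)
        if key in self.secure:
            self.secure[key][1] = now     # refresh the inactivity timer
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[key] = [now, now]  # learn it dynamically
            return "forward"
        # Unknown source on a full table: this is the violation.
        if self.violation == "protect":
            return "drop"                 # silent: no trap, counter unchanged
        self.violation_count += 1
        self.traps += 1
        if self.violation == "restrict":
            return "drop"                 # secure hosts keep working
        self.errdisabled = True           # shutdown mode: port is err-disabled
        return "errdisable"

    def reenable(self):
        """Manual 'shutdown' / 'no shutdown'; dynamic entries are lost."""
        self.errdisabled = False
        self.secure.clear()


def cable_swap(maximum):
    """PC-A is unplugged and PC-B plugged into the same port five minutes later."""
    port = SecurePort(maximum=maximum)
    port.frame("0000.aaaa.0001", now=0)
    return port.frame("0000.bbbb.0002", now=5)


def phone_and_pc(maximum):
    """Phone talks in the data VLAN while booting, then in the voice VLAN,
    then the PC behind it talks in the data VLAN."""
    port = SecurePort(maximum=maximum)
    port.frame("0000.cccc.0003", now=0, vlan=101)
    port.frame("0000.cccc.0003", now=1, vlan=200)
    return port.frame("0000.dddd.0004", now=2, vlan=101)


def violation_modes():
    """Second MAC on a maximum-1 port: mode -> (result, count, errdisabled)."""
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=1, violation=mode)
        port.frame("0000.aaaa.0001", now=0)
        out[mode] = (port.frame("0000.bbbb.0002", now=1),
                     port.violation_count, port.errdisabled)
    return out


def swap_after_idle(aging_time):
    """cable_swap(1) again, but PC-B arrives after ten idle minutes."""
    port = SecurePort(maximum=1, aging_time=aging_time, aging_type="inactivity")
    port.frame("0000.aaaa.0001", now=0)
    return port.frame("0000.bbbb.0002", now=10)


if __name__ == "__main__":
    print(cable_swap(1), cable_swap(3))            # errdisable forward
    print(phone_and_pc(2), phone_and_pc(3))        # errdisable forward
    print(violation_modes(), swap_after_idle(0), swap_after_idle(5))
```

With the poster's settings (`maximum 1`, `violation shutdown`, no aging) the swap and the phone-plus-PC cases both end in err-disable, and every later frame from any MAC is blocked until `shutdown` / `no shutdown` is issued, which matches the manual re-enable Jawad describes. Raising the maximum or adding inactivity aging keeps the port up; restrict keeps the known hosts working and still records the event, which is the mode to prefer when the goal is detection rather than outage. IOS can also re-enable such ports on a timer with `errdisable recovery cause psecure-violation`, a command not mentioned in the thread.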

You have configured the port security violation mode to Shutdown. This means if anyone removes and inserts a PC with another MAC, your port will be shut down and you will not be able to communicate.

Can you paste the show running output of any interface?

Jawad