cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
385
Views
2
Helpful
9
Replies

Port Security Violation

Sr7nyx
Level 1
Level 1

give me a simple topology and simple layer2 switch configuration to trigger this error message related to port security violation in cisco packet tracer

2 Accepted Solutions

Accepted Solutions

config two post with port security with following :-
1- Max mac is One 
2- port security sticky  

then connect PC to one port then move it connect to other port 
this will violate the security and generate error 

MHM

View solution in original post

M02@rt37
VIP
VIP

Hello @Sr7nyx 

To make it easy ; in order to trigger a port security violation in packet tracer, set up a simple topology with two PC connected to a switch. Assign IP addresses to the PCs and configure the switch by enabling port security on the port connected to the first PC (Fa0/1). Limit the port to learn only one MAC address and set the violation mode to `shutdown`. Connect PC1 to Fa0/1, allowing the switch to learn its MAC address. Then, disconnect PC1 and connect PC2 to the same port, which will trigger the violation as the switch detects a different MAC address on Fa0/1.

When PC2 connects to Fa0/1, the switch will recognize a port security violation because it is configured to only accept the MAC address of PC1. Consequently, the switch will place Fa0/1 into an `err-disabled` state, effectively shutting down the port to prevent unauthorized access. This action ensures network security by restricting port access based on predefined rules. You can verify the violation by using commands like `show port-security interface fa0/1` and `show interfaces status err-disabled`, which will display the port security status and identify the ports that have been disabled due to security violations.

---

Example:

** Configure interface Fa0/1 **
Switch(config)# interface Fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# exit

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

check below example to start with : (may be all device not support that security feature, check the device support in PT to test it).

https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/port_sec.html

https://www.youtube.com/watch?v=Rnq2LM7YY3Y

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

config two post with port security with following :-
1- Max mac is One 
2- port security sticky  

then connect PC to one port then move it connect to other port 
this will violate the security and generate error 

MHM

M02@rt37
VIP
VIP

Hello @Sr7nyx 

To make it easy ; in order to trigger a port security violation in packet tracer, set up a simple topology with two PC connected to a switch. Assign IP addresses to the PCs and configure the switch by enabling port security on the port connected to the first PC (Fa0/1). Limit the port to learn only one MAC address and set the violation mode to `shutdown`. Connect PC1 to Fa0/1, allowing the switch to learn its MAC address. Then, disconnect PC1 and connect PC2 to the same port, which will trigger the violation as the switch detects a different MAC address on Fa0/1.

When PC2 connects to Fa0/1, the switch will recognize a port security violation because it is configured to only accept the MAC address of PC1. Consequently, the switch will place Fa0/1 into an `err-disabled` state, effectively shutting down the port to prevent unauthorized access. This action ensures network security by restricting port access based on predefined rules. You can verify the violation by using commands like `show port-security interface fa0/1` and `show interfaces status err-disabled`, which will display the port security status and identify the ports that have been disabled due to security violations.

---

Example:

** Configure interface Fa0/1 **
Switch(config)# interface Fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# exit

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

i did exactly as you told but still i dont getting the error this is my switch configuration : 

Switch>enable

Switch#

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#interface FastEthernet0/1

Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security

Switch(config-if)#switchport port-security maximum 1

Switch(config-if)#switchport port-security violation shutdown

Switch(config-if)#switchport port-security mac-address sticky

Switch(config-if)#end

Switch#

Ad I mention you need two port config with port secuirty 

Connect one PC to first port then reconnect it to second port 

You sure get leg error

MHM

still aint getting it , this is my both port security configurations : 

Switch#show port-security interface fa0/1

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 1

Last Source Address:Vlan : 0001.6457.EDD7:1

Security Violation Count : 0

 

Switch#show port-security interface fa0/2

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Shutdown

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 0

Last Source Address:Vlan : 00E0.8F57.A26B:1

Security Violation Count : 0

 

You use two different PC to test 

Use same PC 00E0.8F57.A26B:1  connect to port f0/1

MHM

im dont getting the error message but it disables the interface when i tried to ping each other so technically it works but the error message isnt there !! i need the error message to be in my report

If this is packet tracer use new ver. (Update it)

It can bug 

MHM

Review Cisco Networking for a $25 gift card