Port Security Violation

Sr7nyx
Level 1

Give me a simple topology and a simple Layer 2 switch configuration to trigger this error message related to a port security violation in Cisco Packet Tracer.


9 Replies

balaji.bandi
Hall of Fame

Check the examples below to start with (not every device may support that security feature; check device support in PT before testing it).

https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/port_sec.html

https://www.youtube.com/watch?v=Rnq2LM7YY3Y

 

BB


Configure two ports with port security with the following:
1- Max MAC is one
2- Port security sticky

Then connect a PC to one port, then move it and connect it to the other port.
This will violate the security and generate the error.

MHM

M02@rt37
VIP

Hello @Sr7nyx

To make it easy: in order to trigger a port security violation in Packet Tracer, set up a simple topology with two PCs connected to a switch. Assign IP addresses to the PCs and configure the switch by enabling port security on the port connected to the first PC (Fa0/1). Limit the port to learning only one MAC address and set the violation mode to `shutdown`. Connect PC1 to Fa0/1, allowing the switch to learn its MAC address. Then disconnect PC1 and connect PC2 to the same port, which will trigger the violation as the switch detects a different MAC address on Fa0/1.

When PC2 connects to Fa0/1, the switch will recognize a port security violation because it is configured to accept only the MAC address of PC1. Consequently, the switch will place Fa0/1 into an `err-disabled` state, effectively shutting down the port to prevent unauthorized access. This action ensures network security by restricting port access based on predefined rules. You can verify the violation with commands like `show port-security interface fa0/1` and `show interfaces status err-disabled`, which display the port security status and identify the ports that have been disabled due to security violations.

---

Example:

** Configure interface Fa0/1 **
Switch(config)# interface Fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# exit

Best regards

I did exactly as you told me, but I'm still not getting the error. This is my switch configuration:

Switch>enable
Switch#
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#end
Switch#

As I mentioned, you need two ports configured with port security.

Connect one PC to the first port, then reconnect it to the second port.

You will surely get the log error.

MHM

I'm still not getting it. These are both of my port security configurations:

Switch#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.6457.EDD7:1
Security Violation Count : 0

Switch#show port-security interface fa0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.8F57.A26B:1
Security Violation Count : 0

 

You used two different PCs to test.

Use the same PC (00E0.8F57.A26B:1) and connect it to port f0/1.

MHM
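As an added example that is not part of the original thread: a small Python model of the decision a port-secured switch port makes for each incoming source MAC (forward, learn, or violate), seeded from the two `show port-security interface` outputs the OP pasted above. It reproduces the thread's diagnosis: with one PC per port, each port's single slot is filled by that PC's own address, so `Security Violation Count` stays 0 on both; only when the Fa0/2 PC's MAC shows up on Fa0/1, whose slot already belongs to the other PC, does the `shutdown` mode err-disable the port. The sticky setting only decides whether a learned address is written to the running-config; it does not change the violation decision. The model is a simplification of IOS behaviour (no aging, one VLAN, the secured address is assumed to be the `Last Source Address` when exactly one MAC is secured), and it does not reproduce the console message the OP is after; the `mode_comparison` helper and the `Fa0/3` port are constructed for illustration.

```python
"""Model of how a port-secured Cisco switch port decides to forward, learn or
violate, seeded from `show port-security interface` output.  Added example:
a simplified model of IOS behaviour (no aging, one VLAN), not Cisco code."""
from dataclasses import dataclass, field

# The two `show port-security interface` outputs pasted by the OP above
# (Fa0/2 differs only in the sticky count and the learned MAC).
SHOW_FA0_1 = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0001.6457.EDD7:1
Security Violation Count : 0
"""
SHOW_FA0_2 = (SHOW_FA0_1.replace("Sticky MAC Addresses : 1", "Sticky MAC Addresses : 0")
              .replace("0001.6457.EDD7", "00E0.8F57.A26B"))


def parse_show_port_security(text):
    """'Key : Value' lines -> dict.  Splitting on ' : ' (not on the first ':')
    keeps the 'Last Source Address:Vlan' key intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"      # shutdown | restrict | protect
    secure_macs: set = field(default_factory=set)
    status: str = "Secure-up"
    violation_count: int = 0

    @classmethod
    def from_show(cls, name, text):
        """Seed the model from show output.  Assumption: with at most one
        secured address, 'Last Source Address' is that address."""
        f = parse_show_port_security(text)
        port = cls(name, int(f["Maximum MAC Addresses"]), f["Violation Mode"].lower(),
                   status=f["Port Status"],
                   violation_count=int(f["Security Violation Count"]))
        if int(f["Total MAC Addresses"]) > 0:
            port.secure_macs.add(f["Last Source Address:Vlan"].split(":")[0].lower())
        return port

    def receive(self, src_mac):
        """What the port does with a frame from src_mac.  Sticky only changes
        whether a learned address lands in running-config, not this logic."""
        mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return "dropped: port is err-disabled"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)             # free slot: learn, no violation
            return "learned"
        # Every slot is held by another MAC: this is the violation.
        if self.violation == "protect":
            return "violation: dropped silently"  # no counter, no syslog
        self.violation_count += 1
        if self.violation == "restrict":
            return "violation: dropped, counter incremented"
        self.status = "Secure-shutdown"           # shutdown mode: err-disable
        return "violation: port err-disabled"


def replay_thread():
    """The OP's test (a different PC on each port) never violates; moving the
    Fa0/2 PC onto Fa0/1, as MHM asked, does."""
    fa1 = SecurePort.from_show("Fa0/1", SHOW_FA0_1)
    fa2 = SecurePort.from_show("Fa0/2", SHOW_FA0_2)
    pc1, pc2 = "0001.6457.EDD7", "00E0.8F57.A26B"
    return {
        "pc1_on_fa1": fa1.receive(pc1),   # its own sticky address
        "pc2_on_fa2": fa2.receive(pc2),   # Fa0/2 had already learned it
        "pc2_on_fa1": fa1.receive(pc2),   # the only slot belongs to pc1
        "pc1_after": fa1.receive(pc1),    # even the allowed PC is now cut off
        "fa1_status": fa1.status,
        "fa1_violations": fa1.violation_count,
    }


def mode_comparison(mode):
    """Same three frames against an empty, hypothetical Fa0/3 in each mode."""
    port = SecurePort("Fa0/3", maximum=1, violation=mode)
    frames = ["aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0001"]
    return [port.receive(m) for m in frames], port.status, port.violation_count


if __name__ == "__main__":
    for k, v in replay_thread().items():
        print(f"{k:15} {v}")
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, *mode_comparison(mode))
```

Run it as a script to see the replay; the `mode_comparison` output is the reason `shutdown` is the mode that produces a visible effect in this lab: `restrict` keeps the port up and only increments the counter, and `protect` drops the offending frames without even counting them, so neither would have disabled the interface the way the OP observed.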

I'm not getting the error message, but it disables the interface when I tried to ping each other, so technically it works, but the error message isn't there! I need the error message to be in my report.

If this is Packet Tracer, use the new version (update it).

It can be buggy.

MHM
