Port security not enabling/ sticky/static

OK, I tried both commands. Port security is not enabling (shows Disabled in the output). It's a Cisco IP phone connected to the port.
static and sticky
H(config-if)#$port-security mac-address 001E.13AF.893C
H(config-if)#no shut
H(config-if)#end
H#show por
H#show port-security in
H#show port-security interface g2/0/38
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Did you enable the port by adding :
switchport port-security
what is the output of "sh run int gi2/0/38"
HTH

Similar Messages

  • Can we do customization using db based MDS where ADF security not enabled?

    JDeveloper 11.1.1.6 : ADF BC + ADF Faces
    Requirement : I want to customize the application across the user session. In this app I have NOT used ADF security. There is siteminder security setup on the server which authenticates the application. The logged in userid/username is available in the request header.
    Now my question is can i customize this app using db based MDS?
    Any help will be appreciated.
    ~Abhijit

    Abhijit,
    My first instinct was to say "of course you must enable ADF Security" and post a link to the docs. However, the docs are silent on this.
    The best quote that I can give you is from [url http://docs.oracle.com/cd/E18941_01/tutorials/jdtut_11r2_18/jdtut_11r2_18.html]here, which says (in step 12):
    Before you can persist user customizations across sessions using MDS as the repository, you must configure ADF Security and create users for the application.John

  • After enabling port-security host is not reachable

    Hi, after we enable port security on the switch the host will not be reachable. Please note that we have some ports on the same switch configured for 802.1x authentication. Below is the configuration for the port:
    interface fa 0/20
    switchport mode access
    switchport access vlan 20
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    switchport port-security mac-address sticky
    1

    hello
    Possibly too restrictive for that... can you post
    sh port-security int fa0/20
    res
    Paul

  • Port Security Sticky Addresses

    Does anyone know if there is a way to automatically clear the mac address on a switchport that has port security sticky addressing enabled. I have the following configured on the port(s):
    switchport mode access
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    spanning-tree portfast
    I can't get it to release the sticky mac-address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the mac of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
    Josh

    It is not possible to age out sticky entries.  With sticky entries, they are added to the running config.  So the only way to remove it is through editing the running config....  If you enter the "no switchport port-security mac-address sticky" interface command, then the mac addresses will be learned dynamically, and will be aged out after 1 minute of inactivity, per your config ...

  • CAM aging time VS Port-security aging time

    Hi All
    Please advise on the following:
    - Without port-security configured, MACs per interface are learnt as "Dynamic" entries and the global CAM aging timer applies (300 seconds) unless tweaked manually.
    - With switchport port-security enabled (without port-security mac-address sticky, which holds onto MACs infinitely) I see MACs being learnt as "Secure-Dynamic" in a show port-security interface gix/x output and as "Static" in the output of show mac address-table interface gix.x .
    What I want to know is, if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too? As I see there is also an option to configure port-security mac-address aging time / type, does this overrule / take precedence over the default CAM aging timer?
    Please assist, it's not documented anywhere and it's driving me a bit nuts!
    Thanks folks

    What I want to know is, if JUST port-security is applied (without mac-address sticky), does the default CAM aging timer of 300 seconds get applied to these MACs too?
    Any aging time you configure with port security will take precedence over the default aging time.
    See this thread for details -
    https://supportforums.cisco.com/discussion/11054341/switchport-port-security-commands-help
    Jon

  • Implementing port security

    I have about a dozen 2960s on which I wish to implement port security. Some users tend to bring their own router and cause mayhem on the network. I've tried DHCP snooping, which doesn't seem to work, and port security testing on a few ports works well.
    What are the recommended steps? All are connected to users and all ports are already in use.
    - Some ports already have a few MAC addresses in the tables, thus I can't just do an across-the-board "switchport port-security maximum 3".
    - It's tedious to go switch by switch, port by port.
    - Is there any mechanism that can convert sticky to static: use "switchport port-security mac-address sticky" first, then convert them to static since the network is OK now?

    The poster above raised some excellent points about an "IT Acceptable Policy". I wouldn't want people allowed to bring in random network equipment, just plugging it in all willy-nilly.
    With DHCP Snooping, you need to understand that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, for which you have two options. You can either turn it off from being checked at the router, or instruct the switch to not install the option to begin with in DHCP Discover packets.
    When you enable DHCP Snooping, this will create the DHCP Snooping database, which will keep track of the DHCP-assigned IP address and the MAC address assigned to each port.
    If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropriately.
    It sounds like you may have a hard time, since they don't seem to really care about security at this place.
    Personally, if it were me, all ports would have BPDU Guard, at a minimum. You can always set up 'errdisable recovery' to deal with recovering ports that have been disabled automatically.
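    The "switch by switch, port by port" tedium in the question above can be reduced by deriving the per-port configuration from what the switch has already learned. The script below is an added example, not anything from the thread: it parses a constructed "show mac address-table dynamic" listing, emits static port-security lines sized to each port's current MAC count, and reports (instead of whitelisting) any port carrying more addresses than a threshold, since that usually means a user-supplied switch or router behind it. The uplink set and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample, in the layout of "show mac address-table dynamic" on a
# 2960; not taken from the poster's switches.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  20    00aa.bbcc.ddee    DYNAMIC     Fa0/2
  10    0011.2233.4477    DYNAMIC     Fa0/3
  10    0011.2233.4488    DYNAMIC     Fa0/3
  10    0011.2233.4499    DYNAMIC     Fa0/3
  10    0011.2233.44aa    DYNAMIC     Fa0/3
  10    0050.5678.9abc    DYNAMIC     Gi0/1
"""

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)


def macs_per_port(table_text):
    """Map each port to the list of MAC addresses currently learned on it."""
    per_port = defaultdict(list)
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            per_port[m.group("port")].append(m.group("mac").lower())
    return dict(per_port)


def build_port_security(per_port, uplinks, review_threshold=3):
    """Return (config_text, ports_to_review).

    Uplinks are skipped entirely. Ports with more MACs than review_threshold
    are listed for a human to look at rather than whitelisted wholesale.
    """
    config_lines = []
    review = []
    for port in sorted(per_port):
        macs = per_port[port]
        if port in uplinks:
            continue
        if len(macs) > review_threshold:
            review.append((port, len(macs)))
            continue
        config_lines.append(f"interface {port}")
        # port security needs a fixed switchport mode, not dynamic negotiation
        config_lines.append(" switchport mode access")
        # raise the maximum before adding more than one static address
        config_lines.append(f" switchport port-security maximum {len(macs)}")
        for mac in macs:
            config_lines.append(f" switchport port-security mac-address {mac}")
        config_lines.append(" switchport port-security violation restrict")
        config_lines.append(" switchport port-security")
    return "\n".join(config_lines), review


if __name__ == "__main__":
    cfg, to_review = build_port_security(macs_per_port(SAMPLE_MAC_TABLE),
                                         uplinks={"Gi0/1"})
    print(cfg)
    print("ports to review:", to_review)
```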

  • Scope of port security

    Hi,
    I experienced a scenario recently where port security was enabled on a switch allowing 3 MAC addresses on a port with sticky. The physical setup was Switch >> media converter >> IP phone >> Laptop.
    Port one had this equipment already in situ and we wanted to add another laptop to the domain.
    We connected a 2nd laptop to port one and successfully joined the domain.
    We did not set up port security on port 2. Upon connecting a new IP phone to port 2, and then moving the 2nd laptop to port 2 also, the phone worked but laptop 2 did not.
    We found that for the laptop to work on port 2 we had to flush port 1.
    My question is: is this default behaviour? May a MAC address only exist on one port as far as port security is concerned? Or might the use of the media converter have stopped the port from recognising the disconnection of the laptop, perhaps?
    Cheers
    Dave

    Hi David Imrie,
    You have to check the configuration of your switch interface. Probably a switch port dynamically learned a MAC address with the "switchport port-security mac-address sticky" command and does not allow another port to learn the MAC address. I recommend you use the "mac-address-table static 0000.1111.2222 vlan x interface fastethernet 0 / x" command to assign it statically.
    You should also check that the "switchport port-security" command is configured on each interface of the switch, because without that no "port-security" command will work.
    IP phones sometimes have multiple MAC addresses assigned, and sometimes this causes problems with networks like yours: Switch >> IP phone media converter >> Laptop. To solve this problem, change the maximum allowed MAC addresses, adding one to the maximum allowed.
    For example, if the maximum is 2, change it to 3:
    Switchx(config-if)# switchport port-security maximum 2
    Switchx(config-if)# no switchport port-security maximum 2
    Switchx(config-if)# switchport port-security maximum 3
    If these solutions do not fix your problem, send me your switch configuration, or
    If this answer was satisfactory for you, please mark the question as Answered.
    Thank you
    Greetings, Johnnatan Rodriguez Miranda.

  • Port Security based on Device Type

    Hi all:
    We need to know whether there is any feature or software that allows to block switch ports for type of devices.
    For instance, we have some switches for IP phones and we do not want to have PCs connected to those ports.
    We know that it can be done using MACs, but, as phones can be moved easily, it implies constant changes on port security.
    Thanks
    Regards

    Apologies if I have not understood the original question. However, can you use port security (max MAC / sticky MAC) to ensure only devices that are currently connected are successful? Other violations will result in the port being shut down.
    You may want to investigate some 802.1x device authentication
    http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
    HTH
    Steve

  • Port-security question

    Hi,
    Can someone explain what psecure-violation is? What causes the following err message to appear and the port disabled?
    TIA.
    PF
    %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa4/7, putting Fa4/7 in err-disable state

    Hello,
    this is from CCO (see also the link below):
    Security Violations
    It is a security violation when one of these situations occurs:
    --> The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
    --> An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
    The default mode when port security is enabled on a port is to put the port in err-disable state, should one of the above occur.
    Understanding Port Security
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225se/3550scg/swtrafc.htm#wp1092001
    HTH,
    GP

  • Port security detecting two MACs on 1 machine.

    I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:
    Version 12.1(19)EA1
    switchport mode access
    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation shutdown
    switchport port-security mac-address sticky
    I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shut down due to MAC address violations. The users swear up and down that their computers have NOT moved or been unplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eyewitnesses (managers sitting by the desk) saying they saw nobody at his desk.
    Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.
    Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventually.
    Anybody ran into this before?
    Thanks.
    Brett

    After a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). It seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users' frustration at being shut off every 30 min or so during the workday. Here are some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.
    interface FastEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky 00e0.988a.7ee6
    no ip address
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                     (Count)      (Count)        (Count)
    Fa0/1              1            1              3            Restrict
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 5463.0007.eb9e on port Fa0/1.
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
    Notice how all 3 violating MACs have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround, although it will shut down the interface temporarily throughout the day. Port security is absolutely needed.
    Thanks for the response Thomas.
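    The violation conditions quoted from CCO in the "Port-security question" thread and the log pattern in this thread both lend themselves to a small log check. The script below is an added example, not code from either thread: it parses constructed PSECURE_VIOLATION syslog lines in the 2950 format (including the wrapped lines and the "Invalid address" suffix seen above), counts violations per port, and flags a port whose offending MACs differ only in the OUI half, the signature that pointed at a faulty NIC here rather than at several machines being moved.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in this thread; not the
# poster's actual log. Lines are wrapped exactly as the switch printed them.
SAMPLE_SYSLOG = """\
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 5463.0007.eb9e on port Fa0/1.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 0011.2233.4455 on port Fa0/7.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 00aa.bbcc.ddee on port Fa0/7.
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+on port\s+"
    r"(?P<port>[A-Za-z]+[0-9/]+)", re.IGNORECASE)


def parse_violations(text):
    """Return [(port, mac), ...] from syslog text, rejoining wrapped lines."""
    records = []
    for line in text.splitlines():
        if "%PORT_SECURITY" in line or not records:
            records.append(line.strip())
        else:
            # no message header: this is the continuation of the previous line
            records[-1] += " " + line.strip()
    events = []
    for rec in records:
        m = VIOLATION_RE.search(rec)
        if m:
            events.append((m.group("port"), m.group("mac").lower()))
    return events


def summarize(events):
    """Per port: violation count, distinct offending MACs, and whether every
    offending MAC shares the same low 24 bits (the device-specific half).
    Several OUIs on one identical device half is what a corrupted source
    address looks like, not what several distinct devices look like."""
    per_port = defaultdict(list)
    for port, mac in events:
        per_port[port].append(mac)
    summary = {}
    for port, macs in per_port.items():
        distinct = sorted(set(macs))
        suffixes = {m.replace(".", "")[-6:] for m in distinct}
        summary[port] = {
            "violations": len(macs),
            "distinct_macs": len(distinct),
            "same_nic_suffix": len(distinct) > 1 and len(suffixes) == 1,
        }
    return summary


if __name__ == "__main__":
    for port, info in sorted(summarize(parse_violations(SAMPLE_SYSLOG)).items()):
        print(port, info)
```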

  • Need a hint for home office / 871 does not support port-security - FPM ?

    Hi,
    I want to realize the following setup:
    - Central Site 871 with Internet Connection and static IP
    - Home office 871 with Internet Connection and static IP. On that home office router, there should be 2 Vlans: 1 for the office work and one for the user's private PC. All Traffic from the "office" Vlan is being put into a VPN to the central site. All Traffic on the other interface is being natted and goes straight to the internet.
    To minimize security issues, I tried to configure port-security, so that the user cannot connect with his private PC to the office LAN ports and vice versa. Unfortunately, port-security seems not to be supported on the 871 (advanced ip services image).
    Now I looked for an alternative... and came across FPM (flexible packet matching).
    If I understood right, you can classify packets for example by their source MAC address and if this field matches a specific value (the MAC of the work PC), packets can be dropped by a policy.
    Of course I cannot avoid that the user connects the work PC together with his private PC (this is then related to the OS security to keep out viruses, worms, trojans, etc.). But I could/want to restrict the internet access with the work PC through "normal" Internet access - the users should not be able to do that (must use the company's proxy).
    I did the following config:
    class-map type access-control match-any c2
    match start l2-start offset 48 size 6 regex "0xabcd1234fedc"
    match field ETHER source-mac regex "abcd1234fedc"
    policy-map type access-control p2
    class c2
    drop
    interface Vlan1
    ip address 192.168.20.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    service-policy type access-control input p2
    service-policy type access-control output p2
    As this feature is quite new, I'm not familiar with its syntax.
    I also tried to use "string" instead of regex, but I'm still able to connect the office PC to the private LAN and I am able to access the "Internet" (currently it's only set up in a lab).
    As I understood so far, the offset is the value in bits, and size is in bytes. Is that correct?
    Has anyone yet some experience with FPM or maybe any hint for me how to realize the requested setup with the 871 routers?
    best regards,
    Andy

    For the FPM feature to work you will need PHDF files for the protocols you want to scan for to be loaded on your routers. The files can be downloaded from cisco's website. In your case you will have to download ether.phdf file.
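    The question above hinges on where the source MAC sits relative to l2-start. The block below is an added example, not configuration from the thread or from Cisco: it builds a constructed Ethernet II frame carrying the thread's example source address and emulates the "match start l2-start offset N size M" window with the assumption that both offset and size count bytes, so the reader can see which window actually covers the source MAC field (bytes 6 to 11) and which one lands in the payload.

```python
import struct

# Constructed Ethernet II frame (not captured from the poster's lab):
# destination MAC, source MAC abcd.1234.fedc (the thread's example value),
# EtherType 0x0800, then 46 bytes of zero padding.
SAMPLE_FRAME = (bytes.fromhex("001122334455")
                + bytes.fromhex("abcd1234fedc")
                + struct.pack("!H", 0x0800)
                + bytes(46))


def ethernet_fields(frame):
    """Split the 14-byte Ethernet II header into its three fields."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(), "src": src.hex(), "ethertype": ethertype}


def fpm_match(frame, offset, size, value_hex):
    """Emulate 'match start l2-start offset OFFSET size SIZE eq VALUE',
    assuming (as this example does) that offset and size are both bytes."""
    window = frame[offset:offset + size]
    return len(window) == size and window == bytes.fromhex(value_hex)


if __name__ == "__main__":
    print(ethernet_fields(SAMPLE_FRAME))
    # offset 6 covers the source MAC; offset 48 is inside the payload
    print("offset 6 :", fpm_match(SAMPLE_FRAME, 6, 6, "abcd1234fedc"))
    print("offset 48:", fpm_match(SAMPLE_FRAME, 48, 6, "abcd1234fedc"))
```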

  • SF300 LAG port doesn't work, LACP will not enable.

    I'm trying to configure something that seems pretty trivial.
    I need 2-3 ports to participate in a LAG port. First off, I get the "Port X belongs to a vlan" message if the participating port is something other than access vlan 1. This is totally useless. I need these ports to be dot1Q tunnels. This happens even if I set the default vlan to 300 (300 is my native or PVID). Another piece that doesn't seem to work is that LACP will not enable, even if I throw in the towel and make my ports access vlan 1. What gives? I've tried this on the only firmware available, which has no patches available yet. I've tried this on 2x 24 ports, and on 2x 48 ports... all the same issue.

    Hi, I just gave it a try; you can see my screen captures below.
    If you are having trouble, have a word with the good folk at the SBSC if the switch is still under phone support coverage.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Maybe play it safe and delete your settings and start again... Here are some screen shots from my attempt.
    I have to admit I enabled LAG and LACP before I created vlan 100.
    You can see I have the same software as you.
    Add the ports and enable LACP at the same time.
    Ports 47 and 48 are still excluded from my tagged VLAN.
    Now I selected the port drop-down for VLAN100 and selected LAG.
    I then received and then modified the following screen capture.
    Note I manually added LAG interface 1 as a tagged member of VLAN 100.
    Why LAG interface 1? Because I created LAG 1 previously, as seen in a previous screen shot above.
    regards Dave

  • Packet drops on 2960 with port-security enabled

    Hello,
    We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure to prevent MAC flooding attacks:
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host is dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Restrict
    Aging Time                 : 1 mins
    Aging Type                 : Inactivity
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 10
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0011.aabb.ccdd:11
    Security Violation Count   : 0
    When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
    I have found similar reports and bugs for the 2950 and 3750:
    https://supportforums.cisco.com/thread/163910
    https://supportforums.cisco.com/message/89560
    https://tools.cisco.com/bugsearch/bug/CSCeg63177
    https://tools.cisco.com/bugsearch/bug/CSCec21652
    Is there anything we can do to fix this?
    Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
    Thank you.

    Hi Alioune,
    This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
    When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
    On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. The broadcast traffic received on any other uplinks of the VEM i.e., those that are not the acting as DR, drop the received broadcast traffic on ingress to the VEM.
    The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
    Regards

  • I am not able to log in to Facebook. It is displaying the message "Cookies are not enabled on your browser. Please adjust this in your security preferences before continuing."

    I am not able to log in to Facebook.
    It is displaying the message that "Cookies are not enabled on your browser. Please adjust this in your security preferences before continuing."

    [[Enabling and disabling cookies]] should work... if it doesn't, you may try
    # [[Websites say cookies are blocked]] and
    # if 1 doesn't help, then possibly see [[preferences are not saved]] if that's the case.

  • Hi! When I try to log on to Facebook a page comes up saying "Cookies are not enabled" I have checked my security settings and it says they are. help!

    When trying to log on to Facebook the page says "Cookies are not enabled".
    I have checked my security settings and the boxes for
    Accept cookies from sites
    accept 3rd party cookies
    are both ticked.
    Help!

    For other things to try, see the [[Websites say cookies are blocked]] article.
