[switchport port-security mac ] on [interface VLAN n?]
Hello,
did anyone tried to use the command [switchport port-security mac-address n?] on [interface VLAN n?] ? (for example in a 2950).
I don't have the material to make that test, and I am not sure if it works or not.
Many thanks!
Hi,
Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
HTH
Sundar
Similar Messages
-
Switchport port-security on Routers ?
Hi All,
Wanting to restrict LAN ports on a 857 router to particular MAC addresses.
But the router doesn’t support the switchport command at all.
So tried on 1800 series and though it does support "switchport”, it doesn’t support "switchport port-security"
Is there a particular router model that does or any other way around implementing a solution where if a rogue device plugs into the router the port shuts down?
thanks,
IvanHi,
Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
HTH
Sundar -
Switchport port-security maximum
I have a 4510R switch, ((cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1)).
I´m configuring the port-security maximum using the following commands:
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
I dont know why some times this work, some times do not work.
to solve the issue I had to use the three commands:
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
the documentation do not say nothing about if I have to use the three commands together.Hi,
This is an excerpt from the Configuration Guide for your box and IOS-XE release:
Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum. Also, the number of addresses secured on the port across all VLANs cannot exceed a maximum that is configured on the port.
The default "switchport port-security maximum" value for the port is "1". So unless you change this value to "2" your port can sense max. 1 MAC address in either vlan "access" or "voice" ONLY without triggering violation. This means that the total maximum number of MAC addresses allowed per all configured vlans per port equals ONE at the default only.
I hope my English makes sense.
Best regards,
Antonin -
SG-500-28P How to configure switchport port-security violation setting
Is there a way to do switchport port-security violation {protect | restrict | shutdown} in SG-500-28P in case of a BPDU Guard violation?
Seems like the default option is shutdown and I don't know how to change it.
Thank you!Hi,
you can recover this Violation.By using below command:
To enable automatic re-activation of an interface after an Err-Disable shutdown,
use the errdisable recovery cause Global Configuration mode command. To
disable automatic re-activation, use the no form of this command.
Syntax
errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | loopback-detection | udld }
no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | loopback-detection | udld }
For more information:
Refer this URL:page no :406
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf
regards
Moorthy -
NAC and switchport port-security
Dear,Friends
I have NAC working on Out-Of-Band Vitual Gateway.
When I Enable Port Security on the CAM, this don't work very well.
I need allow two mac-address for interface, one workstation and one phone.
The first User is authenticated and placed in the correct VLAN according to the group. Total MAC Addresses increases the workstation and the phone correctly.
Switch#sh port-security interface gigabitEthernet 1/24
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : fcfb.fbca.2c65:89
Security Violation Count : 0
After if I:
- change of user
- bounce the interface
- plug another workstation on interface
Anything happens, and port remains on Access VLAN.
Somebody Know How Can I fix this problem?
RegardsCould you please elaborate on your question? I don't understand what's exactly the problem.
-
Port-security MAC address restrictions and flexconnect
Hi - has anyone else seen this issue?
We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
This was the model and version of the switches.
WS-C2960X-24PS-L 15.0(2)EX4 C2960X-UNIVERSALK9-M
Has anyone else had this?
Any help much appreciated.Hi - has anyone else seen this issue?
We use port-security on flexconnect ports limiting the maximum mac addresses to 100. The ports are configured so that the native vlan is the AP management vlan and we tag the wireless client vlan.
Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to AP's. Although we could not see the violations happen in realtime they were in the switch logs. In Cisco Prime we checked the client counts on the AP's and they were less than 10 at that time the error occurred.
We then increased the max mac addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
This was the model and version of the switches.
WS-C2960X-24PS-L 15.0(2)EX4 C2960X-UNIVERSALK9-M
Has anyone else had this?
Any help much appreciated. -
HP 3800 switch port-security one mac in two VLAN for Cisco IP Phone
Hellow all!
I'm want use port-security for ports on my HP 3800. But PC connected
to network via PC port on Cisco ip phone. For phone used 10 voice VLAN,
for data - 1 VLAN (native). Cisco phone add self mac-address in these
two VLAN. On Cisco Switch 2960 i resolve this for 4 command:
switchport port-security maximum 3
switchport port-security mac-address pc_mac
switchport port-security mac-address ip_phone_mac
switchport port-security mac-address ip_phone_mac vlan voice
How i can add one mac in two VLAN's on HP 3800 Switch?
Sorry for my English, please ^_^
This topic first appeared in the Spiceworks CommunityHi Kuarzo, please reference the following;
https://supportforums.cisco.com/document/116426/how-configure-dynamic-mac-port-security-sx300
https://supportforums.cisco.com/document/116256/how-configure-static-mac-port-security-sx300 -
Port security detecting two MACs on 1 machine.
I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:
Version 12.1(19)EA1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shutdown due to MAC address violations. The users swear up and down that their computers have NOT moved or been uplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eye witnesses (manager's sitting by desk) saying they saw nobody at his desk.
Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.
Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventally.
Anybody ran into this before?
Thanks.
BrettAfter a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). Seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users frustrations of being shutoff every 30 min or so during the workday. Here is some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00e0.988a.7ee6
no ip address
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
Fa0/1 1 1 3 Restrict
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 5463.0007.eb9e on port Fa0/1.
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
Notice how all 3 violating MACS have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround although it will shut down int temp throughout the day. Port security is absolutly needed.
Thanks for the response Thomas. -
After enabling port-security host is not reachable
Hi, after we enable port security on the switch the host will not be reachable, please note that we hve some ports on the same switch configured for 802.1x authentication, below is the configuration for thhe port:
interface fa 0/20
switchport mode access
switchport access vlan 20
swicthport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security mac-adress sticky
1hello
Possiblely to restrictive for that....can you post
sh port-security int fa0/20
res
Paul -
Hi,
I experienced a scenario recently where port security was enabled on a switch allowing 3 mac addresses on a port with sticky, The physical setup was Switch>>media converter>>IP phone>>Laptop.
Port one had this equipment already in situe and we wanted to add another laptop to the domain,
We connected a 2nd laptop to port one and successfully joined the domain.
We did not setup port security on port 2. Uppon conencting a new IP phone to port 2, and then moving the 2nd laptop to port 2 also, the phone worked but laptop 2 did not.
We found that for the laptop to work on port 2 we had to flush port 1.
My question is.. Is this default behaviour? may a mac address only exist on one port as far as port security in concerned? or might the use of the media converter stopped the port from recognising the disconnection of the laptop perhaps?
Cheers
DaveHi David Imrie
You have to check the configuration of your switch interface, probably a switch's port dynamically learned a MAC address with the “switchport port-security mac-address sticky” command and does not allow another port learn the MAC address, I recommend you to use the “mac-address-table static 0000.1111.2222 vlan x interface fastethernet 0 / x” command to be assigned statically.
You should also check that the “switchport port-security” command is configured on each interface of the switch, because without that no “port-security command” will work.
IP phones sometimes have multiple MAC addresses assigned, and sometimes this causes problems with networks like yours >> Switch >> IP phone media converter >> Laptop. To solve this problem, change the maximum allowed MAC addresses, adding one to the maximum allowed
For example if the maximum is 2, change to 3
Switchx (config-if) # switchport port-security maximum 2.
Switchx (config-if) # no switchport port-security maximum 2.
Switchx (config-if) # switchport port-security maximum 3.
If these solutions do not fix your problem, send me your switch configuration or
If this answer was satisfactory for you, please mark the question as Answered.
Thank you
Greetings, Johnnatan Rodriguez Miranda. -
I had configured this, but when i plug in other machine with different MAC, how come it still able to access the network?
interface FastEthernet0/22
switchport mode access
switchport protected
switchport port-security
switchport port-security maximum 22
switchport port-security violation restrict
switchport port-security mac-address 0060.97ed.6092
Switch_242#show port interface fastEthernet 0/22 address
Secure Mac Address Table
Vlan Mac Address Type Ports Remaining Age
(mins)
1 0060.97ed.6092 SecureConfigured Fa0/22 -
Total Addresses: 1Hello,
you are allowing a maximum of 22 MAC addresses on the port:
switchport port-security maximum 22
But you have only configured one secure MAC address:
switchport port-security mac-address 0060.97ed.6092
If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. In order to actually allow only one MAC address on the port, remove the statement 'switchport port-security maximum 22'.
HTH,
GP -
Port Security Sticky Addresses
Does anyone know if there is a way to automatically clear the mac address on a switchport that has port security sticky addressing enabled. I have the following configured on the port(s):
switchport mode access
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security mac-address sticky
spanning-tree portfast
I can't get it to release the sticky mac-address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the mac of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
JoshIt is not possible to age out sticky entries. With sticky entries, they are added to the running config. So the only way to remove it is through editing the running config.... If you enter the "no switchport port-security mac-address sticky" interface command, then the mac addresses will be learned dynamically, and will be aged out after 1 minute of inactivity, per your config ...
-
i have about a dozen2960 that i wish to implement port security. Some users tend to bring their own router and cause mayhem to the network. I've tried DHCP snooping, dont seem to work and port security testing on a few ports work well.
What are the recommended steps? All are connected with users and all ports are already in use.
- Some ports already have a few mac address in the tables thus i cant say do a across the board implement say "switchport port-security maximum 3".
- It's tedious to go switch by switch, port by port
- Any mechnism that can convert sticky to static with "switchport port-security mac-address sticky" first then convert them to static since the network is ok now.The poster above raised some excellent points about an "IT Acceptable Policy". I wouldn't want people allowed to bring in random network eqiupment just plugging it in all willy nilly.
With DHCP Snooping, you need to understand, that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports, that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, which you have two options. You can either turn if off from being checked at the router, or instruct the switch to not install the option to being with in DHCP Discover packets.
When you enable DHCP Snooping, this will create teh DHCP Snooping database, which will keep track of the DHCP assigned IP address, and the MAC address assigned to each port.
If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropraitely.
It sounds like you may have a hard time, since they don't seem to really care about security at this place.
Personally, if it were me, all ports would have BPDU Guard that should, at a minimum. You can always setup 'errdisable recovery' to deal with the recovering of ports that have been disabled automatically. -
Recommended port-security settings for ASA HA failover
I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
interface GigabitEthernet0/8
description ASA-Primary-Out
switchport access vlan 200
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 500
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?Hello,
This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
Per the port-security config guide:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
"...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
-Mike -
Packet drops on 2960 with port-security enabled
Hello,
We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure to prevent MAC flooding attacks:
switchport port-security maximum 10 switchport port-security switchport port-security aging time 1 switchport port-security violation restrict switchport port-security aging type inactivity
There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host is dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
Port Security : EnabledPort Status : Secure-upViolation Mode : RestrictAging Time : 1 minsAging Type : InactivitySecureStatic Address Aging : DisabledMaximum MAC Addresses : 10Total MAC Addresses : 0Configured MAC Addresses : 0Sticky MAC Addresses : 0Last Source Address:Vlan : 0011.aabb.ccdd:11Security Violation Count : 0
When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
I have found similar reports and bugs for the 2950 and 3750:
https://supportforums.cisco.com/thread/163910
https://supportforums.cisco.com/message/89560
https://tools.cisco.com/bugsearch/bug/CSCeg63177
https://tools.cisco.com/bugsearch/bug/CSCec21652
Is there anything we can do to fix this?
Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
Thank you.Hi Alioune,
This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. The broadcast traffic received on any other uplinks of the VEM i.e., those that are not the acting as DR, drop the received broadcast traffic on ingress to the VEM.
The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
Regards
Maybe you are looking for
-
How do I highlight multiple cells in a form?
I created a form in Acrobat X. Previously, when the customer filled the (Excel) form and returned it, our staff would be able to highlight an entire column and paste it into another software package that tracks expenses etc. Now, with a requirement
-
HP Laser Printer 1018 prints in grey
My transcript documents in Word xp are printing in grey. I bought another computer and i've followed all the steps in the printer troubleshooting options still prints in grey. These are all the things i've done to try to rectify the problem with no
-
Mac Mini on 10.6.8 wont play HD i tunes movies. 2gig of ram with 1.66Ghz Core Due processor.
Is it possiable to play HD contant on a 2007 mac mini?
-
Doh! - No composite or HDMI on my TV. Any suggestions?
I looked at the back of the Apple TV before purchasing it, and saw the composite video out & the HDMI connector. Thought I knew I didn't have either of those on my TV, I didn't think about it, and without putting 2 + 2 together, bought an AppleTV. Do
-
3.5mm jack Ear Phones not working with IPAD
I have tried few ear phone (3.5mm jack) all working with Deskptop, Netbook, Laptop but none working with IPAD, it seems, there is a manufacturing fault in IPAD, I going abroad in 5 days, when I contact apple support on the phone, they need at least 7