
Switchport Port-Security Violation Shutdown - not saved?

dontstealmyfish, Member Posts: 2
I am studying for my CCENT/CCNA R&S and I came across something I wasn't sure about. When entering the port-security violation command, the config accepts it...and it works... but after I copy the running-config to the startup-config, it doesn't appear in the Show Running-config.

Likewise, upon reloading the switch, that violation effect no longer works until I enter the config command again. Am I doing something wrong, or does that config get saved elsewhere?

I have looked at the Cisco documentation for that command and it doesn't seem to say anything in particular about my issue. I have also searched the Cisco forums as well as the forums here. Googling "switchport port-security violation not in config" also appears to turn up nothing of relevance. Nothing seems to be turning up my answer.

Any help would be greatly appreciated!
I am currently applying this config to Fa0/24.
Setup includes the switch I am configuring having Fa0/24 plugged into another switch via crossover.
Then, 2 routers are plugged into that secondary switch so that both of the router interfaces' MAC addresses will end up going into the primary switch.

Current Lab config for switch
Building configuration...

Current configuration : 1634 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch_C2950_C
!
!
username admin password 0 password
username wayne password 0 password
username root secret 5 $1$e1qE$b09L1nY2KgpVqEC8YupA70
ip subnet-zero
!
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
vlan 10
 name Test_Vlan
!
vlan 100
 name Test2_Vlan
 state suspend
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.be37.8001
!
interface Vlan1
 ip address 10.0.0.3 255.0.0.0
 no ip route-cache
 shutdown
!
interface Vlan4094
 no ip address
 no ip route-cache
!
ip http server
!
line con 0
 logging synchronous
 login local
line vty 0 4
 logging synchronous
 login local
line vty 5 15
 logging synchronous
 login local
!
!
end



Show Version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA10, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 08-May-07 11:50 by myl
Image text-base: 0x80010000, data-base: 0x8056C000

ROM: Bootstrap program is C2950 boot loader

Switch_C2950_C uptime is 1 hour, 24 minutes
System returned to ROM by power-on
System image file is "flash:c2950-i6q4l2-mz.121-22.EA10.bin"

cisco WS-C2950-24 (RC32300) processor (revision R0) with 20970K bytes of memory.
Processor board ID FOC0927Z0SW
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:14:F2:5F:A6:00
Motherboard assembly number: 73-5781-13
Power supply part number: 34-0965-01
Motherboard serial number: FOC09270FNS
Power supply serial number: DAB0923B232
Model revision number: R0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FOC0927Z0SW
Configuration register is 0xF

Show Post = PASSED

Comments

  • BerkshireHerd, Member Posts: 185
    Shoot, I remember this from the CBT Nuggets video but can't remember why! Guess I'll be rewatching it tonight.
    Identity & Access Manager // B.A - Marshall University 2005
  • Vask3n, Member Posts: 517
    Correct me if I'm wrong but I believe that it doesn't show up in the config because this is actually the default behavior. In other words, the default violation is shutdown in the first place and hence even if you manually code it in, it does not show because it's there by default in the first place.
    Working on MS-ISA at Western Governor's University
  • BerkshireHerd, Member Posts: 185
    Vask3n wrote: »
    Correct me if I'm wrong but I believe that it doesn't show up in the config because this is actually the default behavior. In other words, the default violation is shutdown in the first place and hence even if you manually code it in, it does not show because it's there by default in the first place.

    I think you nailed it!
    Identity & Access Manager // B.A - Marshall University 2005
  • dontstealmyfish, Member Posts: 2
    Vask3n wrote: »
    Correct me if I'm wrong but I believe that it doesn't show up in the config because this is actually the default behavior. In other words, the default violation is shutdown in the first place and hence even if you manually code it in, it does not show because it's there by default in the first place.

    You might be on to something.

    (After reload....and waiting approximately 30 minutes) running the Show Port-Security for the interface I can see the following:
    Switch_C2950_C#show port-security interface fa0/24
    Port Security              : Enabled
    Port Status                : Secure-shutdown
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 1
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 1
    Last Source Address        : 0025.4567.fdb8
    Security Violation Count   : 1
    

    Let me test this out by hooking up two separate devices to the switch... connecting to the switch whose config is in question... reloading the switch... and trying to manually send packets to the main switch VLAN interface. That should help me prove it faster.

    *UPDATE*
    Ah, Vask3n, you are definitely correct! The showing of port-security after reload was pretty much proof of that. The testing I did only further proves your answer. Additionally, if I change the port security to RESTRICT, then save (Copy Running-config Startup-Config), when showing the startup-config I see the Violation mode change:

    Startup-Config in regards to Fa0/24
    interface FastEthernet0/24
     switchport mode access
     switchport port-security
     switchport port-security violation restrict
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 000b.be37.8001
    
  • rocdamike, Member Posts: 32
    Vask3n wrote: »
    Correct me if I'm wrong but I believe that it doesn't show up in the config because this is actually the default behavior. In other words, the default violation is shutdown in the first place and hence even if you manually code it in, it does not show because it's there by default in the first place.

    I agree. I believe the defaults for port security are violation shutdown and maximum secure addresses: 1.
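The practical consequence of the thread's finding (and of the defaults rocdamike lists) is that `show running-config` is not a faithful picture of what port-security is actually enforcing: a port with `switchport port-security` and nothing else is already in violation mode shutdown with a maximum of one address. The script below is an added example, not code from the thread or from Cisco, that reads an IOS-style running-config, fills in those defaults for every port-security-enabled interface, and reports which settings are explicit and which are implicit. The default values it assumes (violation shutdown, maximum 1, aging time 0, aging type absolute) are the ones the original poster's `show port-security interface` output confirms; the sample config is constructed, with Fa0/24 copied from the thread, Fa0/1 invented to show explicit non-default settings, and Fa0/2 a plain port.

```python
"""Added example (not from the thread): derive the *effective* port-security
settings of each access port from an IOS running-config, filling in the
defaults that IOS never echoes into 'show running-config'.

Assumed defaults (they match the thread's 'show port-security interface'
output on a 2950): violation shutdown, maximum 1, aging 0 absolute.
"""
import re

# Defaults IOS omits from the running-config when left unchanged.
DEFAULTS = {"violation": "shutdown", "maximum": 1,
            "aging_time": 0, "aging_type": "absolute"}

# Constructed sample config: Fa0/24 is the thread's stanza (no explicit
# violation line); Fa0/1 is an invented port with non-default settings;
# Fa0/2 has no port-security at all.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/24
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000b.be37.8001
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return stanzas


def effective_port_security(subcommands):
    """Merge explicit port-security sub-commands with the defaults.

    Returns None when port-security is not enabled on the port. 'explicit'
    records which knobs were actually present in the config, so a report can
    distinguish 'shutdown because configured' from 'shutdown by default'.
    """
    if "switchport port-security" not in subcommands:
        return None
    eff = dict(DEFAULTS, sticky=False, sticky_macs=[], static_macs=[], explicit=set())
    for cmd in subcommands:
        m = re.match(r"switchport port-security (.+)$", cmd)
        if not m:
            continue
        args = m.group(1).split()
        if args[0] == "violation":
            eff["violation"] = args[1]
            eff["explicit"].add("violation")
        elif args[0] == "maximum":
            eff["maximum"] = int(args[1])
            eff["explicit"].add("maximum")
        elif args[:2] == ["aging", "time"]:
            eff["aging_time"] = int(args[2])
            eff["explicit"].add("aging_time")
        elif args[:2] == ["aging", "type"]:
            eff["aging_type"] = args[2]
            eff["explicit"].add("aging_type")
        elif args[:2] == ["mac-address", "sticky"]:
            eff["sticky"] = True
            if len(args) == 3:  # a learned sticky MAC written into the config
                eff["sticky_macs"].append(args[2])
        elif args[0] == "mac-address":
            eff["static_macs"].append(args[1])
    return eff


def audit(config):
    """Return one human-readable line per port-security-enabled interface."""
    lines = []
    for name, subs in parse_interfaces(config).items():
        eff = effective_port_security(subs)
        if eff is None:
            continue
        origin = ("configured" if "violation" in eff["explicit"]
                  else "default, not shown in config")
        lines.append(f"{name}: violation={eff['violation']} ({origin}), "
                     f"maximum={eff['maximum']}, aging={eff['aging_time']} min "
                     f"{eff['aging_type']}, sticky={eff['sticky']}, "
                     f"learned={eff['sticky_macs']}")
    return lines


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run as-is it prints one line for Fa0/1 and one for Fa0/24, labelling the latter's shutdown mode as a default rather than a configured value. Two caveats worth keeping in mind when using a config-derived view like this: the authoritative answer on the box is still `show port-security interface`, as the original poster's output shows, and a sticky-learned MAC only survives a reload if `copy running-config startup-config` is run after the switch has learned it, since sticky learning writes the address into the running-config only.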
  • Vask3n, Member Posts: 517
    Cheers, glad we got this straightened out
    Working on MS-ISA at Western Governor's University