Port security Shutdown, but not sure how or why?

sub-zero (Member, Posts: 23)
I have configured an interface fa0/4 for a maximum of 2, and sticky also.

However, the interface shuts down when the second MAC address attempts to send a frame. Can anyone help?

Surely it would only shut down and trigger a violation on the 3rd MAC address.

Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)        (Count)         (Count)
Fa0/3             2              1               0              Shutdown
Fa0/4             2              1               1              Shutdown
Switch#show po
Switch#show port-security fa0/4
^
% Invalid input detected at '^' marker.

Switch#show port-security in
Switch#show port-security interface fa0/4
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0060.7040.9534:3
Security Violation Count : 1


Switch#show run
Building configuration...


Current configuration : 1561 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0004.9A97.95A9
switchport port-security mac-address sticky 0060.7040.9534
!
interface FastEthernet0/4
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0004.9A97.95A9
!

Why is the interface shutting down after a count of 1, even though I have configured a maximum of 2?

Comments

  • CertifiedMonkey (Member, Posts: 172)
    Once a MAC address is sticky learned or manually entered on a port, it cannot be seen on another port IN THE SAME VLAN or it will trigger a security violation. In this case, 0004.9A97.95A9 was learned on port f0/4 (which is a port in VLAN 3), so if you were to unplug the PC with that MAC address and plug it into another port that is also in VLAN 3 (F0/3 in this case), it will cause a violation.

    Based on your show output, this is likely what happened seeing that the MAC address was sticky learned on two ports in the same VLAN (F0/3 and F0/4).
  • sub-zero (Member, Posts: 23)
    Once a MAC address is sticky learned or manually entered on a port, it cannot be seen on another port IN THE SAME VLAN or it will trigger a security violation. In this case, 0004.9A97.95A9 was learned on port f0/4 (which is a port in VLAN 3), so if you were to unplug the PC with that MAC address and plug it into another port that is also in VLAN 3 (F0/3 in this case), it will cause a violation.

    Based on your show output, this is likely what happened seeing that the MAC address was sticky learned on two ports in the same VLAN (F0/3 and F0/4).


    Thanks

    Been reading through Odom and watching CBT and haven't seen this mentioned before, so I'm glad I came across this while playing around with port security.

    So just to clarify:

    If a MAC address is already learnt, via switchport port-security mac-address (either manually entered or sticky), then it CANNOT be seen on another interface in the SAME VLAN?

    So basically, the only way to resolve this would be to negate the switchport port-security mac-address sticky command on the interface the MAC address was seen on first?

    or are there any other ways to resolve this?

    Thanks in advance.
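As an added illustration of CertifiedMonkey's explanation (this is not from the thread and is a simplified model, not IOS code): a small Python model of the two documented violation triggers, seeded with the sticky entries from the running-config above. It shows why Fa0/4 records a violation at CurrentAddr 1 of 2 when a frame from 0060.7040.9534, already sticky on Fa0/3 in the same VLAN, arrives on it. Class and function names are invented for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int
    secured: set = field(default_factory=set)  # sticky or static secure MACs
    violations: int = 0
    status: str = "Secure-up"

    def __post_init__(self):
        self.secured = {m.lower() for m in self.secured}

class PortSecurityModel:
    """Toy model of the two documented violation triggers; not real IOS code."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def receive(self, port_name, src_mac):
        port = self.ports[port_name]
        if port.status != "Secure-up":
            return "dropped: port is secure-shutdown"
        mac = src_mac.lower()
        if mac in port.secured:
            return "forwarded"
        # Trigger 1: the source MAC is already secured on another secure port
        # in the same VLAN. This fires regardless of this port's current count.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and mac in other.secured:
                return self._violate(port, f"{mac} already secured on {other.name} (VLAN {other.vlan})")
        # Trigger 2: the table is full and an unknown source shows up.
        if len(port.secured) >= port.maximum:
            return self._violate(port, "maximum secure addresses reached")
        port.secured.add(mac)  # sticky learning
        return "learned"

    def _violate(self, port, reason):
        port.violations += 1
        port.status = "Secure-shutdown"  # violation mode shutdown (err-disabled)
        return f"violation: {reason}"

def reproduce_thread_scenario():
    """Seed the model with the sticky entries from the running-config above."""
    fa0_3 = SecurePort("Fa0/3", 3, 2, {"0004.9A97.95A9", "0060.7040.9534"})
    fa0_4 = SecurePort("Fa0/4", 3, 2, {"0004.9A97.95A9"})
    model = PortSecurityModel([fa0_3, fa0_4])
    # The frame behind "Last Source Address:Vlan : 0060.7040.9534:3" on Fa0/4
    result = model.receive("Fa0/4", "0060.7040.9534")
    return result, fa0_4.violations, fa0_4.status

if __name__ == "__main__":
    print(reproduce_thread_scenario())
```

The same model also shows the case the original poster expected: a fresh port learns two unknown MACs and only violates on the third.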