Packet Tracer - switchport port-security ?

JeanM Member Posts: 1,117
I am using PT 5.3.3.0019, a switch and individual hosts. I then configured fa0/1 with switchport port-security maximum 1 and switchport port-security violation shutdown, and connected a hub to that port with 2 PCs. It does not shut the port down?

I can ping all I want and you can see .ed9e and .560e are on Fa0/1, but it's green?

Switch#sh mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.c760.0b95    DYNAMIC     Fa0/5
   1    0050.0fc3.ed9e    DYNAMIC     Fa0/1
   1    0060.3e0e.c992    DYNAMIC     Fa0/3
   1    00d0.ff52.560e    DYNAMIC     Fa0/1
   1    00e0.a30e.7c66    DYNAMIC     Fa0/6
   1    00e0.b07d.ba4c    DYNAMIC     Fa0/4
Switch#

Switch#config t
Switch(config)#inter f0/1
Switch(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
Switch(config-if)#switchport port-security violation shutdown

Switch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual up                    up
2015 goals - ccna voice / vmware vcp.

Comments

  • Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
    Do:
    (switch)# show port-security interface fastethernet 0/1

    You should see a good bit of information about port-security for that port. Example output from the Cisco docs:
    Switch# show port-security interface fastethernet 3/12
    Port Security              :Enabled
    Port Status                :Secure-up
    Violation Mode             :Shutdown
    Aging Time                 :0
    Aging Type                 :Absolute
    SecureStatic Address Aging :Enabled
    Maximum MAC Addresses      :5
    Total MAC Addresses        :0
    Configured MAC Addresses   :0
    Sticky MAC Addresses       :11
    Last Source Address        :0000.0000.0401
    Security Violation Count   :0

    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • JeanM Member Posts: 1,117
    Here you go, I guess it's not enabling? I am going to try this on the 2950 I have at home in a couple of hours; I just wanted to try these in PT, going by the CCENT book Chapter 7 - switching / port security.


    Switch#show port-security interface fa0/1
    Port Security : Disabled
    Port Status : Secure-down
    Violation Mode : Shutdown
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 0
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0000.0000.0000:0
    Security Violation Count : 0
    2015 goals - ccna voice / vmware vcp.
  • Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
    Correct. It's not enabled. It's not going to shut down :)

    These are the steps to enable Port Security:
    (switch-if)# switchport mode access
    (switch-if)# switchport port-security   [Enables Port Security]
    -- Optional --
    (switch-if)# switchport port-security maximum number
    (switch-if)# switchport port-security violation {protect | restrict | shutdown}
    (switch-if)# switchport port-security mac-address mac-address
    (switch-if)# switchport port-security mac-address sticky

    I had to pull out and hunt for Port-security myself in the ICND1 book. It's been a long, long time since I did that. Thank you for the refresher!

    ...man, I really didn't take notes in this book...
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • Ramair2k Member Posts: 32 ■■□□□□□□□□
    Do a sh interface fa0/1 switchport. The operational mode should be access, meaning you have to statically set the interface to access (switchport mode access), then enable port security by issuing the switchport port-security <enter> command.
  • JeanM Member Posts: 1,117
    Ahh, so you have to run switchport mode access first by itself? yep, that was it. Thank you

    Switch#show port-security interface fastEthernet 0/1
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Shutdown
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 0
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0000.0000.0000:0
    Security Violation Count : 0
    2015 goals - ccna voice / vmware vcp.
  • JeanM Member Posts: 1,117
    Ramair2k wrote: »
    Do a sh interface fa0/1 switchport. The operational mode should be access, meaning you have to statically set the interface to access (switchport mode access), then enable port security by issuing the switchport port-security <enter> command.

    It seems to be okay now; the book didn't show running the switchport mode access command before switchport port-security. I think that was the missing step. Chapter 7 / page 439 does not show this, but later in Chapter 9, page 492 does show it LOL.


    Switch#sh interfaces fa0/1 switchport
    Name: Fa0/1
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Appliance trust: none


    Yep, confirmed working now. I did the show mac address-table, then pinged the PCs and issued the show mac address-table command again to see it populate the MAC table. As soon as I pinged the 2nd PC on the hub hanging off fa0/1, it shut the port down.


    Switch#show port-security interface fastEthernet 0/1
    Port Security : Enabled
    Port Status : Secure-shutdown
    Violation Mode : Shutdown
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 0
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0050.0FC3.ED9E:1
    Security Violation Count : 1


    Sweet!
    2015 goals - ccna voice / vmware vcp.
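    An added example, not from the original post: a small parser for the `show port-security interface` output above that turns the three states JeanM saw (Port Security Disabled, Secure-up, Secure-shutdown) into something a monitoring job can act on, including pulling out the offending MAC and VLAN from the `Last Source Address:Vlan` field. The sample inputs are the thread's own outputs trimmed to the fields the parser uses; the function names are mine.

```python
import re

# Sample input: the three "show port-security interface fa0/1" outputs JeanM
# posted in this thread, trimmed to the fields the parser needs.
OUTPUT_DISABLED = """\
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

OUTPUT_ENABLED = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

OUTPUT_SHUTDOWN = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Last Source Address:Vlan : 0050.0FC3.ED9E:1
Security Violation Count : 1
"""

# Each field is "<name> :<value>". The separator is the colon preceded by
# whitespace, so "Last Source Address:Vlan" and "0050.0FC3.ED9E:1" keep their
# own colons. Works for both the "key : value" layout seen in Packet Tracer
# and the column-aligned "key      :value" layout in the Cisco docs.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s+:\s*(?P<val>.*?)\s*$")


def parse_port_security(text):
    """Return the show output as a dict keyed by field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def assess_port(text):
    """Classify one port's state as ('disabled' | 'violated' | 'ok', detail)."""
    f = parse_port_security(text)
    if f.get("Port Security") != "Enabled":
        # Exactly the situation in the original post: options set, feature off.
        return ("disabled", "feature not enabled: check 'switchport mode access' "
                            "and the bare 'switchport port-security' command")
    count = int(f.get("Security Violation Count", "0"))
    mac, _, vlan = f.get("Last Source Address:Vlan", "0000.0000.0000:0").partition(":")
    if f.get("Port Status") == "Secure-shutdown":
        return ("violated", f"port err-disabled after {count} violation(s); "
                            f"last offending source {mac.lower()} on VLAN {vlan}")
    if count > 0:
        # protect/restrict modes keep the port up but still count violations
        return ("violated", f"{count} violation(s) logged in mode "
                            f"{f.get('Violation Mode')}, port still up")
    return ("ok", f"secure-up, max {f.get('Maximum MAC Addresses')} address(es)")


if __name__ == "__main__":
    for name, sample in (("disabled", OUTPUT_DISABLED),
                         ("enabled", OUTPUT_ENABLED),
                         ("shutdown", OUTPUT_SHUTDOWN)):
        print(name, "->", assess_port(sample))
```

    Run against output pulled from many ports, the "disabled" branch is the one to alarm on first: a port that reports Secure-down with Port Security Disabled is not protecting anything, whatever `maximum` and `violation` say.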
  • cpohlad Member Posts: 43 ■■□□□□□□□□
    I think if you don't specify it as an access port it's dynamic desirable, in which (correct me if I am wrong) it picks based on what the other side is doing.
  • MAC_Addy Member Posts: 1,740 ■■■■□□□□□□
    JeanM wrote: »
    switchport mode access
    Easiest way is to do the range command, that way you can ensure that port security is enabled on all ports. That's if you want it on all ports.
    2017 Certification Goals:
    CCNP R/S
  • Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
    I still remember trying to do the range command on the router and thinking "Damn, no shortcut".
    cpohlad wrote: »
    I think if you don't specify it as an access port it's dynamic desirable, in which (correct me if I am wrong) it picks based on what the other side is doing.

    Yeah. Setting the switchport mode's "Administrative Mode" to anything other than "trunk" or "access" goes by what the other side is doing, or not doing:

    The Administrative Modes (configured by the switchport mode command):
    Dynamic Desirable: "Desires" to trunk (that's how I remember it to this day). It wants and needs to trunk but will allow itself to be set into dynamic access [I think?] if the other side is set up as Administrative Mode: Access. Default Administrative mode for switches - very dangerous!

    Dynamic Auto: Passive. It won't send out any type of negotiations. It'll be in "Operational Mode: Access" if the other host port is set up as "Dynamic Auto".

    Situation:
    Two switches are connected by a cross-over cable. Here are their respective Administrative Modes.
    Switch1: Port F0/1 = Dynamic Desirable
    Switch2: Port F0/1 = Dynamic Auto

    They'll initiate trunking, because the Desirable side will send out negotiations to trunk.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • higherho Member Posts: 882
    Roguetadhg wrote: »
    Do:
    (switch)# show port-security interface fastethernet 0/1

    You should see a good bit of information about port-security for that port. Example output from the Cisco docs: [...]

    Also, this is the only way (that I know of) to show that your port is in shutdown mode. If you do a show run it will not show it (it will show violation protect, etc.). The reason is that violation shutdown is the Cisco default.
  • pacotaco Member Posts: 24 ■□□□□□□□□□
    JeanM wrote: »
    I think that was the missing step.

    Don't forget one of your missing steps was not enabling port security with the switchport port-security command.

    From your OP you entered switchport port-security maximum 1 as your first command. This does not enable port security.

    If you noticed when you typed switchport port-security ? one of your options was <CR>

    Good luck!
    Looking to transfer to WGU to begin Bachelors in IT
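    Roguetadhg's step list and pacotaco's point above describe the same pitfall: IOS accepts `switchport port-security maximum` and `violation` on a port where the feature was never switched on with the bare `switchport port-security` command, and on a port still in a negotiable DTP mode. As an added example that is not part of the original thread, the script below audits a running-config for exactly those two gaps. The sample config is constructed for this example (its Fa0/1 mirrors the thread's mistake, Fa0/2 the corrected form), the assumption that non-Gigabit ports are edge ports is mine, and so are the function names.

```python
from collections import defaultdict

# Constructed sample running-config (not from the original post).
#   Fa0/1: the thread's mistake - maximum/violation set, but neither
#          "switchport mode access" nor the bare enabling command.
#   Fa0/2: the corrected form from Roguetadhg's step list.
#   Fa0/3: an untouched user port, no port security at all.
#   Gi0/1: an uplink, excluded from the edge-port checks.
SAMPLE_CONFIG = """\
hostname Switch
!
interface FastEthernet0/1
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/3
 description user port, never configured
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from an IOS running-config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def audit_port_security(config, is_edge=lambda name: not name.startswith("Gigabit")):
    """Flag edge ports whose port security is incomplete or whose mode is negotiable.

    is_edge decides which interfaces count as user/edge ports; treating every
    non-Gigabit port as an edge port is an assumption made for this example.
    """
    findings = defaultdict(list)
    for name, cmds in parse_interfaces(config).items():
        if not is_edge(name):
            continue
        cmdset = set(cmds)
        # sub-options carry a trailing argument; the enabling command is bare
        has_options = any(c.startswith("switchport port-security ") for c in cmds)
        enabled = "switchport port-security" in cmdset
        if has_options and not enabled:
            findings[name].append("port-security options set but feature not enabled")
        elif not enabled:
            findings[name].append("no port-security configured")
        if "switchport mode access" not in cmdset:
            findings[name].append("not 'switchport mode access' (DTP negotiation possible)")
    return dict(findings)


if __name__ == "__main__":
    for port, problems in audit_port_security(SAMPLE_CONFIG).items():
        for p in problems:
            print(f"{port}: {p}")
```

    The bare-command check is a set membership test on purpose: a prefix match would wrongly accept `switchport port-security maximum 1` as proof the feature is on, which is precisely the confusion the thread started with.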
  • JeanM Member Posts: 1,117
    Yep, thank you all, I practiced some more on this and it makes more sense now on how it works and it's working.
    2015 goals - ccna voice / vmware vcp.