port-security and network connectivity problem

Nightflier101BL Member Posts: 134
Hello everyone,

I'm very new to networking and am currently working on my CCNA. I've run into an interesting problem labbing with port-security on a Cisco 3550.

I've configured fa 0/31 on one of the switches as follows:

switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky

The problem is, the moment I enable port security with the "switchport port-security" command, I immediately lose network connectivity on the PC. If I do "no switchport port-security", the connection comes back.

With port-security disabled, I can do a "show mac address-table" and I see the MAC of the PC listed at fa 0/31. When port-security is enabled, I no longer see the MAC address.

If I do "show port-security" with port-security enabled, I do not see anything under "CurrentAddr" for learned MAC addresses, nor do I ever see the MAC populate when I do "sh run int fa 0/31".

"terminal monitor" does not show me anything when I switch between enabled and disabled. I've tried two different PCs and two different Cisco 3550 switches and I get the same result.

I would appreciate any insight or suggestions.

Thanks!

Robert

Comments

  • mendysue Member Posts: 22
    My guess would be that you need to enable port security and then run the above commands.
  • TechGuru80 Member Posts: 1,539
    I haven't tried maximum 2, but I could see that in conjunction with sticky causing an error. Since sticky is supposed to capture what is connected, I bet if you had a switch and the computer plugged in it would work. Does it work with maximum 1?
  • sadfjlfdo24 Banned Posts: 59
    What is your show run and show ver?
  • Nightflier101BL Member Posts: 134
    With "switchport port-security maximum 1", the connection still drops. Even if I remove the command altogether and let it default to 1, same problem.

    Here's my sh run and sh ver:

    SW1#sh run
    Building configuration...

    Current configuration : 5882 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SW1
    !
    enable secret 5
    enable password
    !
    username
    !
    !
    aaa new-model
    !
    !
    !
    !
    !
    aaa session-id common
    authentication mac-move permit
    ip subnet-zero
    ip domain-name
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-1093877888
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1093877888
    revocation-check none
    rsakeypair TP-self-signed-1093877888
    !
    !
    crypto pki certificate chain TP-self-signed-1093877888
    certificate self-signed 01

    spanning-tree mode pvst
    spanning-tree etherchannel guard misconfig
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    ip ssh version 2
    !
    !
    interface FastEthernet0/1
    switchport mode dynamic desirable
    !
    interface FastEthernet0/2
    switchport mode dynamic desirable
    !
    interface FastEthernet0/3
    switchport mode dynamic desirable
    !
    interface FastEthernet0/4
    switchport mode dynamic desirable
    !
    interface FastEthernet0/5
    switchport mode dynamic desirable
    !
    interface FastEthernet0/6
    switchport mode dynamic desirable
    !
    interface FastEthernet0/7
    switchport mode dynamic desirable
    !
    interface FastEthernet0/8
    switchport mode dynamic desirable
    !
    interface FastEthernet0/9
    switchport mode dynamic desirable
    !
    interface FastEthernet0/10
    switchport mode dynamic desirable
    !
    interface FastEthernet0/11
    switchport mode dynamic desirable
    !
    interface FastEthernet0/12
    switchport mode dynamic desirable
    !
    interface FastEthernet0/13
    switchport mode dynamic desirable
    !
    interface FastEthernet0/14
    switchport mode dynamic desirable
    !
    interface FastEthernet0/15
    switchport mode dynamic desirable
    !
    interface FastEthernet0/16
    switchport mode dynamic desirable
    !
    interface FastEthernet0/17
    switchport mode dynamic desirable
    !
    interface FastEthernet0/18
    switchport mode dynamic desirable
    !
    interface FastEthernet0/19
    switchport mode dynamic desirable
    !
    interface FastEthernet0/20
    switchport mode dynamic desirable
    !
    interface FastEthernet0/21
    switchport mode dynamic desirable
    !
    interface FastEthernet0/22
    switchport mode dynamic desirable
    !
    interface FastEthernet0/23
    switchport mode dynamic desirable
    !
    interface FastEthernet0/24
    switchport mode dynamic desirable
    !
    interface FastEthernet0/25
    switchport mode dynamic desirable
    !
    interface FastEthernet0/26
    switchport mode dynamic desirable
    !
    interface FastEthernet0/27
    switchport mode dynamic desirable
    !
    interface FastEthernet0/28
    switchport mode dynamic desirable
    !
    interface FastEthernet0/29
    switchport mode dynamic desirable
    !
    interface FastEthernet0/30
    switchport mode dynamic desirable
    !
    interface FastEthernet0/31
    switchport mode access
    switchport port-security
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/32
    switchport mode dynamic desirable
    !
    interface FastEthernet0/33
    switchport mode dynamic desirable
    !
    interface FastEthernet0/34
    switchport mode dynamic desirable
    !
    interface FastEthernet0/35
    switchport mode dynamic desirable
    !
    interface FastEthernet0/36
    switchport mode dynamic desirable
    !
    interface FastEthernet0/37
    switchport mode dynamic desirable
    !
    interface FastEthernet0/38
    switchport mode dynamic desirable
    !
    interface FastEthernet0/39
    switchport mode dynamic desirable
    !
    interface FastEthernet0/40
    switchport mode dynamic desirable
    !
    interface FastEthernet0/41
    switchport mode dynamic desirable
    !
    interface FastEthernet0/42
    switchport mode dynamic desirable
    !
    interface FastEthernet0/43
    switchport mode dynamic desirable
    !
    interface FastEthernet0/44
    switchport mode dynamic desirable
    !
    interface FastEthernet0/45
    switchport mode dynamic desirable
    !
    interface FastEthernet0/46
    switchport mode dynamic desirable
    !
    interface FastEthernet0/47
    switchport mode dynamic desirable
    !
    interface FastEthernet0/48
    switchport mode dynamic desirable
    !
    interface GigabitEthernet0/1
    switchport mode dynamic desirable
    !
    interface GigabitEthernet0/2
    switchport mode dynamic desirable
    !
    interface Vlan1
    ip address 192.168.1.15 255.255.255.0
    !
    ip classless
    ip http server
    ip http secure-server
    !
    ip sla enable reaction-alerts
    !
    control-plane
    !
    !
    line con 0
    password
    logging synchronous
    line vty 0 4
    exec-timeout 0 0
    password
    logging synchronous
    transport input telnet ssh
    line vty 5 15
    exec-timeout 0 0
    password
    logging synchronous
    transport input telnet ssh
    !
    end


    SW1#sh ver
    Cisco IOS Software, C3550 Software (C3550-IPBASEK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 25-Sep-09 09:04 by sasyamal
    Image text-base: 0x00003000, data-base: 0x01178C54

    ROM: Bootstrap program is C3550 boot loader

    SW1 uptime is 7 minutes
    System returned to ROM by power-on
    System image file is "flash:/c3550-ipbasek9-mz.122-52.SE/c3550-ipbasek9-mz.122-52.SE.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    Export Compliance Product Report Application

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    Cisco WS-C3550-48 (PowerPC) processor (revision D0) with 65526K/8192K bytes of memory.
    Processor board ID CHK0626V0JN
    Last reset from warm-reset
    Running Layer2/3 Switching Image

    Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces

    Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces

    Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces

    Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces

    Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface

    Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

    48 FastEthernet interfaces
    2 Gigabit Ethernet interfaces

    The password-recovery mechanism is enabled.
    384K bytes of flash-simulated NVRAM.
    Base ethernet MAC Address: 00:0A:41:33:40:80
    Motherboard assembly number: 73-5701-10
    Power supply part number: 34-0967-01
    Motherboard serial number: CAT06250KU6
    Power supply serial number: LIT062300XJ
    Model revision number: D0
    Motherboard revision number: A0
    Model number: WS-C3550-48-EMI
    System serial number: CHK0626V0JN
    Configuration register is 0x10F

    SW1#

    Thanks for your help!

    Robert
  • sadfjlfdo24 Banned Posts: 59
    What do you get for "show port-security int fa0/31" ?

    Try running "clear port-security dynamic" and enabling port security on int fa0/31 afterwards.
  • DCD Member Posts: 475
    Try it in this order.

    switchport mode access
    switchport port-security
    switchport port-security maximum 2
    switchport port-security mac-address sticky

  • Nightflier101BL Member Posts: 134
    sadfjlfdo24 wrote: »
    What do you get for "show port-security int fa0/31" ?

    Try running "clear port-security dynamic" and enabling port security on int fa0/31 afterwards.

    Here's my output:

    SW1(config-if)#do sh port int fa 0/31
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Shutdown
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 2
    Total MAC Addresses : 0
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0000.0000.0000:0
    Security Violation Count : 0

    SW1(config-if)#

    I'm still having the same issue after running "clear port-security dynamic".

    Thanks!
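A small parser for the "show port-security interface" output pasted above, added here as an example (it is not from the thread or from Cisco). The classification rules are my own reading of the fields: a secure-up port with a zero violation count, zero total addresses and an all-zero last source address has never secured a single frame, which points at the cabling or topology rather than at the port-security configuration itself.

```python
"""Parse Cisco 'show port-security interface' output and classify the port state.

SAMPLE is the output the original poster pasted for fa 0/31; the classification
thresholds below are this example's own assumptions, not IOS behaviour.
"""

SAMPLE = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""

def parse_port_security(text):
    """Return {field: value}; fields whose value starts with a number become ints."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:          # skip prompts and blank lines
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        tokens = value.split()
        fields[key] = int(tokens[0]) if tokens and tokens[0].isdigit() else value
    return fields

def diagnose(fields):
    """Map the parsed fields to one of a few states a troubleshooter cares about."""
    if fields.get("Port Security") != "Enabled":
        return "disabled"
    if (fields.get("Port Status") == "Secure-shutdown"
            or fields.get("Security Violation Count", 0) > 0):
        return "violation"         # an unexpected or excess MAC tripped the port
    if (fields.get("Total MAC Addresses", 0) == 0
            and str(fields.get("Last Source Address:Vlan", "")).startswith("0000.0000.0000")):
        return "no-frames-seen"    # enabled, no violation, nothing ever learned
    if fields.get("Total MAC Addresses", 0) >= fields.get("Maximum MAC Addresses", 0):
        return "full"              # table is at its maximum; a new MAC would violate
    return "learning"

if __name__ == "__main__":
    parsed = parse_port_security(SAMPLE)
    print(parsed["Maximum MAC Addresses"], diagnose(parsed))
```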
  • Nightflier101BL Member Posts: 134
    DCD wrote: »
    Try it in this order.

    switchport mode access
    switchport port-security
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    I tried this as well with no luck.

    Do you think it could have something to do with the way I have my lab set up with my home router? I've got three 3550 switches connected together with dual links between them all. I'm connected via SSH into my first switch with an ethernet cable running back to my home Linksys router for my internet connection, then to my modem and PC. Could it be related to an STP feature?

    Sorry for my noob questions, lol.

    Thanks for your help.

    Robert
  • sadfjlfdo24 Banned Posts: 59
    What do you mean by "dual links between them all"? Are you using a crossover cable? I don't see any port-channel or trunk ports configured in that show run you posted. You are connected via SSH to your first switch; is this the switch you ran the commands on (SW1)?
  • Nightflier101BL Member Posts: 134
    Yes, two crossover cables between each switch. All of the above commands are from SW1.
  • Nightflier101BL Member Posts: 134
    Well, I consoled into just the one switch without anything else being connected except the laptop plugged into fa 0/31. It seems to work now. I'm getting the MAC address recognized next to the sticky command if I do sh run int fa 0/31.

    Well, I can carry on with my learning and try to figure out why I was having the issue with the way I had everything set up.

    Robert