port-security and network connectivity problem

Hello everyone,

I'm very new to networking and am currently working on my CCNA. I've run into an interesting problem labbing with port-security on a Cisco 3550.

I've configured fa 0/31 on one of the switches as follows:

switchport mode access
switchport port-security maximum 2
switchport port-security mac-address sticky

The problem is, the moment when enable port security with the "switchport port-security" command, I immediately lose network connectivity on the PC. If I do "no switchport port-security", the connection comes back.

With port-security disabled, I can do a "show mac address-table" and I see the MAC of the PC listed at fa 0/31. When port-security is enabled, I no longer see the MAC address.

If I do "show port-security" with the port-security enabled, I do not see the anything under "CurrentAddr" for learned MAC addresses, nor do I ever see the MAC populate when I do "sh run int fa 0/31"

"terminal monitor" does not show me anything when I switch between enabled and disabled. I've tried two different PC's and two different Cisco 3550 switches and I get the same result.

I would appreciate any insight or suggestions.

Thanks!

Robert

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

mendysue

My guess would be that you need to enable port security and then run the above commands.

TechGuru80

I haven't tried maximum 2 but I could see that in conjunction with sticky causing an error. Since sticky is suppose to capture what is connected, where I bet if you had a switch and the computer plugged in it would work. Does it work with maximum 1?

sadfjlfdo24

what is your show run and show ver?

Nightflier101BL

With "switchport port-security maximum 1", the connection still drops. Even if I remove the command all together and let it default to 1, same problem.

Here's my sh run and sh ver:

SW1#sh run
Building configuration...

Current configuration : 5882 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
enable secret 5
enable password
!
username
!
!
aaa new-model
!
!
!
!
!
aaa session-id common
authentication mac-move permit
ip subnet-zero
ip domain-name
!
!
!
!
crypto pki trustpoint TP-self-signed-1093877888
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1093877888
revocation-check none
rsakeypair TP-self-signed-1093877888
!
!
crypto pki certificate chain TP-self-signed-1093877888
certificate self-signed 01

spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0/1
switchport mode dynamic desirable
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport mode dynamic desirable
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface FastEthernet0/13
switchport mode dynamic desirable
!
interface FastEthernet0/14
switchport mode dynamic desirable
!
interface FastEthernet0/15
switchport mode dynamic desirable
!
interface FastEthernet0/16
switchport mode dynamic desirable
!
interface FastEthernet0/17
switchport mode dynamic desirable
!
interface FastEthernet0/18
switchport mode dynamic desirable
!
interface FastEthernet0/19
switchport mode dynamic desirable
!
interface FastEthernet0/20
switchport mode dynamic desirable
!
interface FastEthernet0/21
switchport mode dynamic desirable
!
interface FastEthernet0/22
switchport mode dynamic desirable
!
interface FastEthernet0/23
switchport mode dynamic desirable
!
interface FastEthernet0/24
switchport mode dynamic desirable
!
interface FastEthernet0/25
switchport mode dynamic desirable
!
interface FastEthernet0/26
switchport mode dynamic desirable
!
interface FastEthernet0/27
switchport mode dynamic desirable
!
interface FastEthernet0/28
switchport mode dynamic desirable
!
interface FastEthernet0/29
switchport mode dynamic desirable
!
interface FastEthernet0/30
switchport mode dynamic desirable
!
interface FastEthernet0/31
switchport mode access
switchport port-security
switchport port-security mac-address sticky
!
interface FastEthernet0/32
switchport mode dynamic desirable
!
interface FastEthernet0/33
switchport mode dynamic desirable
!
interface FastEthernet0/34
switchport mode dynamic desirable
!
interface FastEthernet0/35
switchport mode dynamic desirable
!
interface FastEthernet0/36
switchport mode dynamic desirable
!
interface FastEthernet0/37
switchport mode dynamic desirable
!
interface FastEthernet0/38
switchport mode dynamic desirable
!
interface FastEthernet0/39
switchport mode dynamic desirable
!
interface FastEthernet0/40
switchport mode dynamic desirable
!
interface FastEthernet0/41
switchport mode dynamic desirable
!
interface FastEthernet0/42
switchport mode dynamic desirable
!
interface FastEthernet0/43
switchport mode dynamic desirable
!
interface FastEthernet0/44
switchport mode dynamic desirable
!
interface FastEthernet0/45
switchport mode dynamic desirable
!
interface FastEthernet0/46
switchport mode dynamic desirable
!
interface FastEthernet0/47
switchport mode dynamic desirable
!
interface FastEthernet0/48
switchport mode dynamic desirable
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
!
interface Vlan1
ip address 192.168.1.15 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
control-plane
!
!
line con 0
password
logging synchronous
line vty 0 4
exec-timeout 0 0
password
logging synchronous
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
password
logging synchronous
transport input telnet ssh
!
end

SW1#sh ver
Cisco IOS Software, C3550 Software (C3550-IPBASEK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 09:04 by sasyamal
Image text-base: 0x00003000, data-base: 0x01178C54

ROM: Bootstrap program is C3550 boot loader

SW1 uptime is 7 minutes
System returned to ROM by power-on
System image file is "flash:/c3550-ipbasek9-mz.122-52.SE/c3550-ipbasek9-mz.122-52.SE.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
Export Compliance Product Report Application

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco WS-C3550-48 (PowerPC) processor (revision D0) with 65526K/8192K bytes of memory.
Processor board ID CHK0626V0JN
Last reset from warm-reset
Running Layer2/3 Switching Image

Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces

Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface

Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

48 FastEthernet interfaces
2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.
384K bytes of flash-simulated NVRAM.
Base ethernet MAC Address: 00:0A:41:33:40:80
Motherboard assembly number: 73-5701-10
Power supply part number: 34-0967-01
Motherboard serial number: CAT06250KU6
Power supply serial number: LIT062300XJ
Model revision number: D0
Motherboard revision number: A0
Model number: WS-C3550-48-EMI
System serial number: CHK0626V0JN
Configuration register is 0x10F

SW1#

Thanks for your help!

Robert

sadfjlfdo24

What do you get for "show port-security int fa0/31" ?

Try running "clear port-security dynamic" and enabling port security on int fa0/31 afterwards.

DCD

Try it in this order.

switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky

Nightflier101BL

sadfjlfdo24 wrote: »

What do you get for "show port-security int fa0/31" ?

Try running "clear port-security dynamic" and enabling port security on int fa0/31 afterwards.

Here's my output:

SW1(config-if)#do sh port int fa 0/31
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

SW1(config-if)#

I'm still having the same issue after running "clear port-security dynamic".

Thanks!

Nightflier101BL

DCD wrote: »

Try it in this order.

switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky

I tried this as well with no luck.

Do you think it could have something to do with the way I have my lab setup with my home router? I've got 3 3550 switches connected together with dual links between them all. I'm connected via SSH into my first switch with an ethernet cable running back to my home linksys router for my internet connection, then to my modem and PC. Could it be related to an STP feature?

Sorry for my noob questions, lol.

Thanks for your help.

Robert

sadfjlfdo24

What do you mean by 'dual links between them all'? Are you using a crossover cable? I dont see any portchannel or trunk ports configured in that show run you posted. You are connected via SSH to your first switch - is this the switch you ran commands on (SW1) ?

Nightflier101BL

Yes, two crossover cables between each switch. All of the above commands are from SW1.

Nightflier101BL

Well, I consoled into just the one switch without anything else being connected except the laptop plugged into fa 0/31. It seems to work now. I'm getting the MAC address recognized next to the sticky command if I do sh run int fa 0/31.

Well, I can carry on with my learning and try to figure out why I was having the issue with the way I had everything set up.

Robert