switchport port-security problem

Hi all

I wanted to test using switchport port-security with a fixed MAC address for VoIP and sticky for the access VLAN.
To do this, I created the following configuration:

switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address e8ba.7006.59a4 vlan voice

The problem is that the MAC address the switch learns on the access VLAN never goes away, even if the device is no longer connected.

switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky c434.6b24.5db9 vlan access
switchport port-security mac-address e8ba.7006.59a4 vlan voice

Can you help me?

This should make them disappear without having to use any statement when the switchport learns a new MAC again. If it's manual, you have to bounce the port as well.

Disable sticky port-security on the interface.

Tags: Cisco Network

Similar Questions

  • Errors of run Switchport Port-Security

    So I'm a bit new to switchport security.  I work on most of the ports in one location.  It's ports where I have either switchport voice and switchport access VLAN or just switchport voice VLAN.  For some reason, these types of ports are going into err-disable.  Here are a few examples.  Indications as to why it would stop even when I have the right MAC address would be very useful. Interface Fa0/3 has a phone attached to it and a connected computer the phone is off.

    interface FastEthernet0/2
    description Table phone
    switchport mode access
    switchport voice vlan 2
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address 34a8.4ea6.0f95
    spanning-tree portfast

    interface FastEthernet0/3
    description SAM PHONE x 1623
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    switchport port-security maximum 2
    switchport port-security mac-address 442b.031a.2975 - phone MAC
    switchport port-security mac-address e840.f223.8842 - computer MAC
    spanning-tree portfast

    2 442b.031a.2975 DYNAMIC Fa0/3

    2 34a8.4ea6.0f95 DYNAMIC Fa0/2

    The log says this whenever I turn on port security.  Any other port where there is only 1 VLAN or 1 device works fine, no problem.

    27 June 2015 23:59:56: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.
    June 28, 2015 00:00:01: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
    June 28, 2015 00:00:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
    June 28, 2015 00:00:03: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
    June 28, 2015 00:00:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.

    I know I'm missing something because I am new to using switchport security.  I want to lock the ports to prevent unauthorized devices from plugging into my network.  I have disabled all DHCP, but I want to take it a little further and prevent them from even entering and probing the network.

    EDIT - Forgot to mention that it is a 2960, version 15.0(2)SE5

    Thank you

    David

    David, Kevin,

    Let me join you.

    The way I see Fa0/2 working with its original configuration is:

    • The maximum number of secure MAC addresses is 1.
    • The access VLAN is 1, the voice VLAN is 2.
    • The static secure MAC address 34a8.4ea6.0f95 is added to the access VLAN, not to the voice VLAN.
    • When the phone starts to communicate in the voice VLAN, its MAC address cannot be dynamically added to the list because the maximum allowed number of secure MACs is 1 and the list is already full. The fact that its MAC address is configured statically is irrelevant, because it is not associated with the voice VLAN.

    Try to delete the line

    switchport port-security mac-address 34a8.4ea6.0f95

    and replace it with

    switchport port-security mac-address 34a8.4ea6.0f95 vlan voice

    and see if it solves the problem.

    Best regards
    Peter

  • Activation of port security on C4507R stop port

    I'm trying to enable port security on several 4507Rs. When I try to set up a range of ports on the switch, 1 or 2 will randomly go into err-disable.  It's different every time I have applied the config to the same port group.  However, if I do them one at a time it seems to work.  But I really don't want to configure 6 completely filled switches one port at a time.   We also have a lot of 3750s and they gave me no problems using a range of ports.

    Here is the config I am trying to configure

    switchport port-security

    switchport port-security maximum 2

    switchport port-security aging time 1

    switchport port-security aging type inactivity

    The IOS version is 12.2(25)EWA8.

    Try rearranging the order in which you enter the commands. Put 'switchport port-security' last, because as soon as you enter this command, port security is enabled with the default maximum of 1 MAC address per interface. If a port has two hosts on it before the next command setting the maximum to 2 is entered, it will get shut down.

    Another option is to temporarily enable errdisable recovery:

    errdisable recovery cause psecure-violation

    errdisable recovery interval "seconds"

    Sent from Cisco Technical Support iPad App
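
The three pitfalls raised in the threads above (sticky addresses combined with an aging time, a static MAC not bound to the voice VLAN while the maximum is 1, and enabling port security before raising the maximum) can be checked mechanically before a config is pushed to a port range. The Python below is an added example, not code from the posters or from Cisco; `lint_port`, the finding codes and the sample command lists (constructed from the configurations quoted in the threads, with command syntax repaired) are assumptions for illustration.

```python
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
RE_MAX = re.compile(r"switchport port-security maximum (\d+)")
RE_AGING = re.compile(r"switchport port-security aging time \d+")
RE_MAC = re.compile(
    r"switchport port-security mac-address (sticky )?(%s)( vlan (access|voice))?" % MAC)


def lint_port(commands):
    """Return [(code, message)] for interface commands in the order they are typed."""
    cmds = [" ".join(c.lower().split()) for c in commands if c.strip()]
    maximum = 1                  # IOS default when no maximum is configured
    enabled_at = max_at = None   # positions of the enable and maximum commands
    sticky = aging = voice_vlan = False
    not_voice = []               # secure MACs entered without "vlan voice"
    for i, cmd in enumerate(cmds):
        m_max, m_mac = RE_MAX.fullmatch(cmd), RE_MAC.fullmatch(cmd)
        if cmd == "switchport port-security":
            enabled_at = i
        elif m_max:
            maximum, max_at = int(m_max.group(1)), i
        elif RE_AGING.fullmatch(cmd):
            aging = True
        elif cmd == "switchport port-security mac-address sticky":
            sticky = True
        elif cmd.startswith("switchport voice vlan "):
            voice_vlan = True
        elif m_mac:
            sticky = sticky or bool(m_mac.group(1))
            if m_mac.group(4) != "voice":
                not_voice.append(m_mac.group(2))

    findings = []
    if enabled_at is not None and max_at is not None and enabled_at < max_at and maximum > 1:
        findings.append(("ORDER", "port security is live with the default maximum of 1 "
                         "until 'maximum %d' is entered; enter the enable command last" % maximum))
    if sticky and aging:
        findings.append(("STICKY_NO_AGING", "sticky addresses are not aged out, so the "
                         "aging time only affects dynamically learned addresses"))
    if voice_vlan and maximum == 1 and not_voice:
        findings.append(("VOICE_MAC_UNBOUND", "maximum is 1 and %s is not bound to the "
                         "voice VLAN, so the phone's MAC cannot be added there"
                         % ", ".join(not_voice)))
    return findings


def codes(commands):
    """Finding codes only, in the order the checks run."""
    return [code for code, _ in lint_port(commands)]


# Constructed inputs: the configurations quoted in the threads, with command syntax repaired.
FIRST_POST = """switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security mac-address sticky
switchport port-security mac-address e8ba.7006.59a4 vlan voice""".splitlines()

FA0_2 = """switchport mode access
switchport voice vlan 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 34a8.4ea6.0f95""".splitlines()

C4507R_RANGE = """switchport port-security
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security aging type inactivity""".splitlines()

if __name__ == "__main__":
    for name, cfg in [("first post", FIRST_POST), ("Fa0/2", FA0_2), ("4507R", C4507R_RANGE)]:
        for code, msg in lint_port(cfg):
            print("%-10s %-17s %s" % (name, code, msg))
```

The input is the command sequence as typed, not `show running-config` output, because the ordering check depends on entry order.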

  • Laboratory of port security exercise - do not behave as expected.

    Hello

    I'm working on a CCENT training lab to demonstrate the configuration of port security.

    I have a Catalyst 3550 switch running Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3). I have two computers connected on ports fa0/1 and fa0/2 with IP addresses of 10.0.0.20/24 and 10.0.0.12/24 respectively. Without port security active, each computer can successfully ping the other.

    As soon as I change the configuration to add port security on fa0/1, I am not able to ping between the two computers, nor can I ping 10.0.0.20 from the console of the switch, but I don't know why! If I remove it again, the pings succeed again.

    I expect that the switch should learn the MAC of the computer connected to fa0/1 and shut down if there is subsequently any traffic from another MAC.

    Interestingly, the 'show mac address-table' command shows the MAC connected to fa0/1 when port security is not enabled. I don't know if this is relevant.

    Can someone help me diagnose what is happening?

    Thank you.

    Configuration before change:

    interface FastEthernet0/1
     switchport mode access
     speed 100
     duplex full
     spanning-tree portfast
    !
    interface FastEthernet0/2
     switchport mode access
     speed 100
     duplex full
     spanning-tree portfast
    !

    Configuration after change:

    interface FastEthernet0/1
     switchport mode access
     switchport port-security
     speed 100
     duplex full
     spanning-tree portfast
    !
    interface FastEthernet0/2
     switchport mode access
     speed 100
     duplex full
     spanning-tree portfast
    !

    Other diagnostics (after change):

    S1#show ip interface brief
    Interface              IP-Address      OK? Method Status                Protocol
    Vlan1                  10.0.0.5        YES NVRAM  up                    up
    FastEthernet0/1        unassigned      YES unset  up                    up
    FastEthernet0/2        unassigned      YES unset  up                    up

    S1#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa0/1              1            0                  0         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 5120

    S1#show port-security interface fa0/1
    Port Security              : Enabled
    Port Status                : Secure-up
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0000.0000.0000:0
    Security Violation Count   : 0

    S1#show interfaces fa0/1
    FastEthernet0/1 is up, line protocol is up (connected)
      Hardware is Fast Ethernet, address is 000f.f796.d781 (bia 000f.f796.d781)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00
      Last input never, output 00:00:01, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         3494 packets input, 587250 bytes, 0 no buffer
         Received 1593 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 1254 multicast, 0 pause input
         0 input packets with dribble condition detected
         39631 packets output, 3311977 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out

    S1#show mac address-table | include DYN
       1    b827.ebed.e2d9    DYNAMIC     Fa0/2

    S1#show ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.0.0.12                5   b827.ebed.e2d9  ARPA   Vlan1
    Internet  10.0.0.5                 -   000f.f796.d780  ARPA   Vlan1
    Internet  10.0.0.20               32   10dd.b1f1.0c64  ARPA   Vlan1

    Do you have any other platform to configure your lab on? It should ideally work, and the configuration is fine. However, to complete your lab, you already have a workaround...

    I suspect that this issue is related to the hardware you use or is due to a bug.

    Please note the useful comment

  • N2048 port security does not

    Hi Experts,

    We have just deployed a new site that uses Dell N2048 switches in a stack.

    Now we would like to add port security to the switch, port-MAC locking to lock down a port if another computer.

    According to the manual, to set this up we only need to set the port to locked in the GUI under Switching, Network Security, Port Security.

    This does not activate it.

    We tried adding it via the command line on the test ports; it now shows:

    switchport port-security dynamic 1

    Still, port security is not enabled. Is there another thing that must be enabled globally to make this work, or other commands?

    Thank you

    The output of # show port-security is as follows:

    Port Security Administration Mode: enabled

    It is possible that the tests were not done fast enough. I spent the time-out and ask them to test again.

    Thank you

  • PowerConnect 35XX port security

    Hello. I am trying to locate a CLI command that will allow me to quickly clear the current MAC addresses for a port secured with port security.

    My configuration of the interface is fairly simple.

    dot1x multiple-host
    port security max 2
    port security discard-shutdown

    If I connect a different host than the original to the port, it does as it should and trips port security. Now, everything is fine if I plan on reconnecting the original host: I issue the global command "set interface active ethernet eth #" and the port is back online. The problem comes when I want to change the host. I have to completely remove the dot1x and the security configuration of the port [minus the max], 'set interface active', and then add the dot1x and port security configuration back to the interface.

    Is there a way to quickly clear the port's secure addresses so that new addresses can be learned?

    Thanks in advance.

    -Andrew

    Try this command and see if it works: console# dot1x re-authenticate ethernet 1/eXX

  • Need help to reset/compensation port security on a PowerConnect 35XX

    I'm implementing port security on our network, and I've never worked with these switches before. I'm used to the Cisco CLI, which has the exec command "clear port-security sticky int", but there doesn't seem to be anything of the sort on the Dell CLI.

    Here is the config I have in place on the switchport in question.

    dot1x multiple-host

    safe standing of port security mode

    port security discard

    For the moment, the port has done what it is supposed to do, but other than removing the configuration from the interface completely, I am unable to find in the CLI reference or online how to 'quickly' reset the port.

    Any help would be appreciated.

    Disregard. I found the command buried in the CLI reference.

    There are actually two commands necessary to reactivate the interface:

    "dot1x re-authenticate ethernet [port]"

    "set interface active ethernet [port]"

    Thank you

  • Port for a port security

    Hello everyone.

    I'm building a setup where I have a C2960 switch connected to a Cisco AP-1142.

    The switch and the access point will carry 2 VLANs, one for professional use and the other for guests (internet only).

    So between the switch and the AP I intend to have a dot1q trunk.

    I'm afraid that someone who is connected to the guest network (which has a password that anyone can get at the reception) can execute a CAM overflow attack that will overload the switch.

    What feature would you suggest to prevent this?

    Port security will allow you to limit the number of MAC addresses learned on the switchport, but it is difficult to implement for an access point port because it's going to have a lot of MAC addresses, depending on the number of Wi-Fi users.

    About how many do you expect to connect?

    You can enable port security and set the limit to something like 25 or 50, and combine this with an aging time so that the switch removes learned MAC addresses once they have been inactive for X number of seconds.

  • With the help of port security with Failover PIX

    Hello

    I want to configure port security on a switch in which a pair of PIX failover are configured. However, after

    http://www.Cisco.com/univercd/CC/TD/doc/product/LAN/cat6000/12_1e/swconfig/port_sec.htm

    It seems that this is not possible due to the PIX swapping MAC addresses: "If a workstation with a secure MAC address that is configured or learned on one secure port attempts to access another secure port, a violation is flagged."

    Does anyone know of a way around this?

    Many thanks in advance,

    Matt

    Hello Matt,

    Unfortunately, there is no workaround for your problem.

    Thank you

    Renault

  • OfficeJet Pro 8610: Get the Permission of HPeprint or security problem error

    I used printing wireless for several months successfully to print from my work computer, but am now able to print to the e-mail address provided.

    The error reads 'your message was not delivered because of a permission or a security problem.  It may have been rejected by a moderatory, the address can only accept email from certain senders, or another restriction to prevent any delivery.

    The Organization rejected your message: hpeprint.com. »

    I've reconfigured my printer to my router.  Any suggestions?

    Hey @LoreeW,

    Welcome to the Forum from HP Support. I hope you enjoy your experience here.

    I understand that you have a few problems with ePrint using your HP Officejet Pro 8610 e-all-in-one printer.  I want to help you with this.

    I recommend that you first check your printer to verify its intact ePrint connection:

    • Touch the icon (webservices)
    • If you see an address @hpeprint.com, I recommend that you try to send a test ePrint from a different email domain than what you use on your work computer.  If it prints correctly, we can rule out your printer as being a factor in this particular issue.  If your printer's Web services is enabled is more, re - enable.  Any problem would occur with this, click here to access another relevant post I created.  Scroll to my suggestion re: setting a manual DNS as this tends to help by allowing the webservices where fail the normal steps.

    If you were able to send your printer work ePrint of any e-mail domain other than the one you use at work, read on.  Click here to see an HP ePrint article that focuses on the various factors that can contribute jobs ePrint not printing not.  Note that some areas of corporate email may become incompatible with ePrint due to the presence of a digital signature in the outgoing message template.  EPrint jobs you send work meet these criteria?

    Please let me know the result of your troubleshooting by responding to this post.  Thanks again for reaching out in the Forums - we are always happy to help you.  If I helped you to solve the problem and that you liked this post, feel free to give me virtual accessories by clicking on the 'Thumbs Up' icon below.

    Have a great day!

  • prolific usb-to-serial com port driver problem. I can't load the driver from propper for her. What should I do?

    prolific usb-to-serial com port driver problem. I can't load the driver appropriate for that. What should I do?

    Hello edmcski,

    This thread has been created in the Feedback forum. the Microsoft moderation team has moved this thread on the forums of hardware and drivers.

  • What should be the port/security settings for Windows Mail with Vista - I think they changed?

    I had to reinstall Vista when my hard drive crashed, and Windows Mail does not work completely correctly. I think remember me an email from Microsoft told me to change the ports/security settings. Could someone tell me what they should be?

    A "error message indicating", what exactly? No error code or the relevant text?
     
    Make sure these settings match exactly.
     
     

    Leave messages on the server and it clutter?
     
     
  • Security problem with hidden extensions checked.

    I said I should uncheck "Hide extensions of the file types that you want to know" in Windows 7, because I could inadvertently download a document with a double extension like 'Memo.txt.vbs. If the extension is hidden, then it would appear like 'Memo.txt. It would be a security problem. Is this true?

    For any question on Windows 7:

    http://social.answers.Microsoft.com/forums/en-us/category/Windows7

    Link above is Windows 7 Forum for questions on Windows 7.

    Windows 7 questions should be directed to / stationed there.

    You are in the Vista Forums.

    See you soon.

    Mick Murphy - Microsoft partner

  • Best calls "Windows Help" Attorney call me to say I have a security problem on my PC and wants that I let him remote connect to solve this problem, it is legitimate?

    The first few times we call I refused to listen to because it sounded wrong, but this time I heard him out and that's what they said. First, he was of the India, I think his accent and he said he was calling to inform me about a security problem with my PC, it is said to "Best Windows Help" and that my network was showing at its end with a red light indicating a problem. He had opened the Run command and type of command bar to display the observer of events and go to the newspapers of Win and click Applications, then he wanted me to scroll the Application events and see how many errors was there. Between 20 and 50 I said, he said oh yes you have a problem and that he could fix in a few minutes, then it puts me in a collaborator of his that says display the control bar run then type "Iexplore www.support.me" which led me to a "Logmein Rescue page to https://secure.logmeinrescue.com/Customer/Code.aspx. At this point, that he asked me to give him full access to my PC in which I said, "you're crazy, no way" and he said OK then your PC will freeze and crash and I said a few words very friendly back and hung up. They seem to call every month or two and it looks like the same guy. Is it a Con? Who is this company "best Windows Help and how are they finding me? They say the information they hold comes from Microsoft. My caller ID lists like V052409070106, phone # (202) 011 - 3341. What is everything. Also, my PC is not crash or freeze because I installed it 2 years ago. I am running Win 7 Pro with Microsoft Security Essentials and windows Firewall behind a Cisco router.

    Scam.  They said that my computer was downloading malicious code and therefore transmit signals the error on their server.

    They have a Web site, as afar as I can tell.  I asked the guy at the phone for his site.  He couldn't give me a Web site URL or couldn't pronounce correctly.  He was frustrated and hung up.  Scam.

  • Port security and DHCP

    Hi all.

    I have configured port security on some ports, and I don't think it handles frames as it should. The settings are as follows:

    -max: adds the correct number of MAC

    -permanent safe mode

    -throw

    I connect the legitimate devices, up to the maximum number of MACs the port must learn, and then I connect a device with an unsecured MAC. I can get an IP address from the DHCP server, but no traffic is being forwarded. I think that a non-legitimate device should not be able to get an IP address, as port security ignores all frames with an unknown source MAC.

    Hi Stelios,

    Your configuration seems to be fine. Mine was connected only with port security, and I set the max addresses to 1. I see only 1 MAC address sending bootp; all other devices connected via the switch on this port send no bootp.

    You could also do a packet capture using the switch's port mirroring capabilities and the Wireshark application. Perhaps the devices are using old known IP addresses...

    Kind regards

    Aleksandra
