Port security Issues on 2950

sk391

Technical User
Jun 13, 2007
102
GB
Can someone please help me with this? I am trying to configure port security to allow 1 MAC address to be used on port 10 of my 2950 switch. The problem is that when I have configured it and confirmed it is configured, I plug another laptop into the same port and the port still works. I will copy the commands which I am using below.


MTU 1500 bytes, B



CiscoSwitch1(config-if)#switchport port-security maximum 1
CiscoSwitch1(config-if)#switchport port security vio
CiscoSwitch1(config-if)#switchport port-security vio
CiscoSwitch1(config-if)#switchport port-security violation shutdown
CiscoSwitch1(config-if)#end
CiscoSwitch1#
00:30:26: %SYS-5-CONFIG_I: Configured from console by consolewr
Building configuration...
[OK]
CiscoSwitch1#show mac-address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0014.1c7d.98c0 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 0002.dd7c.b789 STATIC Fa0/10
1 000f.b57f.bca8 DYNAMIC Fa0/6
1 0050.8d52.3c8d DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 7
CiscoSwitch1#

The print shows that fa 0/10 has a static MAC address assigned, but it still works if I plug a different laptop into fa 0/10. The port does not shut down!!?

Please help

 
OK, an update: I have been doing some reading and it seems that I have missed a command out.

After the violation command I should have a

' switchport port-security mac-address 0002.dd7c.b789' command, but when I enter the command I get the following error. Found duplicate mac-address 0002.dd7c.b789.

??
 
I needed to unplug the laptop from the port, clear the mac-address-table and then configure port security, manually adding the MAC address. I plugged in the 2nd laptop and then the port went into err-disabled mode.

A shutdown and no shutdown command on the port brings the port back into service when laptop 1 is plugged in.

Is there a better way of doing this? I have read something about sticky MAC addresses.

Anyone know about this?

 
Hi

The other way to do this, is to let all the dynamically learned mac-addresses be converted to sticky secure mac-addresses. This way you don't have to manually enter the mac-addresses. The following code should do it.

Switch(config)#interface fastethernet 0/10
Switch(config-if)#switchport port-security mac-address sticky

Regards

Viconsul.
 
With the 2950 you have to issue the switchport port-security command without any arguments to get the security working. Think of it as "hiring a guard" then telling the guard what to do with other port-security commands:

Switch(config)#int f0/10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#end

The switchport port-security max 1 is a default setting as is switchport port-security violation shutdown.

HTH
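
An added example, not part of the original thread or any poster's code: a small Python audit that finds interfaces in a saved running-config which carry port-security options but lack the bare switchport port-security line that turns the feature on, the mistake in the first post. The config excerpt is constructed, and the function names and status strings are hypothetical; it assumes the options appear in the running-config as they were typed.

```python
# Constructed sample: a running-config excerpt, not taken from the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport port-security violation restrict
 switchport port-security mac-address 0002.dd7c.b789
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/12
 switchport mode access
!
"""

PS = "switchport port-security"

def interface_blocks(config):
    """Yield (interface name, [sub-command lines]) for each interface stanza."""
    name, lines = None, []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            if name:
                yield name, lines
            name, lines = raw.split(None, 1)[1], []
        elif name and raw.startswith(" "):
            lines.append(raw.strip())
        elif name:  # "!" or a new top-level command ends the stanza
            yield name, lines
            name, lines = None, []
    if name:
        yield name, lines

def audit_port_security(config):
    """Return {interface: 'enabled' | 'options-without-enable' | 'none'}."""
    report = {}
    for name, lines in interface_blocks(config):
        ps_lines = [ln for ln in lines if ln.startswith(PS)]
        if PS in ps_lines:  # the bare command is what switches the feature on
            report[name] = "enabled"
        elif ps_lines:      # options configured, feature never enabled
            report[name] = "options-without-enable"
        else:
            report[name] = "none"
    return report

if __name__ == "__main__":
    for intf, status in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{intf}: {status}")
```

Any port reported as options-without-enable will accept a second device exactly as described in the first post; on the switch itself, show port-security interface for that port confirms whether the feature is enabled.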
 