Troubleshoot Port Security
Exam: Cisco 642-832 - Troubleshooting and Maintaining Cisco IP Networks (TSHOOT v1.0)
Port security is used for layer 2 security. It restricts the specific mac address(es ) that are allowed on a particular switch port. It can also restrict the maximum number of mac addresses allowed on a switch port.
The most important command for troubleshooting port security is "show port security interface [Int number]". The output of the command looks like the following:
Port Security | : Enabled |
Port Status | : Secure-up |
Violation Mode | : Restrict |
Aging Time | : 0 mins |
Aging Type | : Absolute |
SecureStatic Address Aging | : Disabled |
Maximum MAC Addresses | : 1 |
Total MAC Addresses | : 1 |
Configured MAC Addresses | : 0 |
Sticky MAC Addresses | : 1 |
Last Source Address:Vlan | : 001b.d41b.a4d8:10 |
Security Violation Count | : 0 |
- If a port security violation is present on a port, you will see the "Port Status" as "Secure-Down". In this situation, note the "Last Source Address" field. Make sure that this mac address is the same allowed on the port.
- The "Total Mac Addresses" field indicates the maximum number of mac addreses allowed on a port. If a switch port is being used to connect multiple devices, then make sure that maximum addresses allowed on the port are adjusted accordingly.
- If the "auto recovery" feature is not enabled and port security violation occurs, the port is disabled and put into "err-disabled" state. After fixing the port security, the port must be "shutdown" and "no shutdown" in order to release the err-disabled state. The alternative is to enable auto recover using "errdisable recovery cause psecure-violation" command. This will try to enable the port after a specific time period.
- Note that port security actually stores a static mac entry in the address table. A tricky situation can occur if you move one PC from a secured port to another port on the same switch. In that case, the new port will always complain of port security since a single mac address is allowed to be learned from only one port of a switch, so switch will always trigger port violation when the PCs mac is learned on the new port. In order to fix this problem, make sure that you remove the port security commands from the old switchport.
Related IT Guides
- Troubleshoot Access-ports for VLAN Based Solution
- Troubleshoot configuration issues related to accessing AAA server for authentication purposes
- Troubleshoot EIGRP
- Troubleshoot first hop redundancy protocols
- Troubleshoot Loop Prevention for VLAN Based Solution
- Troubleshoot Routing Redistribution
- Troubleshoot Switch Virtual Interfaces (SVI)