Is it possible to have a neutral switch with Cisco port security enabled?

eezeekial
I have a Cisco question that I have been wondering about for a couple of months now. We have port security at work allowing only 2 MACs per port, usually the Cisco phone and the PC. I have a Cisco switch in my work area that I use to work on PCs. If I bring a PC into my room from another person's office port that the MAC was 'stickied' to and plug it into my switch, I can't get out on the network. I was wondering if it was possible to program the switch in my room to be neutral so that I wouldn't have to contact our Cisco guy to release the MACs from their original port every time I wanted to plug them into my switch. He told me that he doesn't know of a way to do that and that it's probably not possible. I'm hoping he is not right and there is a way to do this. Thanks in advance.
    Apoorv182

    I understand your question; you're asking whether it is possible to bring a PC from another person's office into your own room and connect it to a switch port that has port security allowing only 2 MACs per port. If this is your question, then yes, it is possible.
    First, attach your PC to the console port of your switch through the console cable for configuration.
    Here is an example on a Cisco 2950T-24 switch. This can help you:
    1. To apply port security:
    Switch>en
    Switch#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)#int range fastEthernet 0/1-24
    Switch(config-if-range)#switchport port-security ?
    mac-address Secure mac address
    maximum Max secure addresses
    violation Security violation mode
    <cr>
    Switch(config-if-range)#switchport port-security maximum 2
    Switch(config-if-range)#switchport port-security mac-address sticky
    Switch(config-if-range)#switchport port-security violation ?
    protect Security violation protect mode
    restrict Security violation restrict mode
    shutdown Security violation shutdown mode
    Switch(config-if-range)#switchport port-security violation shutdown
    Switch(config-if-range)#^Z
    Switch#
    %SYS-5-CONFIG_I: Configured from console by console

    Switch#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    2. Checking the security:
    Switch#show running-config
    Building configuration...

    Current configuration : 2977 bytes
    !
    version 12.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    !
    !
    interface FastEthernet0/1
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/2
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/3
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/4
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/5
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/6
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/7
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/8
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/9
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/10
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/11
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/12
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/13
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/14
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/15
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/16
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/17
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/18
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/19
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/20
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/21
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/22
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/23
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/24
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface GigabitEthernet1/1
    !
    interface GigabitEthernet1/2
    !
    interface Vlan1
    no ip address
    shutdown
    !
    !
    line con 0
    !
    line vty 0 4
    login
    line vty 5 15
    login
    !
    !
    End
    3. Removing the port security:
    Switch(config-if-range)#no switchport port-security maximum 2
    Switch(config-if-range)#no switchport port-security mac-address sticky
    Switch(config-if-range)#no switchport port-security violation ?
    <cr>
    Switch(config-if-range)#no switchport port-security violation
    Switch(config-if-range)#^Z
    Switch#
    %SYS-5-CONFIG_I: Configured from console by console

    4. Checking the security:
    Switch#show running-config
    Building configuration...

    Current configuration : 1009 bytes
    !
    version 12.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    !
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet1/1
    !
    interface GigabitEthernet1/2
    !
    interface Vlan1
    no ip address
    shutdown
    !
    !
    line con 0
    !
    line vty 0 4
    login
    line vty 5 15
    login
    !
    !
    end
    Switch#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    Switch#

    eezeekial

    Thank you for the quick response! He told me that there is no port security on the switch in my office and proceeded to send me this.

    interface FastEthernet0/1
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/2
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/3
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/4
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/5
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/6
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/7
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/8
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/9
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/10
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/11
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/12
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/13
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/14
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/15
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/16
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/17
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/18
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/19
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/20
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/21
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 103
    spanning-tree portfast
    !
    interface FastEthernet0/22
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/23
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    spanning-tree portfast
    !
    interface FastEthernet0/24
    switchport mode trunk

    The switch in my office is seeing that the mac is locked down on another port on a different switch that is secured.

    CG IT

    Any MAC address that connects and is not allowed on the port triggers the security configured on the port. It can be "protect" or shutdown. Protect simply drops the packets but does not administratively shut down the port. Shutdown shuts down the port, and it must be administratively enabled [no shut].

    There's no workaround if this security is enabled. You have to disable the port security mac address sticky shutdown.
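To make the behaviour described in this thread concrete, here is a small model of a secure access port, added as an illustration and not code from Cisco or from anyone in the thread. It plays through the violation modes listed in the `switchport port-security violation ?` output above (protect, restrict, shutdown), the 2-MAC sticky limit from the question, and the case that actually bit the original poster: a MAC already secured on one port showing up on another secure port in the same VLAN. Port names, VLAN numbers and MAC addresses are constructed; timers, counters and the err-disabled state are simplified.

```python
# Added illustration (not Cisco code): a small model of how a Cisco-style
# secure port handles source MACs, in the three violation modes the thread
# lists (protect, restrict, shutdown). Port names, VLANs and MACs are constructed.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 2                 # "only 2 macs per port" as in the question
    violation: str = "shutdown"      # protect | restrict | shutdown
    secure_macs: list = field(default_factory=list)   # sticky-learned MACs
    err_disabled: bool = False
    violations: int = 0              # counted for restrict/shutdown only


class Switch:
    """Enforces the rule that a MAC secured on one secure port of a VLAN is a
    violation when it shows up on another secure port of that VLAN."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def owner_of(self, mac, vlan):
        """Return the secure port that already holds `mac` in `vlan`, or None."""
        for p in self.ports.values():
            if p.vlan == vlan and mac in p.secure_macs:
                return p.name
        return None

    def receive(self, port_name, mac):
        """Handle a frame from `mac` on `port_name`.
        Returns 'forward', 'drop' (protect/restrict) or 'errdisable' (shutdown)."""
        p = self.ports[port_name]
        mac = mac.lower()
        if p.err_disabled:
            return "drop"                    # port is down until 'no shut' / recovery
        if mac in p.secure_macs:
            return "forward"                 # already secured here
        if self.owner_of(mac, p.vlan) is None and len(p.secure_macs) < p.maximum:
            p.secure_macs.append(mac)        # sticky-learn a new address
            return "forward"
        # Violation: over the limit, or the MAC is 'stickied' to another port.
        if p.violation == "protect":
            return "drop"                    # silent drop: no log, no counter
        p.violations += 1                    # restrict and shutdown both count + log
        if p.violation == "restrict":
            return "drop"
        p.err_disabled = True                # shutdown mode: port goes err-disabled
        return "errdisable"


def demo():
    """Replay the thread's scenario and return each outcome for inspection."""
    sw = Switch([
        SecurePort("Fa0/1", vlan=3, violation="shutdown"),
        SecurePort("Fa0/2", vlan=3, violation="restrict"),
        SecurePort("Fa0/3", vlan=3, violation="protect"),
    ])
    phone, pc, extra = "0011.2233.4455", "0011.2233.4466", "0011.2233.4477"
    out = {}
    out["phone"] = sw.receive("Fa0/1", phone)             # forward (1 of 2 learned)
    out["pc"] = sw.receive("Fa0/1", pc)                   # forward (2 of 2 learned)
    out["third"] = sw.receive("Fa0/1", extra)             # errdisable: 3rd MAC, shutdown mode
    out["after_errdisable"] = sw.receive("Fa0/1", phone)  # drop: port is down
    out["pc_moved"] = sw.receive("Fa0/2", pc)             # drop: pc is stickied to Fa0/1
    out["restrict_count"] = sw.ports["Fa0/2"].violations  # 1: restrict counts it
    out["protect"] = sw.receive("Fa0/3", pc)              # drop, but silently
    out["protect_count"] = sw.ports["Fa0/3"].violations   # 0: protect does not count
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>16}: {v}")
```

The `pc_moved` case is the one the original poster hit: the PC's MAC is still sticky on the colleague's port, so the second port treats it as a violation even though that port has room for it. In protect mode the drop is silent, which is why an operator who wants to see these events in syslog or SNMP normally prefers restrict or shutdown.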

    eezeekial

    Right, I understand that. Since there is no port security on the switch in my office that I am plugging these PCs into, is there a workaround? Or does port security have to be disabled on the entire network?

    CG IT

    that connects the unmanaged to managed.

    The admin can still restrict traffic by making that switchport a member of its own VLAN and then denying that VLAN access to the trunk line out.

    Another way around triggering a security violation is to not have the unmanaged switch connect to the managed one. To do that, you stick in a router, but that will trigger a violation unless you clone a MAC address that's in the allowed list on the managed switch as the router's MAC address. I've found routers in the drop ceiling for this. Some tech-savvy people clone consumer-level routers with their MAC address and then stick their personal computers on the network. Needless to say, they don't work at the company anymore.

    danielm86

    Just connect to the switch via console and add a 3rd sticky MAC address to the configuration (the 3rd one that always comes and goes, because usually on switches with security enabled there are only 2 ports that have full access).

    Something like this:

    Switch(config-if-range)#switchport port-security maximum 3
    Switch(config-if-range)#switchport port-security mac-address sticky

    paul

    First, do you have any access to the config on the uplink switch? If so, you may simply configure to clear MACs upon their associated device's removal from another location. Additionally, configure the uplink switch to allow 3072 (*the maximum) MACs through the MAC of your office switch. This would fix your situation unless you are dealing with more than 3072 devices. Lastly, configure Port Security Aging... this will help to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of secure addresses on a given port.

    If you need some specific code, hit me back.

    paul

    Port Transitions to Err-Disable State Due to Port Security Violations
    A port security violation occurs when an address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
    SW1-3750#
    1d01h: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/22, putting Gi2/0/22 in err-disable state
    1d01h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0009.434b.c48c on port GigabitEthernet2/0/22.
    1d01h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/22, changed state to down
    1d01h: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/22, changed state to down
    SW1-3750#
    If you must move from one secure interface to another interface, complete these steps:
    1. Use dynamic learning for port security, and remove any static MAC address list or sticky learning configuration.
    SW1-3750(config-if)#no switchport port-security mac-address sticky
    SW1-3750(config-if)#no switchport port-security mac-address H.H.H
    !--- H.H.H is the 48 bit MAC address configured
    2. Configure port security aging.
    The aging time determines the minimum time interval required before the MAC address may appear on a different port.
    SW1-3750(config-if)#switchport port-security aging time 1
    SW1-3750(config-if)#switchport port-security aging type inactivity
    The aging type inactivity ages out the secure addresses on this port only if there is no data traffic from the secure source addresses for the specified time period.
    3. Configure err-disable state recovery from port security violation.
    SW1-3750(config)#errdisable recovery cause psecure-violation
    For more information, refer to the Configuring Port Security section of Configuring Port-Based Traffic Control.
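The syslog messages quoted above are what an operator actually has to work with when a port goes err-disabled, and the useful question is the one this thread keeps circling: is the offending MAC a known device that simply moved ports, or one the switch has never secured anywhere? The following parser is an added example, not Cisco code or code from anyone in the thread. It matches the `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` message formats shown above and tags each violation against a sticky-address inventory of the kind an operator would collect from `show port-security address`. The log lines, the inventory and all MAC addresses other than the one quoted in the post are constructed sample data.

```python
# Added illustration (not Cisco code): parse port-security syslog messages of
# the shape shown in the thread and decide, per violation, whether the offending
# MAC is a known device that moved ports (the question's case) or a MAC the
# switch has never secured anywhere. Log lines, MACs and the sticky-address
# inventory below are constructed sample data.
import re

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>[A-Za-z]+[0-9/]+)"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[A-Za-z]+[0-9/]+)"
)
LONG_TO_SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_name(port):
    """Normalise 'GigabitEthernet2/0/22' to 'Gi2/0/22' so both log forms match."""
    for long, short in LONG_TO_SHORT.items():
        if port.startswith(long):
            return short + port[len(long):]
    return port


def parse(lines):
    """Return ([(port, mac), ...], {ports that went err-disabled})."""
    violations, err_disabled = [], set()
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            violations.append((short_name(m["port"]), m["mac"].lower()))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            err_disabled.add(short_name(m["port"]))
    return violations, err_disabled


def classify(lines, sticky):
    """`sticky` maps port -> set of secure MACs, as an operator would collect
    from `show port-security address`. Each violation is tagged with where the
    MAC is currently secured, if anywhere."""
    owner = {mac.lower(): port for port, macs in sticky.items() for mac in macs}
    violations, err_disabled = parse(lines)
    report = []
    for port, mac in violations:
        home = owner.get(mac)
        kind = "unknown-mac" if home is None else f"moved-from-{home}"
        report.append({"port": port, "mac": mac, "kind": kind,
                       "err_disabled": port in err_disabled})
    return report


# Constructed sample log, in the message format quoted in the thread.
SAMPLE_LOG = [
    "1d01h: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/22, putting Gi2/0/22 in err-disable state",
    "1d01h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0009.434b.c48c on port GigabitEthernet2/0/22.",
    "1d01h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/22, changed state to down",
    "1d02h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0203.0405 on port GigabitEthernet2/0/7.",
]
# Constructed inventory: the first MAC is stickied to Gi2/0/5 (a colleague's
# office port, the situation in the question); the second MAC is secured nowhere.
SAMPLE_STICKY = {
    "Gi2/0/5": {"0009.434b.c48c", "0009.434b.aaaa"},
    "Gi2/0/7": {"0009.434b.bbbb", "0009.434b.cccc"},
}

if __name__ == "__main__":
    for event in classify(SAMPLE_LOG, SAMPLE_STICKY):
        print(event)
```

A `moved-from-<port>` result is the benign case this thread is about and is what aging (or clearing the sticky entry) resolves; an `unknown-mac` result on a port that only ever carries a phone and a PC is the one worth following up, and the `err_disabled` flag tells the operator whether the port will need a `no shut` or the `errdisable recovery` timer before it comes back.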


  • +
    0 Votes
    Apoorv182

    I understand your question you're telling that: Is it possible to attach a pc from other persons office to your own room and then connect it to the switch port which has port security for allowing only 2 macs per port. If this is your question then yes it can be possible.
    First attach your pc to the console port of your switch through the console cable for configuration.
    Here is an example of Cisco 2950T-24 switch. This can help you:
    1. To apply port security:
    Switch>en
    Switch#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)#int range fastEthernet 0/1-24
    Switch(config-if-range)#switchport port-security ?
    mac-address Secure mac address
    maximum Max secure addresses
    violation Security violation mode
    <cr>
    Switch(config-if-range)#switchport port-security maximum 2
    Switch(config-if-range)#switchport port-security mac-address sticky
    Switch(config-if-range)#switchport port-security violation ?
    protect Security violation protect mode
    restrict Security violation restrict mode
    shutdown Security violation shutdown mode
    Switch(config-if-range)#switchport port-security violation shutdown
    Switch(config-if-range)#^Z
    Switch#
    %SYS-5-CONFIG_I: Configured from console by console

    Switch#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    2. Checking the security:
    Switch#show running-config
    Building configuration...

    Current configuration : 2977 bytes
    !
    version 12.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    !
    !
    interface FastEthernet0/1
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/2
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/3
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/4
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/5
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/6
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/7
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/8
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/9
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/10
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/11
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/12
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/13
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/14
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/15
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/16
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/17
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/18
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/19
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/20
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/21
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/22
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/23
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface FastEthernet0/24
    switchport port-security maximum 2
    switchport port-security mac-address sticky
    !
    interface GigabitEthernet1/1
    !
    interface GigabitEthernet1/2
    !
    interface Vlan1
    no ip address
    shutdown
    !
    !
    line con 0
    !
    line vty 0 4
    login
    line vty 5 15
    login
    !
    !
    End
    3. Removing the port security:
    Switch(config-if-range)#no switchport port-security maximum 2
    Switch(config-if-range)#no switchport port-security mac-address sticky
    Switch(config-if-range)#no switchport port-security violation ?
    <cr>
    Switch(config-if-range)#no switchport port-security violation
    Switch(config-if-range)#^Z
    Switch#
    %SYS-5-CONFIG_I: Configured from console by console

    4. Checking the security:
    Switch#show running-config
    Building configuration...

    Current configuration : 1009 bytes
    !
    version 12.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    !
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet1/1
    !
    interface GigabitEthernet1/2
    !
    interface Vlan1
    no ip address
    shutdown
    !
    !
    line con 0
    !
    line vty 0 4
    login
    line vty 5 15
    login
    !
    !
    end
    Switch#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    Switch#

    +
    0 Votes
    eezeekial

    Thank you for the quick response! He told me that there is no port security on the switch in my office and proceded to send me this.

    interface FastEthernet0/1

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/2

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/3

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/4

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/5

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/6

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/7

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/8

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/9

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/10

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/11

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/12

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/13

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/14

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/15

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/16

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 2

    spanning-tree portfast

    !

    interface FastEthernet0/17

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 2

    spanning-tree portfast

    !

    interface FastEthernet0/18

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 2

    spanning-tree portfast

    !

    interface FastEthernet0/19

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 2

    spanning-tree portfast

    !

    interface FastEthernet0/20

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 2

    spanning-tree portfast

    !

    interface FastEthernet0/21

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 103

    spanning-tree portfast

    !

    interface FastEthernet0/22

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 2

    spanning-tree portfast

    !

    interface FastEthernet0/23

    switchport access vlan 3

    switchport mode access

    switchport voice vlan 2

    spanning-tree portfast

    !

    interface FastEthernet0/24

    switchport mode trunk

    The switch in my office is seeing that the mac is locked down on another port on a different switch that is secured.

    +
    0 Votes
    CG IT

    any mac address that connects that is not allowed on the port, triggers the security configured on the port. Can be "protect" or shutdown. Protect simply drops the packets but does not administratively shutdown the port. Shutdown shuts down the port and must be administratively enabled [no shut].

    There's no workaround if this security is enabled. Have to disable the port security mac address stickly shutdown.

    +
    0 Votes
    eezeekial

    Right, I understand that. Since there is no port security on the switch in my office that I am plugging these pc's into, is there a workaround? Or does port security have to be disabled on the entire network?

    +
    0 Votes
    CG IT

    that connects the unmanaged to managed.

    The admin can still restrict traffic by making that switchport a member of its own VLAN, then denying that VLAN access to the trunk line out.

    Another way around triggering a security violation is to not have the unmanaged switch connect to the managed one. To do that, you stick in a router, but that will trigger a violation unless you clone a MAC address that's in the allowed list on the managed switch as the router's MAC address. I've found routers in the drop ceiling for this. Some tech-savvy people clone consumer-level routers with their MAC address, then stick their personal computers on the network. Needless to say, they don't work at the company anymore.

    +
    0 Votes
    danielm86

    Just connect to the switch via console and add a third sticky MAC address to the configuration (the third one being the one that comes and goes), because usually on switches with security enabled there are only 2 ports that have full access.

    Something like this

    Switch(config-if-range)#switchport port-security maximum 3
    Switch(config-if-range)#switchport port-security mac-address sticky

    +
    0 Votes
    paul

    First, do you have any access to the config on the uplink switch? If so, you may simply configure to clear MACs upon their associated device's removal from another location. Additionally, configure the uplink switch to allow 3072 (*the maximum) MACs through the MAC of your office switch. This would fix your situation unless you are dealing with more than 3072 devices. Lastly, configure Port Security Aging... this will help to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of secure addresses on a given port.

    If you need some specific code, hit me back.
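
The behaviour described in the replies above (CG IT's protect vs shutdown violation modes, danielm86's raising the maximum, and paul's aging) can be worked through in a small model. The following Python is an added example written for this page; it is not code from any poster or from Cisco. It assumes a single VLAN, that time is counted in minutes (the unit of the IOS aging timer), that sticky and static secure addresses never age (the IOS default without "aging static"), and it uses a constructed MAC address. It reproduces the original poster's problem and then applies paul's fix:

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example modelling IOS port-security behaviour; not code from the thread.
# Assumes one VLAN, time in minutes, and that sticky/static entries never age.

@dataclass
class Entry:
    learned: int
    last_seen: int
    sticky: bool

@dataclass
class SecurePort:
    name: str
    maximum: int = 2                 # switchport port-security maximum 2
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    aging_time: int = 0              # minutes; 0 = no aging
    aging_type: str = "absolute"     # absolute | inactivity
    secure: Dict[str, Entry] = field(default_factory=dict)
    err_disabled: bool = False
    violations: int = 0

class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.log: List[str] = []

    def add_port(self, port: SecurePort) -> SecurePort:
        self.ports[port.name] = port
        return port

    def _age(self, now: int) -> None:
        for p in self.ports.values():
            for mac, e in list(p.secure.items()):
                ref = e.last_seen if p.aging_type == "inactivity" else e.learned
                if p.aging_time > 0 and not e.sticky and now - ref >= p.aging_time:
                    del p.secure[mac]

    def _secured_elsewhere(self, mac: str, port: SecurePort) -> bool:
        return any(p is not port and mac in p.secure for p in self.ports.values())

    def _violate(self, port: SecurePort, mac: str) -> str:
        if port.violation == "protect":
            return "dropped"          # silent: no counter, no syslog, port stays up
        port.violations += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                        f"occurred, caused by MAC address {mac} on port {port.name}.")
        if port.violation == "shutdown":
            port.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected "
                            f"on {port.name}, putting {port.name} in err-disable state")
        return "dropped"

    def receive(self, port_name: str, mac: str, now: int) -> str:
        """A frame with source MAC `mac` arrives on `port_name` at minute `now`."""
        self._age(now)
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped"
        if mac in port.secure:
            port.secure[mac].last_seen = now
            return "forwarded"
        # Secured on another port, or this port already holds its maximum: violation.
        if self._secured_elsewhere(mac, port) or len(port.secure) >= port.maximum:
            return self._violate(port, mac)
        port.secure[mac] = Entry(now, now, port.sticky)
        return "forwarded"

    def no_sticky(self, port_name: str) -> None:
        """'no switchport port-security mac-address sticky': entries become dynamic."""
        p = self.ports[port_name]
        p.sticky = False
        p.secure = {m: Entry(e.learned, e.last_seen, False) for m, e in p.secure.items()}

    def no_shutdown(self, port_name: str) -> None:
        """shut / no shut (or errdisable recovery): port returns, dynamic entries flush."""
        p = self.ports[port_name]
        p.err_disabled = False
        p.secure = {m: e for m, e in p.secure.items() if e.sticky}

def thread_scenario() -> List[str]:
    """The poster's problem, then the fix from the replies above."""
    sw = Switch()
    office = sw.add_port(SecurePort("Fa0/5", sticky=True))    # user's desk port
    sw.add_port(SecurePort("Fa0/17", sticky=True))            # bench switch uplink
    pc = "0009.434b.c48c"                                     # constructed MAC
    results = [sw.receive("Fa0/5", pc, 0)]                    # stickied on Fa0/5
    results.append(sw.receive("Fa0/17", pc, 10))              # moved: Fa0/17 err-disables
    sw.no_sticky("Fa0/5")                                     # make the entry dynamic...
    office.aging_time, office.aging_type = 1, "inactivity"    # ...and let it age out
    sw.no_shutdown("Fa0/17")
    results.append(sw.receive("Fa0/17", pc, 12))              # gone from Fa0/5, learned here
    return results

if __name__ == "__main__":
    print(thread_scenario())   # ['forwarded', 'dropped', 'forwarded']
```

Running it gives forwarded, dropped, forwarded: the PC stickied on Fa0/5 is rejected on Fa0/17 (and, in shutdown mode, err-disables that port) until its Fa0/5 entry is made dynamic and ages out by inactivity. Note that "protect" produces no counter and no syslog line at all, so if you want to see violations happen, "restrict" is the mode to use.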

    +
    0 Votes
    paul

    Port Transitions to Err-Disable State Due to Port Security Violations
    A port security violation occurs when an address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
    SW1-3750#
    1d01h: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/22,
    putting Gi2/0/22 in err-disable state
    1d01h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
    caused by MAC address 0009.434b.c48c on port GigabitEthernet2/0/22.
    1d01h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/22,
    changed state to down
    1d01h: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/22,
    changed state to down
    SW1-3750#
    If you must move from one secure interface to another interface, complete these steps:
    1. Use dynamic learning for port security, and remove any static MAC address list or sticky learning configuration.
    SW1-3750(config-if)#no switchport port-security mac-address sticky
    SW1-3750(config-if)#no switchport port-security mac-address H.H.H
    !--- H.H.H is the 48-bit MAC address configured
    2. Configure port security aging.
    The aging time determines the minimum time interval required before the MAC address may appear on a different port.
    SW1-3750(config-if)#switchport port-security aging time 1
    SW1-3750(config-if)#switchport port-security aging type inactivity
    The aging type inactivity ages out the secure addresses on this port only if there is no data traffic from the secure source addresses for the specified time period.
    3. Configure err-disable state recovery from port security violation.
    SW1-3750(config)#errdisable recovery cause psecure-violation
    For more information, refer to the Configuring Port Security section of Configuring Port-Based Traffic Control.
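
The syslog lines quoted above are what an operator actually has to work from, so here is a parser for them. This is an added example for this page, not anything posted in the thread or published by Cisco. The log it runs over is constructed to mirror the quoted output (same message formats, the same console-wrapped lines, made-up uptimes and MAC addresses). It re-joins wrapped messages, normalises the two interface spellings (Gi2/0/22 vs GigabitEthernet2/0/22), counts violations per port, lists err-disabled ports, and flags a MAC rejected on more than one port (a device being moved around, or a cloned address like the router trick CG IT mentions) as well as a MAC repeatedly hitting the same port:

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Added example, not from the thread or Cisco. Constructed log modelled on the
# quoted IOS output: console-wrapped lines, made-up uptimes and MAC addresses.
SAMPLE_LOG = """\
1d01h: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/22,
putting Gi2/0/22 in err-disable state
1d01h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0009.434b.c48c on port GigabitEthernet2/0/22.
1d01h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/22,
changed state to down
1d02h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0009.434b.c48c on port GigabitEthernet2/0/23.
1d02h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0011.2233.4455 on port GigabitEthernet2/0/23.
1d03h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 0011.2233.4455 on port GigabitEthernet2/0/23.
"""

PREFIX = re.compile(r"^\S+: %")          # "<uptime>: %FACILITY-..." starts a message
VIOLATION = re.compile(
    r"^(\S+): %PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$")
ERRDIS = re.compile(r"^(\S+): %PM-4-ERR_DISABLE: psecure-violation error detected on (\S+?),")

class Violation(NamedTuple):
    stamp: str
    port: str
    mac: str

def short_ifname(name: str) -> str:
    """GigabitEthernet2/0/22 -> Gi2/0/22, so both message types key on one port name."""
    m = re.match(r"^([A-Za-z-]+?)(\d.*)$", name)
    return m.group(1)[:2] + m.group(2) if m else name

def join_wrapped(text: str) -> List[str]:
    """Re-join messages that the console wrapped onto continuation lines."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PREFIX.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def parse(text: str) -> Tuple[List[Violation], List[str]]:
    violations: List[Violation] = []
    err_disabled: List[str] = []
    for line in join_wrapped(text):
        v, e = VIOLATION.match(line), ERRDIS.match(line)
        if v:
            violations.append(Violation(v.group(1), short_ifname(v.group(3)), v.group(2)))
        elif e:
            err_disabled.append(short_ifname(e.group(2)))
    return violations, err_disabled

def report(text: str) -> Dict[str, object]:
    violations, err_disabled = parse(text)
    per_port: Dict[str, int] = defaultdict(int)
    ports_by_mac: Dict[str, Set[str]] = defaultdict(set)
    hits: Dict[Tuple[str, str], int] = defaultdict(int)
    for v in violations:
        per_port[v.port] += 1
        ports_by_mac[v.mac].add(v.port)
        hits[(v.mac, v.port)] += 1
    return {
        "violations_per_port": dict(per_port),
        "err_disabled_ports": sorted(set(err_disabled)),
        # one MAC rejected on several ports: a device being moved, or a cloned address
        "roaming_macs": sorted(m for m, ps in ports_by_mac.items() if len(ps) > 1),
        # the same MAC hitting the same port again and again
        "repeat_offenders": sorted(k for k, n in hits.items() if n >= 2),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports one violation and an err-disable on Gi2/0/22, three violations on Gi2/0/23, 0009.434b.c48c as the roaming MAC (it was rejected on both ports) and 0011.2233.4455 on Gi2/0/23 as the repeat offender. Feed it real "show logging" output or a syslog export and the same two lists are the ones worth triaging first.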
