I have noticed something strange when I configure port-security on my "SWITCH1". When I configure a sticky MAC address everything seems to work as it should, i.e. when I plug another device into the port I cannot get a connection, but when I do a show port-security for the interface it says "Port status : SecureUp" and the violation count does not increment. Also, when I unplug a cable I still see "Port status : SecureUp", which is contrary to what I see on my other switch and what I would expect. One thing I have noticed is that it seems I deleted the entire contents of the MAC address table at some point, as I am seeing no CPU entries, whereas on my other identical switch (2950) I see the entries listed below in the MAC table (see both SWITCH1 & SWITCH2). Could this be causing the problem and, if so, how do I get them back? Also, out of curiosity, what are they used for?
I have tried to enter the values manually but IOS doesn't allow it. I have also wiped the switch and copied over a backed-up startup-config and vlan.dat, but the MAC entries are still missing. Maybe this is not the cause of the port-security problem, so any suggestions on both problems would be appreciated.
TIA, Jason
SWITCH1#show mac-address-table
          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0004.274c.9ca0    DYNAMIC     Fa0/1
   1    0040.63d8.ba0a    STATIC      Fa0/12
   1    0040.63d8.bab8    DYNAMIC     Fa0/4
  10    0004.274c.9ca0    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 4
SWITCH2#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    000d.28f3.1680    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    0004.274c.9ca0    DYNAMIC     Fa0/1
   1    000a.f4cb.dcc2    DYNAMIC     Fa0/1
   1    0040.63d8.ba0a    STATIC      Fa0/11
   1    0040.63d8.bab8    DYNAMIC     Fa0/1
   2    000a.f4cb.dcc2    DYNAMIC     Fa0/1
   3    000a.f4cb.dcc2    DYNAMIC     Fa0/1
  10    000a.f4cb.dcc2    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 11
SWITCH1#show version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-Aug-02 10:25 by antonino
Image text-base: 0x80010000, data-base: 0x80528000

ROM: Bootstrap program is CALHOUN boot loader

SWITCH1 uptime is 18 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin"

cisco WS-C2950-12 (RC32300) processor (revision G0) with 20402K bytes of memory.
Processor board ID FOC0638Y10G
Last reset from system-reset
Running Standard Image
12 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0A:F4:CB:DC:C0
Motherboard assembly number: 73-5782-11
Power supply part number: 34-0965-01
Motherboard serial number: FOC06380C9A
Power supply serial number: PHI06350618
Model revision number: G0
Motherboard revision number: A0
Model number: WS-C2950-12
System serial number: FOC0638Y10G
Configuration register is 0xF
hostname SWITCH1
!
enable secret 5 <removed>
enable password 7 <removed>
!
username Jason password 7 <removed>
clock timezone GMT 0
ip subnet-zero
no ip domain-lookup
ip host groucho 192.168.1.100
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 description LINK TO GROUCHO
 switchport mode trunk
 no ip address
 duplex full
 speed 10
!
interface FastEthernet0/2
 description LINK TO SWITCH2
 switchport mode trunk
 no ip address
!
interface FastEthernet0/3
 description LINK TO SWITCH2
 switchport mode trunk
 no ip address
!
interface FastEthernet0/4
 description LINK TO MY PC
 switchport mode access
 no ip address
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 no ip address
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 no ip address
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 no ip address
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 no ip address
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 no ip address
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 no ip address
!
interface FastEthernet0/11
 switchport mode access
 no ip address
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0040.63d8.ba0a
 no ip address
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.100
ip http server
!
!
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 exec-timeout 0 0
 password 7 <removed>
 login local
line vty 5 15
 exec-timeout 0 0
 password 7 <removed>
 login local
!
end
SWITCH1#show mac
SWITCH1#show mac-
SWITCH1#show mac-address-table
          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0004.274c.9ca0    DYNAMIC     Fa0/1
   1    0040.63d8.ba0a    STATIC      Fa0/12
   1    0040.63d8.bab8    DYNAMIC     Fa0/4
  10    0004.274c.9ca0    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 4

SWITCH1#show port
SWITCH1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024

SWITCH1#show port
SWITCH1#show port-security interf
SWITCH1#show port-security interface fa0/12
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0
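The comparison the post does by eye can be scripted. The following is an added example (not part of the post, and not Cisco's own tooling) in Python: it parses the two "show mac-address-table" listings above, reports which STATIC/CPU entries SWITCH2 has that SWITCH1 lacks, and separates the Cisco-reserved protocol multicast addresses (0100.0ccc.cccc, 0100.0ccc.cccd, 0100.0cdd.dddd) from switch-specific unicast ones, which are expected to differ between two switches. It also parses the "show port-security interface" output and reports whether the secure-address table of the port is full, the state in which any additional source MAC is a violation. The sample text, the function names and the KNOWN_CISCO_MULTICAST table are constructed for this example.

```python
import re
from collections import namedtuple

# Constructed copies of the two listings in the post, one entry per line.
SWITCH1_MAC_TABLE = """\
          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0004.274c.9ca0    DYNAMIC     Fa0/1
   1    0040.63d8.ba0a    STATIC      Fa0/12
   1    0040.63d8.bab8    DYNAMIC     Fa0/4
  10    0004.274c.9ca0    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 4
"""

SWITCH2_MAC_TABLE = """\
 All    000d.28f3.1680    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    0004.274c.9ca0    DYNAMIC     Fa0/1
   1    000a.f4cb.dcc2    DYNAMIC     Fa0/1
   1    0040.63d8.ba0a    STATIC      Fa0/11
   1    0040.63d8.bab8    DYNAMIC     Fa0/1
   2    000a.f4cb.dcc2    DYNAMIC     Fa0/1
   3    000a.f4cb.dcc2    DYNAMIC     Fa0/1
  10    000a.f4cb.dcc2    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 11
"""

# Constructed copy of the post's 'show port-security interface fa0/12' output.
PORT_SEC_FA0_12 = """\
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
SecureStatic address aging : Disabled
Security Violation count : 0
"""

# Cisco-reserved multicast addresses that IOS keeps as STATIC/CPU entries so
# that frames sent to them are delivered to the switch CPU.
KNOWN_CISCO_MULTICAST = {
    "0100.0ccc.cccc": "CDP / VTP / DTP / PAgP / UDLD",
    "0100.0ccc.cccd": "PVST+ BPDUs",
    "0100.0cdd.dddd": "CGMP",
}

MacEntry = namedtuple("MacEntry", "vlan mac kind ports")

MAC_ROW = re.compile(
    r"^\s*(?P<vlan>All|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<kind>\S+)\s+(?P<ports>\S+)\s*$"
)

def parse_mac_table(text):
    """Return the data rows of 'show mac-address-table'; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append(MacEntry(m["vlan"], m["mac"].lower(), m["kind"].upper(), m["ports"]))
    return rows

def cpu_entries(entries):
    """MAC addresses the switch holds as STATIC entries pointing at CPU."""
    return {e.mac for e in entries if e.kind == "STATIC" and e.ports.upper() == "CPU"}

def is_multicast(mac):
    """The I/G bit is the least significant bit of the first octet."""
    return int(mac[:2], 16) & 1 == 1

def compare_cpu_entries(reference_text, candidate_text):
    """CPU entries on the reference switch that the candidate lacks, by address type."""
    missing = cpu_entries(parse_mac_table(reference_text)) - cpu_entries(parse_mac_table(candidate_text))
    return {
        "missing_multicast": sorted(m for m in missing if is_multicast(m)),
        "missing_unicast": sorted(m for m in missing if not is_multicast(m)),
    }

FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>.*?)\s*$")

def parse_port_security(text):
    """Turn the 'key : value' lines of 'show port-security interface' into a dict."""
    return {m["key"]: m["val"] for m in (FIELD.match(l) for l in text.splitlines()) if m}

def at_capacity(fields):
    """True when the port's secure-address table is full."""
    return int(fields["Total MAC Addresses"]) >= int(fields["Maximum MAC Addresses"])
```

Running compare_cpu_entries(SWITCH2_MAC_TABLE, SWITCH1_MAC_TABLE) puts the three reserved multicast addresses under missing_multicast and 000d.28f3.1680 (a unicast address, so specific to SWITCH2) under missing_unicast; at_capacity(parse_port_security(PORT_SEC_FA0_12)) is True for Fa0/12, matching the 1-of-1 shown in the post.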