network cisco ccna gns3 certification arteq
a network runs through it

Monday, December 26, 2011

port-sex violation...

port security can be a little funky...  when a port is put into errdisabled state because of a violation and the violation mode is set to shutdown, the port stays shut down...  a plain no shut does not bring it back...

sw2950_02(config)#sw port-sex
                                              ^
% Invalid input detected at '^' marker.
sw2950_02(config)#
sw2950_02(config-if)#sw port-sec
sw2950_02(config-if)#sw port-sec mac-add aaaa.bbbb.cccc
sw2950_02(config-if)#sw port-sec vio shut
sw2950_02(config-if)#end

so i plugged a device into it whose mac address was obviously not aaaa.bbbb.cccc...

sw2950_02#sh port-sec
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/8              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
sw2950_02#sh port-sec int fa0/8
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

sw2950_02#sh int fa0/8
FastEthernet0/8 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0009.b73f.ce88 (bia 0009.b73f.ce88)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255

then i tried no shut...

sw2950_02(config-if)#no shit
                                        ^
% Invalid input detected at '^' marker.
sw2950_02(config-if)#no shut
sw2950_02(config-if)#do sh int fa0/8
FastEthernet0/8 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0009.b73f.ce88 (bia 0009.b73f.ce88)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255

that won't get it...

sw2950_02(config)#errd recover cause security-violation
sw2950_02(config)#errd recover interval 30
sw2950_02(config)#end

even after setting the recovery interval lower, you have to wait for it to expire...
then...

sw2950_02#
3d10h: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/8

sw2950_02#sh int fa0/8
FastEthernet0/8 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0009.b73f.ce88 (bia 0009.b73f.ce88)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

it's no longer error disabled, and once again usable after removing the port-security config from the interface... port security, yuck... lock up your switches...

typing shut, then no shut, in interface configuration mode will also bring the errdisabled port back... go figure that one...
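an added example (not from the blog or the switch): a small python checker that parses "sh port-sec int" and "sh int" output, flags a port that port security has left in err-disable, lists the two remedies described above (plain no shut is deliberately not one of them), and pulls the cause and interface out of the %PM-4-ERR_RECOVER syslog line... the sample output is constructed to match the 2950 session, not captured from the author's switch...

```python
import re

# Constructed sample output, modelled on the 2950 session in the post (not a real capture).
SAMPLE_PORT_SEC = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Security Violation Count   : 0
"""
SAMPLE_SHOW_INT = "FastEthernet0/8 is down, line protocol is down (err-disabled)"
SAMPLE_SYSLOG = ("3d10h: %PM-4-ERR_RECOVER: Attempting to recover from "
                 "psecure-violation err-disable state on Fa0/8")

# First line of 'show interfaces': name, link state, protocol state, optional reason in parens.
STATUS_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)(?: \(([^)]*)\))?")
# The errdisable recovery syslog message: cause keyword, then the interface.
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from (\S+) "
                        r"err-disable state on (\S+)")


def parse_port_sec(text):
    """Turn the 'Key : Value' lines of 'show port-security interface' into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def assess(port_sec_text, show_int_line):
    """Report whether port security has left the port in err-disable, and what clears it."""
    sec = parse_port_sec(port_sec_text)
    m = STATUS_RE.match(show_int_line)
    reason = m.group(4) if m else None
    stuck = (reason == "err-disabled"
             and sec.get("Port Security") == "Enabled"
             and sec.get("Port Status") == "Secure-down"
             and sec.get("Violation Mode") == "Shutdown")
    remedies = []
    if stuck:  # the two things the post found to work; a lone 'no shut' does nothing
        remedies = ["global: errdisable recovery cause security-violation (then wait for the interval)",
                    "interface: shutdown, then no shutdown"]
    return {"interface": m.group(1) if m else None,
            "stuck_by_port_security": stuck, "remedies": remedies}


def parse_recovery_event(syslog_line):
    """Extract cause and interface from a %PM-4-ERR_RECOVER message, or None if absent."""
    m = RECOVER_RE.search(syslog_line)
    return {"cause": m.group(1), "interface": m.group(2)} if m else None
```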
