Troubleshoot Port Security

Exam: 642-832 - Troubleshooting and Maintaining Cisco IP Networks (TSHOOT v1.0)

Port security is used for layer 2 security. It restricts the specific MAC address(es) that are allowed on a particular switch port. It can also restrict the maximum number of MAC addresses allowed on a switch port.

The most important command for troubleshooting port security is "show port-security interface [Int number]". The output of the command looks like the following:

Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 001b.d41b.a4d8:10
Security Violation Count : 0

  1. If a port security violation is present on a port, you will see the "Port Status" as "Secure-Down". In this situation, note the "Last Source Address" field and make sure that this MAC address is one of the addresses allowed on the port.
  2. The "Maximum MAC Addresses" field indicates the maximum number of MAC addresses allowed on the port. If a switch port is used to connect multiple devices, make sure that the maximum number of addresses allowed on the port is adjusted accordingly.
  3. If the "auto recovery" feature is not enabled and a port security violation occurs, the port is disabled and put into the "err-disabled" state. After fixing the port security problem, the port must be "shutdown" and then "no shutdown" to release it from the err-disabled state. The alternative is to enable auto recovery with the "errdisable recovery cause psecure-violation" command, which will try to re-enable the port after a specific time period.
  4. Note that port security actually stores a static MAC entry in the address table. A tricky situation can occur if you move a PC from a secured port to another port on the same switch. In that case, the new port will always complain of a port security violation, because a single MAC address may be learned from only one port of a switch, so the switch will trigger a violation whenever the PC's MAC is learned on the new port. To fix this problem, make sure that you remove the port security commands from the old switch port.
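The four checks above can be applied mechanically to the output of "show port-security interface". The following is an added example (not from the original article or from Cisco): it parses a constructed sample in the same "Field : Value" format and reports findings for each check. It assumes that a port that shutdown mode has err-disabled reports a "Port Status" of "Secure-shutdown", and that the caller supplies the MACs allowed on the port, the number of hosts expected behind it, and a map of MACs already secured on other ports of the same switch (for check 4).

```python
# Constructed sample in the format of the show output above (not the page's own capture).
SAMPLE = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0011.2233.4455:10
Security Violation Count : 3
"""

def parse_port_security(text):
    """Split each 'Field : Value' line of the show output into a dict."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields

def triage(fields, allowed_macs, expected_hosts=1, secured_elsewhere=None):
    """Run checks 1-4 from the list above against one port's parsed output.
    secured_elsewhere maps MAC -> port for MACs already secured on other ports
    of the same switch; returns a list of findings (empty means nothing found)."""
    allowed = {m.lower() for m in allowed_macs}
    elsewhere = {m.lower(): p for m, p in (secured_elsewhere or {}).items()}
    findings = []
    status = fields.get("Port Status", "").lower()
    last_mac = fields.get("Last Source Address:Vlan", "").split(":")[0].lower()
    violations = int(fields.get("Security Violation Count", "0"))
    if status != "secure-up" or violations:
        # Check 1: the port has tripped; is the last source MAC one we allow?
        if last_mac and last_mac not in allowed:
            findings.append(f"violation: last source {last_mac} is not an allowed MAC")
        # Check 4: the same MAC is still secured on another port of this switch.
        if last_mac in elsewhere:
            findings.append(f"{last_mac} still secured on {elsewhere[last_mac]}; "
                            "remove port security from that port first")
    # Check 2: the maximum must cover every host expected behind the port.
    maximum = int(fields.get("Maximum MAC Addresses", "0"))
    if maximum < expected_hosts:
        findings.append(f"maximum {maximum} is below the {expected_hosts} hosts expected")
    # Check 3: shutdown mode leaves the port err-disabled until shut/no shut or recovery.
    if status == "secure-shutdown":
        findings.append("port err-disabled: shut/no shut it, or configure "
                        "'errdisable recovery cause psecure-violation'")
    return findings
```

Calling triage(parse_port_security(SAMPLE), ["001b.d41b.a4d8"], 1, {"0011.2233.4455": "Fa0/2"}) reports the unknown MAC, the stale entry on Fa0/2, and the err-disabled state.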
