Troubleshooting
Port Security
Verifying Port Security
Verify Port Security configuration
S1# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            0                  0         Shutdown
      Fa0/6              1            0                  0         Shutdown
      Fa0/7              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 4096
S1#
Port Security Diagnosis
Show current Port Security settings for a particular Switch Port.
S1# show port-security interface f0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
S1#
Port Security Binding Diagnosis
Show current Port Security Address Bindings for a particular Switch Port.
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports    Remaining Age
                                                          (mins)
----    -----------       ----                -----    -------------
   1    aaaa.cafe.1832    SecureConfigured    Fa0/1         -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
S1#
Learned MAC Addresses verification
Verifying that MAC addresses are “sticking” to the config
S1# show run | begin interface FastEthernet0/5
interface FastEthernet0/5
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0022.42b4.3e12
(output omitted)
S1#
DHCP Snooping
Verifying DHCP Snooping
S1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
3,5-9
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/1            yes        unlimited
FastEthernet0/2            yes        unlimited
FastEthernet0/3            no         1
FastEthernet0/4            no         1
(output omitted)
FastEthernet0/24           no         1
S1#
Verify DHCP Snooping Bindings
Verifying DHCP Snooping Bindings
S1# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:05:32:C3:9F:AD   192.168.1.11     224255      dhcp-snooping  3     FastEthernet0/5
Diagnosing Dynamic ARP Inspection (DAI)
Verifying current DAI status
Validating DAI status
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#
Diagnosing PortFast
Verifying if PortFast is enabled globally
S1# show running-config | begin span
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
!
(output omitted)
S1#
[NOTE] You can also use the “show spanning-tree summary” command
Verifying if PortFast is on an interface
Verifying if PortFast is enabled on an interface
S1# show spanning-tree interface fastEthernet 0/3
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
VLAN0001         Desg FWD 19        128.3    P2p
S1#
Diagnosing BPDU Guard
Verifying if BPDU Guard is enabled globally
S1# show running-config | begin bpdu
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
interface FastEthernet0/1
 ip dhcp snooping trust
!
interface FastEthernet0/2
 ip dhcp snooping trust
!
interface FastEthernet0/3
 ip dhcp snooping limit rate 1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
(output omitted)
S1#
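Added example (not part of the original page): a short Python audit that reads a saved running-config and lists, for each untrusted access port, which of the controls verified above are missing. The policy (every untrusted access port needs port security, PortFast, BPDU Guard and a DHCP snooping rate limit) and the names parse_config and audit are assumptions of this example; it matches only the command spellings shown on this page.

```python
SAMPLE = """spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 ip dhcp snooping trust
!
interface FastEthernet0/3
 ip dhcp snooping limit rate 1
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
"""  # constructed sample, shaped like the running-config excerpts on this page

def parse_config(text):
    """Return (global commands, {interface: commands}) as sets of lines."""
    glob, ifaces = set(), {}
    cur = glob
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], set())
        elif raw[:1].isspace():
            cur.add(line)  # indented sub-command of the current block
        else:
            cur = glob     # "!" or any unindented line closes the block
            glob.add(line)
    return glob, ifaces

def audit(text):
    """Return {port: [missing controls]} for untrusted access ports."""
    glob, ifaces = parse_config(text)
    findings = {}
    for name, cfg in ifaces.items():
        if "switchport mode access" not in cfg or "ip dhcp snooping trust" in cfg:
            continue  # assumed policy: audit host-facing, untrusted ports only
        pf = "spanning-tree portfast" in cfg or "spanning-tree portfast default" in glob
        # The global bpduguard default only covers ports that are running PortFast.
        bg = "spanning-tree bpduguard enable" in cfg or (
            pf and "spanning-tree portfast bpduguard default" in glob)
        rate = any(c.startswith("ip dhcp snooping limit rate") for c in cfg)
        checks = {"port-security": "switchport port-security" in cfg, "portfast": pf,
                  "bpduguard": bg, "dhcp snooping rate limit": rate}
        findings[name] = [k for k, ok in checks.items() if not ok]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, Fa0/4 is reported as lacking BPDU Guard even though the global bpduguard default is set, because that default only applies to ports running PortFast.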