Port Security Losing Dynamic MAC Addresses When Port Disconnected

ceri.jones
Level 1

Hi there,

I'm attempting to configure port security on a 2950 with the following commands:

switchport port-security

switchport port-security violation shutdown

switchport port-security aging time 1440

switchport port-security aging type inactivity

Expected behaviour is that I can plug in a node and its MAC address will be learned. If I then unplug the node the MAC address will be aged out in 24 hours. If I plug in a different node within 24 hours the port will be shut down.

The configuration is not working in accordance with the expectation above. If I run the command "show port-security addresses" whilst node one is plugged in, it will show that node's MAC address, but as soon as the node is unplugged "show port-security addresses" shows no MAC address against the port, allowing another node to be plugged in without shutting the port down.

Given that I want to shut the port down if a "rogue" device is plugged into it, what am I doing wrong? NB. The requirement is for the first MAC address to be learned, and aged out after 24 hours of inactivity.


8 Replies

aashish.c
Level 4

Hi,

You need to add the command :

Switch(config-if)# switchport port-security mac-address sticky

Also, instead of applying aging type as "inactivity", set it to "absolute".

This is what they mean :

Absolute: the secure addresses on the port are deleted after the specified aging time.

Inactivity: the secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

For more info on port security:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1038552

regards

aashish C

This hasn't worked for me previously, but I'm trying it again anyway...

I have turned on "switchport port-security mac-address sticky", set my aging type to absolute and set my aging time to 1 minute... The sticky MAC address is still shown against the port after more than 5 minutes...

nikhilgupta
Level 1

hi,

In port security, if you want the port to learn the address dynamically, then as soon as you unplug that device from the port the MAC address will be removed, and you can plug in any other device and it will work.

But if you want the dynamically learned MAC address to remain after the device has been unplugged from the port, then you have to enable the "sticky" command, which will bind that MAC address to that port even after the device is removed. If you save these sticky MAC addresses, then the next time the switch is rebooted the ports don't need to relearn these addresses.

hope this helps

regards

nikhil

I have sticky addresses working, and I'm not too concerned about them being persistent after a reboot - I'm more interested in them aging.

So I want unplugging node one and replugging node one to work, and unplugging node one and plugging in node _two_ to shutdown the port.

I also want to be able to unplug node one, leave the port unused for one day and then plug in node two and have that work without administrator intervention...

nsuresh81
Level 1

Perhaps you would also want to configure this:

switchport port-security max-mac-count 1 in addition to the 'sticky' command.

Therefore, the first node that you plug in will be learned. Upon detecting the MAC of a second node, the port will shut down, since only one MAC (the first node's) can be learned by the port. The port will then be in err-disabled state.

I believe this is actually the default - not sure - my biggest problem currently is that the sticky MAC address isn't being aged out...

Hi,

The switch does not support port security aging of sticky secure MAC addresses. Please refer to the URL below.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12113ea1/2950scg/swtrafc.htm

Regards,

nikhil

This seems fairly definitive!

Thanks for the reply...
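Pulling the thread together, here is an added example (not posted by anyone in the thread, and not taken from the Cisco document linked above) of the interface configuration the replies converge on, together with the show and clear commands used to verify and release it. The interface name FastEthernet0/1 and the errdisable recovery interval are assumptions, and command availability varies by 2950 IOS release. The caveat the accepted answer establishes still applies: on the 2950 the aging commands act on dynamic secure addresses only, so a sticky entry stays bound to the port until an administrator clears it.

```ios
! Added example, not from the original thread. Interface name is assumed.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 ! Only one secure MAC per port: a second MAC triggers the violation action.
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Keep the learned MAC across link down/up (and across reloads if saved).
 switchport port-security mac-address sticky
 ! Aging applies to dynamic secure addresses only; on the 2950 sticky
 ! addresses are NOT aged, so these two lines do not release a sticky entry.
 switchport port-security aging time 1440
 switchport port-security aging type absolute
!
! Optional: let a port err-disabled by a violation recover by itself
! instead of needing "shutdown" / "no shutdown" from an administrator.
! The 300-second interval is an assumed value.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (exec mode):
! show port-security interface FastEthernet0/1
!     -> port status, violation mode, aging settings, sticky address count
! show port-security address
!     -> secure MACs with their type (SecureSticky vs SecureDynamic)
! show interfaces status err-disabled
!     -> ports shut down by a violation
!
! Releasing the port to a new device, since sticky entries never age here
! (exec mode; available on 2950 releases that support clearing sticky entries):
! clear port-security sticky interface FastEthernet0/1
! Afterwards check the running-config for a learned
! "switchport port-security mac-address sticky <mac>" line and remove it
! with its "no" form if it is still present.
```

Reading the configuration against the thread: without the sticky line, the dynamic entry is dropped on link down and a different node is accepted, which is exactly what the original poster observed; with the sticky line, the first MAC is retained and a second node err-disables the port, but the 24-hour automatic release the poster wanted is not available on this platform.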