10-15-2004 12:46 AM - edited 03-02-2019 07:17 PM
Hi there,
I'm attempting to configure port security on 2950 with following commands:
switchport port-security
switchport port-security violation shutdown
switchport port-security aging time 1440
switchport port-security aging type inactivity
Expected behaviour is that I can plug in a node and its MAC address will be learned. If I then unplug the node the MAC address will be aged out in 24 hours. If I plug in a different node within 24 hours the port will be shut down.
The configuration is not working in accordance with the expectation above. If I run the command "show port-security address" whilst node one is plugged in it will show that node's MAC address, but as soon as the node is unplugged "show port-security address" shows no MAC address against the port, allowing another node to be plugged in without shutting the port down.
Given that I want to shut the port down if a "rogue" device is plugged into it, what am I doing wrong? NB. The requirement is for the first MAC address to be learned, and aged out after 24 hours of inactivity.
Labels: Other Networking
10-15-2004 01:16 AM
Hi,
You need to add the command:
Switch(config-if)# switchport port-security mac-address sticky
Also, instead of applying aging type as "inactivity", set it to "absolute".
This is what they mean:
- Absolute: The secure addresses on the port are deleted after the specified aging time.
- Inactivity: The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.
For more info on port security:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1038552
regards
aashish C
10-15-2004 01:38 AM
This hasn't worked for me previously, but I'm trying it again anyway...
I have turned on "switchport port-security mac-address sticky", set my aging type to absolute and set my aging time to 1 minute... The sticky MAC address is still shown against the port after more than 5 minutes...
10-15-2004 01:57 AM
hi,
In port security, if you want the port to learn the address dynamically, then as soon as you unplug that device from the port the MAC address will be removed and you can plug in any other device and it will work.
But if you want the dynamically learned MAC address to remain after the device has been unplugged from the port, then you have to enable the "sticky" command, which will bind that MAC address to that port even after the device is removed. If you save these sticky MAC addresses, then the next time the switch is rebooted the ports don't need to relearn these addresses.
hope this helps
regards
nikhil
10-15-2004 04:16 AM
I have sticky addresses working, and I'm not too concerned about them being persistent after a reboot - I'm more interested in them aging.
So I want unplugging node one and replugging node one to work, and unplugging node one and plugging in node _two_ to shutdown the port.
I also want to be able to unplug node one, leave the port unused for one day and then plug in node two and have that work without administrator intervention...
10-18-2004 05:22 PM
Perhaps you would also want to configure this:
switchport port-security max-mac-count 1 in addition to the 'sticky' command.
Therefore, the first node that you plug in will be learned. Upon detecting another MAC from the second node, the port will shut down, since only one MAC (the first node's) can be learned by the port. The port will then be in err-disable state.
10-18-2004 11:49 PM
I believe this is actually the default - not sure - my biggest problem currently is that the sticky MAC address isn't being aged out...
10-19-2004 11:15 PM
Hi,
The switch does not support port security aging of sticky secure MAC addresses. Please refer to the URL below.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12113ea1/2950scg/swtrafc.htm
Regards,
nikhil
10-20-2004 12:01 AM
This seems fairly definitive!
Thanks for the reply...
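The two interface configurations the thread contrasts, written out as an added example (not posted by anyone in the thread). It assumes interface FastEthernet0/1 on a Catalyst 2950 running the 12.1 EA software the replies link to, and uses the 2950 IOS keyword `maximum` for the per-port address limit (the default is 1, as the original poster suspected):

```cisco
! Configuration from the question. The dynamically learned address is
! dropped the moment the link goes down, so aging never gets a chance
! to apply and the next device plugged in is simply learned instead.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security aging time 1440
 switchport port-security aging type inactivity
!
! Configuration the replies converge on. The first learned address is
! made sticky so it survives link down and is written to the running
! config; a second address then trips the violation and the port goes
! err-disabled.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Verification after the first node has been connected and unplugged:
! the learned address should still be listed against the port.
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show running-config interface FastEthernet0/1
```

Per the accepted answer, sticky addresses do not age on this switch, so the second configuration meets the "shut down on a different MAC" requirement but not the 24-hour automatic release: the sticky entry persists until an administrator removes it.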
