cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
812
Views
0
Helpful
7
Replies

Catalyst IOS command to errDisable a port if linkdown?

Preston Kilburn
Level 1
Level 1

We are going over some 802.1x weaknesses.  One of them is that an ATA is MAB'd (Mac Authentication Bypassed).  So with the MAB implemented, it would be pretty easy for someone to come up to the floor switches and plug in with a spoofed ATA MAC address and get access. 

So our currently existing triage for this condition prior to going to ISE (Identity Services Engine) is to do the following:

port security mac-address xxxx.yyyy.zzzz

However, is there a way to drop a port out of service in an err-disable mode if it loses it's link?  Meaning - the ATA's are in a shared common area.  If someone comes up and gets onto an ATA I want the switch to go "Oh, you dropped the link - you're done here".                  

7 Replies 7

Hi,

errdisable detect cause link-flap

Regards,

Smitesh

PS: Please rate helpful posts

Is that a global command or can it be applied to a single gigport? 

Meaning - can one put that on gig1/0/1 and not affect other ports?

Hi,

Global command.

Regards,

Smitesh

If it's a global command is there a way to drop the flap count from 5 (the default) to 1 on an individual port basis?

Hi Preston,

You can have flap value and can specify time as well, Use

errdisable flap-setting cause link-flap max-flaps 2 time 15

Regards,

Smitesh

PS: Please rate helpful posts

OK, so we were able to find the following configuration that I think will work.  The whole end goal is the make it so that:

A: No one can spoof a mac address (at least on that switch)

and

B: The ports for common areas die if they're unplugged.

We've come up with the following:

switchport access vlan xxx

switchport mode access

switchport voice vlan xxx

switchport port-security

switchport port-security aging type inactivity

switchport port-security mac-address sticky

switchport port-security mac-address sticky xxxx.yyyy.zzzz vlan voice

srr-queue bandwidth share 1 30 35 5

queue-set 2

priority-queue out

mls qos trust device cisco-phone

mls qos trust cos

auto qos voip cisco-phone

spanning-tree portfast

service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

Hi Preston,

That is what you do for interface config.

As per the interface config, you objective A will be accomplised; however if in gobal mode if you haven't included errdisable detect cause link-flap; then you objective B won't be met.

Although, I take that you would have definately included that in your global settings.

Hope your all your concerns and objective are met.

Regards,

Smitesh

PS: Please rate helpful posts.

Review Cisco Networking for a $25 gift card