02-19-2019 07:42 AM - edited 03-08-2019 05:23 PM
Our team uses port security to force phones not to move from their locations for 911 location services; we have not found a way to exclude any access VLANs within the port security functions. Does anyone have a sample script that can clear port security MACs for non-voice-VLAN MACs that are sticky or stuck on the port, allowing users to move a PC/laptop without rendering it useless within the same switch? We are using 4500s and some stackables.
02-19-2019 07:52 AM
Hello,
Post a sample of a port configuration as it is right now, and a sample of what you want the port configuration to look like once the EEM script has executed...
02-19-2019 07:58 AM
interface GigabitEthernet1/11
switchport access vlan 321
switchport mode access
switchport voice vlan 2321
switchport port-security maximum 11
switchport port-security maximum 10 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky <<< if a PC is plugged in through the phone, it traps the data VLAN MAC here; this is what we want to remove.
switchport port-security mac-address sticky 001a.e85b.bbba vlan voice <<< this should remain to keep the port locked
spanning-tree portfast
ip dhcp snooping limit rate 100
end
We would want this script to run nightly to clear data macs as indicated.
Some switches are stackables with g1/0/1 naming vs g1/11 interface naming.
I would be happy with something that runs on 4500 and 9400's.
02-19-2019 09:42 AM
Hello,
since the sticky MAC addresses are different for each port, the EEM script cannot be totally automated. It comes down to configuring a section such as the one below for each interface (the script runs each day at midnight):
event manager applet CLEAR_MAC_STICKY
event timer cron cron-entry "0 0 * * *" maxrun 99999999
action 1.0 cli command "enable"
action 1.1 cli command "conf t"
action 1.2 cli command "interface GigabitEthernet1/11"
action 1.3 cli command "no switchport port-security mac-address sticky"
action 1.4 cli command "shut"
action 1.5 cli command "no shut"
action 1.6 cli command "switchport port-security mac-address sticky 001a.e85b.bbba vlan voice"
action 1.7 cli command "end"
02-19-2019 09:51 AM
I guess this may need to be a Tcl script instead of EEM; then EEM could be used to call up the Tcl script every night.
02-19-2019 10:07 AM
I don't know if a Tcl script would make much of a difference, to be honest. The sticky MAC address for the voice VLAN is not a variable and is not dynamic, so somehow you need to enter it manually...
02-19-2019 10:12 AM
I don't want to touch the voice VLAN sticky MAC; it will remain regardless of clearing the other. Couldn't a Tcl script read the MAC for the data subnet entry, then feed it back in with a no statement to clear it?
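As an added example (not code posted in this thread), the per-interface logic the last post asks about, written in Python so it can be run offline against a saved running-config; an on-box Tcl/EEM policy would do the same parsing. It keeps the bare sticky enable line and any entry tagged "vlan voice", and emits "no" commands only for sticky MACs learned on the data/access VLAN. The interface names follow the thread (4500-style Gi1/11 and stackable-style Gi1/0/1); the MAC addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample running-config modelled on the thread's port; MACs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/11
 switchport access vlan 321
 switchport mode access
 switchport voice vlan 2321
 switchport port-security maximum 11
 switchport port-security maximum 10 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 001a.e85b.bbba vlan voice
!
interface GigabitEthernet1/0/1
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.6677 vlan access
 switchport port-security mac-address sticky 0011.2233.8899
 switchport port-security mac-address sticky 00aa.bbcc.ddee vlan voice
!
"""

INTF_RE = re.compile(r"^interface (\S+)")
# Matches only sticky lines that carry a learned MAC; the bare enable line has none.
STICKY_RE = re.compile(
    r"^ switchport port-security mac-address sticky "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (\S+))?$")

def data_sticky_macs(config: str) -> Dict[str, List[str]]:
    """Map interface name -> sticky MAC lines that are NOT on the voice VLAN."""
    found: Dict[str, List[str]] = {}
    intf = None
    for line in config.splitlines():
        m = INTF_RE.match(line)
        if m:
            intf = m.group(1)
            continue
        m = STICKY_RE.match(line)
        if m and intf and m.group(2) != "voice":
            found.setdefault(intf, []).append(line.strip())
    return found

def removal_commands(config: str) -> List[str]:
    """Build the config-mode commands that drop only the data-VLAN sticky MACs."""
    cmds: List[str] = []
    for intf, entries in data_sticky_macs(config).items():
        cmds.append(f"interface {intf}")
        cmds.extend(f"no {entry}" for entry in entries)
    return cmds
```

The returned commands are what the nightly applet would push inside "conf t"; the voice-VLAN sticky entry is never touched, so the phone stays bound to its port.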