
MACs Not Releasing 3750

Stuart McGrath
Level 1

Hi,

We have a number of laptop users that connect directly to their laptop and not via a docking station.

When these users move to a meeting room or another location within the building (same switch stack), the new port error-disables as the MAC of the laptop is still stuck on the original switchport. When I issue

#clear port-security all

#clear mac address-table dynamic

the MAC remains stuck to the original port. Only when I shut the port, issue the commands, then no shut the port will it clear. Not even a simple shut/no shut removes the MAC.

Settings on source and destination switchports are the same.

No sticky on the ports...For those that ask

Any ideas, as users are moving into conference/meeting rooms and being stuck with an error-disabled port due to duplicate MAC address?

11 Replies

Gregory Snipes
Level 4

What does the configuration on these ports look like?

jamescox3
Level 1

When the ports go in to err-disabled, what does a sh log look like?

Stuart McGrath
Level 1

Normal Psecure Violation caused by seeing the MAC in two locations.

14:22:16.567 GMT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.18d1.1d82 on port FastEthernet6/0/12.

Port Config: QoS stuff is from Auto QoS and not added manually

 switchport access vlan 130
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 508
 switchport port-security maximum 3
 switchport port-security
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone

You have a voice VLAN defined, are these laptops being plugged into IP phones at any point?

Depending on business rules there can be a few options.

Disable port security in the conference room.

Set port security aging on the ports; after a set amount of time the MAC address is released if the port is not in use.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html#wp1054687

Business will specify that Port-Security is needed.

Thanks, I'll take a look at the link, although current aging time is 0....does this mean it doesn't apply or just that it is aged out immediately?

Aging time 0 means infinite. This will never age out by time.

Thanks guys, this may clear it up

I'll try and add an aging time and see what effect it has.

Thanks
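The aging suggestion discussed above, written out as Catalyst IOS configuration. This is an added example, not part of the original thread or posted by any participant; the interface is the one named in the log line, and the 2-minute aging time and 300-second recovery interval are assumed values.

```ios
! Added example (not from the thread). Timer values are assumptions.
!
! Before: port security with the default aging time of 0, so a learned
! secure MAC is never released by time.
!   switchport port-security
!   switchport port-security maximum 3
!
! After: same limits, plus inactivity aging on each user-facing port.
interface FastEthernet6/0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 ! Aging time is in minutes; 0 disables aging.
 switchport port-security aging time 2
 ! "absolute" (the default) removes the entry N minutes after it was learned.
 ! "inactivity" removes it only after N minutes with no traffic from that MAC,
 ! so it does not depend on the port link going down.
 switchport port-security aging type inactivity
!
! Optional, global: let a port that was err-disabled by a port-security
! violation recover on its own instead of waiting for a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification from privileged EXEC:
!   show port-security interface FastEthernet6/0/12
!   show port-security address
!   show errdisable recovery
```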

Stuart McGrath
Level 1

Apologies.....Yes.

I neglected that one

I see one MAC for the phone and another for the Laptop. As the phone is not unplugged I can't assume this would stick if unplugged too.

This is likely to be the source of your problem. Since the link to the phone remains up, port security will assume that the device is still present on that port.

If mobility between IP phones is highly desirable you may want to consider disabling port security for these ports.

Hmm...Surely that shouldn't be the case?

I should say I have seen users elsewhere on our campus do the same with no issues...i.e. 3560 switches are fine with this operation.
