NAC and Sticky Port Security - 2960S

cdsemrad
Level 1

Hi all, was wondering if anyone has ever run into this problem before.

The company I work for has a floor that is using a stack of 2960S switches and sticky MAC port security, with the exception of the last 24 ports, which are NAC managed conference room ports utilizing a standard port security configuration.

The problem is that when a host from that floor (like a laptop) needs to connect to a NAC managed port in one of the conference rooms, it errors out that conference room port, even though the conference room ports are not using sticky MAC port security. Of course, the only way to get the host connected is to clear the sticky from its originating port and cycle the conference room port.

Any idea on how we could work around this issue without changing the sticky port config?

TIA

10 Replies

MikeyDunn1
Level 1

Hey Chris,

Can you post your config for me?

Thanks,

Mikey

Hey Mikey, here are the port configs... if you want the entire thing then let me know, but it will take me a minute to scrub it down. =)

NAC Managed Port Config -

interface GigabitEthernet2/0/48
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast

STICKY MAC Port Config -

interface GigabitEthernet1/0/16
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky xxxx.xxxx.xxxx
no cdp enable
spanning-tree portfast

Chris,

What type of error do you receive (or what state is the port in) on the switch when you connect a device to a NAC managed port and do you resolve this by simply issuing the 'shut' and 'no shut' commands on the port in question?

Thanks,

Mikey

Nah, this only happens when you introduce a host that uses sticky to the NAC controlled port.

For example, host A attached to port 1 is using sticky port security and decides to hold a meeting in the conference room and connects to port 40, which is a NAC controlled port using dynamic port security. (Note: this is all one 2960S switch.)

Once the host attaches to port 40, the port goes into an err-disabled state.

The resolution is to clear the MAC on port 1 and shut / no shut port 40 in the conference room... then everyone is happy.

I'm trying to simulate the problem you are having in my test environment. I don't believe the switch would deny the learned MAC address between ports, but I am a beginner so I may be wrong.

Can you either post or attach a copy of your full config? I think I have a solution for you but I want to make sure.

Thanks!

Mikey

Here ya go, have fun... =)

xxxxxxxxxxxxx-2960S-1#sh run
Building configuration...

Current configuration : 33617 bytes
!
! Last configuration change at 20:05:50 UTC Thu Sep 15 2011 by
! NVRAM config last updated at 16:47:21 UTC Wed Sep 14 2011 by
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xxxxxxxxxxxxx-2960S-1
!
boot-start-marker
boot-end-marker
!
logging buffered notifications
no logging console
no logging monitor
enable secret 5
!
username privilege 15 user-maxlinks 4 password 7
aaa new-model
!
!
aaa group server tacacs
server xxx.xxx.xxx.xxx
!
aaa authentication fail-message ^C
****************************
*                          *
*  Authentication Failure! *
*                          *
****************************
^C
aaa authentication login default group  local-case
aaa authentication login console local-case
aaa authentication enable default group  enable
aaa authorization config-commands
aaa authorization exec default group  local
aaa authorization commands 0 default group  local
aaa authorization commands 1 default group  local
aaa authorization commands 15 default group  local
aaa authorization reverse-access default group
aaa accounting exec default start-stop group
aaa accounting commands 0 default start-stop group
aaa accounting commands 1 default start-stop group
aaa accounting commands 15 default start-stop group
aaa accounting connection default start-stop group
aaa accounting system default start-stop group
!
!
!
!
!
aaa session-id common
switch 1 provision ws-c2960s-48ts-l
switch 2 provision ws-c2960s-48ts-l
authentication mac-move permit
no ip source-route
!
!
ip dhcp snooping vlan xxx,xxx,xxx,xxx,xxx
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip domain-name xxxxxxxx.com
vtp domain xxxxxx
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01
 
        quit
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
vlan 1
name xxx.xxx.xxx.xxx/24-CAM
!
vlan 3
name xxx.xxx.xxx.xxx/24-NAC-Auth
!
vlan 7
name xxx.xxx.xxx.xxx/24-NAC-CR-Access
!
vlan 10
name xxx.xxx.xxx.xxx/24-Internet-Only
!
vlan 2
name xxx.xxx.xxx.xxx/24-floor vlan
!
vlan 3
name xxx.xxx.xxx.xxxx/24-CAM
!
!
!
!
!
!
interface Port-channel1
switchport trunk native vlan xxx
switchport mode trunk
ip dhcp snooping trust
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
description
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0040.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0024.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/3
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0025.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/4
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0026.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/5
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 6431.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/6
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/7
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 6431.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/8
description
switchport access vlan 2
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0000.
switchport port-security mac-address sticky 0004.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/9
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 6431.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/10
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 78e7.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/11
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky f4ce.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/12
description
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address sticky
shutdown
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/13
description
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 705a.
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/14
description
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 68b5.
no cdp enable
spanning-tree portfast

!!!!!!!!! SAME CODE ALL THE WAY THROUGH PORT 48!!!!!!!!!!!!!!!!!!!!!!

interface GigabitEthernet1/0/49
switchport mode trunk
shutdown
ip dhcp snooping trust
!
interface GigabitEthernet1/0/50
switchport mode trunk
shutdown
ip dhcp snooping trust
!
interface GigabitEthernet1/0/51
switchport mode trunk
shutdown
ip dhcp snooping trust
!
interface GigabitEthernet1/0/52
switchport trunk native vlan xxx
switchport mode trunk
channel-group 1 mode on
ip dhcp snooping trust
!
interface GigabitEthernet2/0/1
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0024.8198.09c2
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/2
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001f.293c.0d1f
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/3
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/4
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 68b5.99e5.060f
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/5
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000f.2074.4c34
no cdp enable
spanning-tree portfast
!

!!!!!!!!!!!!!!!!!!SAME CODE THROUGH PORT 38!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!! THE REST ARE NAC PORTS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
interface GigabitEthernet2/0/38
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/39
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/40
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security aging time 1000
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/41
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/42
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/43
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/44
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/45
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/46
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/47
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/48
description Conference Room
switchport access vlan 3
switchport mode access
switchport port-security aging time 10
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet2/0/49
switchport mode trunk
shutdown
ip dhcp snooping trust
!
interface GigabitEthernet2/0/50
switchport mode trunk
shutdown
ip dhcp snooping trust
!
interface GigabitEthernet2/0/51
switchport mode trunk
shutdown
ip dhcp snooping trust
!
interface GigabitEthernet2/0/52
switchport trunk native vlan xxx
switchport mode trunk
channel-group 1 mode on
ip dhcp snooping trust
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
ip default-gateway xxx.xxx.xxx.xxx
ip http server
ip http access-class 99
ip http authentication aaa login-authentication default
ip http secure-server
!
ip sla enable reaction-alerts
logging esm config
logging trap notifications
logging facility local2
logging xxx.xxx.xxx.12
logging xxx.xxx.xxx.160
access-list 10 remark *****************************  SNMP.Read-Only  *******************************
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.160
access-list 10 deny   any log
access-list 10 remark ******************************************************************************
access-list 97 remark ******************************  This-Host.Out  *******************************
access-list 97 deny   any
access-list 97 remark ******************************************************************************
access-list 98 remark *****************************  SNMP.Read-Write  ******************************
access-list 98 permit xxx.xxx.xxx.xxx log
access-list 98 permit xxx.xxx.xxx.xxx log
access-list 98 deny   any log
access-list 98 remark ******************************************************************************
access-list 99 remark ******************************  Management.In  *******************************
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 permit xxx.xxx.xxx.xxx
access-list 99 deny   any log
access-list 99 remark ******************************************************************************
snmp-server community  RO 10
snmp-server community  RW 98
snmp-server tftp-server-list 99
snmp-server system-shutdown
snmp-server enable traps snmp linkdown linkup
snmp-server host xxx.xxx.xxx.xxx  mac-notification snmp
snmp-server file-transfer access-group 99 protocol tftp
tacacs-server host xxx.xxx.xxx.xxx single-connection key 7
tacacs-server administration
!
!
banner login ^C
**********************************************************************************************
*                                           WARNING                                          *

^C
!
line con 0
session-timeout 10
password 7
login authentication console
transport preferred ssh
transport output telnet ssh
line vty 0 4
session-timeout 5
access-class 99 in
access-class 97 out
exec-timeout 5 0
password 7
width 132
history size 64
transport preferred ssh
transport input ssh
transport output none
line vty 5 15
access-class 99 in
access-class 97 out
exec-timeout 0 1
password 7
no exec
transport input none
transport output none
!
ntp server xxx.xxx.xxx.xxx prefer version 3
ntp server xxx.xxx.xxx.xxx version 3
mac address-table aging-time 3600
end

xxxxxxxxxxx-2960S-1#
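
Added example, not part of the thread and not Cisco or the poster's code: a Python script that parses a `show run` paste like the one above (it tolerates the stripped indentation of a forum paste) into per-interface blocks and reports the port-security settings that matter for the behaviour described in this thread. It flags ports that carry port-security aging lines but no bare `switchport port-security` command, which means the feature is not actually enabled and nothing is secured on them (in the config posted above that is the case for Gi2/0/40, Gi2/0/43 and Gi2/0/48); ports that have port-security enabled with no explicit violation mode, so the default mode, shutdown, applies and a violation puts the port into err-disabled state, which is what is being seen on the conference room ports; the sticky addresses secured on each port, including any address that is configured sticky on more than one port; and the per-port aging time, so that the 10 versus 1000 minute difference between the conference room ports is visible. The embedded sample config is constructed to mirror the two port styles posted here, with placeholder MAC addresses.

```python
"""Audit port-security settings in a Cisco IOS 'show run' dump.

Added example for this thread; not Cisco code and not the poster's
configuration. The sample below is constructed and uses placeholder MACs.
"""
import re
from collections import defaultdict

# Constructed sample: one pair of sticky floor ports sharing a secured MAC,
# and two conference-room ports, one of which never enables port-security.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/16
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.1111.aaaa
 no cdp enable
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.1111.aaaa
!
interface GigabitEthernet2/0/40
 description Conference Room
 switchport access vlan 3
 switchport mode access
 switchport port-security aging time 1000
 switchport port-security aging type inactivity
!
interface GigabitEthernet2/0/41
 description Conference Room
 switchport access vlan 3
 switchport mode access
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
"""

STICKY_ENABLE = "switchport port-security mac-address sticky"
STICKY_MAC_RE = re.compile(
    r"^switchport port-security mac-address sticky "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)
AGING_TIME_RE = re.compile(r"^switchport port-security aging time (\d+)$")


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]}.

    Works for normal IOS output and for pastes whose indentation was
    stripped: a block ends at a bare '!' or a blank line, or when the
    next 'interface' statement starts.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port_security(config):
    """Collect the port-security facts relevant to err-disable surprises."""
    sticky_owner = defaultdict(list)
    report = {
        "not_enabled": [],                # port-security lines, feature off
        "default_violation_shutdown": [],  # enabled, no 'violation' keyword
        "sticky_ports": [],
        "duplicate_sticky": {},
        "aging_time": {},                 # minutes, per port
    }
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport port-security") for l in lines):
            continue
        if "switchport port-security" not in lines:
            report["not_enabled"].append(name)
        elif not any(l.startswith("switchport port-security violation") for l in lines):
            report["default_violation_shutdown"].append(name)
        if STICKY_ENABLE in lines:
            report["sticky_ports"].append(name)
        for l in lines:
            m = STICKY_MAC_RE.match(l)
            if m:
                sticky_owner[m.group(1)].append(name)
            m = AGING_TIME_RE.match(l)
            if m:
                report["aging_time"][name] = int(m.group(1))
    report["duplicate_sticky"] = {
        mac: ports for mac, ports in sticky_owner.items() if len(ports) > 1
    }
    return report


def format_report(report):
    """Render the audit as printable lines."""
    out = []
    for name in report["not_enabled"]:
        out.append(f"{name}: port-security settings present but not enabled "
                   "(no 'switchport port-security'); nothing is secured")
    for name in report["default_violation_shutdown"]:
        out.append(f"{name}: no violation mode set; default 'shutdown' "
                   "err-disables the port on a violation")
    for mac, ports in report["duplicate_sticky"].items():
        out.append(f"{mac}: sticky on more than one port: {', '.join(ports)}")
    for name, minutes in sorted(report["aging_time"].items()):
        out.append(f"{name}: port-security aging time {minutes} min")
    return out


if __name__ == "__main__":
    print("\n".join(format_report(audit_port_security(SAMPLE_CONFIG))))
```

To run it against a real switch, replace SAMPLE_CONFIG with the text of `show running-config`; the parser keys on `interface` lines and `!` separators only, so the rest of the config is ignored.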

The fix is to increase the aging time on the NAC controlled ports to 1000.

Thanks for the update. That's interesting that altering that value would resolve your issue.

I have to ask, when you move a device from a sticky port to a NAC controlled port now, does the learned MAC address on the sticky port still stay on the port? Or does the switch see that MAC address on another port and remove the sticky MAC address entry?

It was Friday, so I will look into that on Monday... good question though, thinking it's a bug =)

Yeah, I just tried to recreate the problem with a small lab myself and didn't have any problems; however, the switch is a 2960G with an older IOS and is not stacked. =/

I opened a TAC case and will let you know what we find out.

Thanks,

Chris