09-06-2010 02:38 AM - edited 03-06-2019 12:50 PM
Dear All,
I am stuck in a problem. Hope you can share your experience and shed some light on it.
[MY SETUP]
I have two access points connected to a switch via trunk ports, as these APs are broadcasting multiple SSIDs with their respective VLANs.
I have implemented port security as follows on both the trunk ports.
interface FastEthernet0/1
description Trunk Link to Access Point 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,30
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 20
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection trust
end
interface FastEthernet0/2
description Trunk Link to Access Point 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,30
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 20
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection trust
end
[PROBLEM]
When a LAN user associates with an AP, let's say AP-1, it gets connected and his MAC is added to the port security table.
kw-hq-sw-2#sh port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan  Mac Address     Type           Ports  Remaining Age (mins)
----  --------------  -------------  -----  --------------------
10    0022.55d4.7ee7  SecureDynamic  Fa0/1  1 (I)
Now if the user takes his laptop to a location where the other AP-2 is located and tries to connect to it, a port security violation is generated because his MAC is already associated with Fa0/1 for 1 minute.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0022.55d4.7ee7 on port FastEthernet0/2.
%PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/2 due to MAC address 0022.55d4.7ee7 on VLAN 10
He is only able to connect to AP-2 on int Fa0/2 until the port-security aging time of 1 minute expires on Fa0/1.
Thanks in advance.
09-07-2010 11:08 PM
Guys,
Is it a good idea to put each AP on a separate switch to avoid this problem? Isn't there any possibility to manage all the APs on one switch?
09-12-2013 07:56 AM
Hello Samir
The issue here is the mobility users can have over the network, so even if you put the second AP on another switch with port security enabled, it will detect a violation regarding the same MAC address on two different ports.
Check this statement about port security:
"If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, applies the configured violation mode.
Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation. "
The issue is that the MAC is kept in the table for that port, so only after the aging expires can this host send traffic again, as you realized.
So I can imagine the reason you added port security, but think about the pros and cons of having it: mobile users won't be able to receive or send traffic until the timer expires. There's always a trade-off.
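Added example (my own code, not from the original poster or from Cisco): a small script that takes the "show port-security address" output and the PSECURE_VIOLATION syslog lines from the first post and labels each violation as a MAC move (the secure MAC is already held by another port in the same VLAN, which is what a roaming client looks like, as the quoted statement above describes) or as an unknown MAC (a new address, for example when the port's maximum is hit). The sample table and syslog text are constructed from the values in this thread plus one extra row and one extra violation; the interface-name normalisation and the field layout of the table rows are assumptions about the show-command format.

```python
import re

# Constructed sample input: the table and syslog lines from the thread, plus one
# extra secure entry and one violation for a MAC that is not in the table.
SECURE_TABLE = """\
Vlan Mac Address Type Ports Remaining Age (mins)
---- ----------- ---- ----- -------------
10 0022.55d4.7ee7 SecureDynamic Fa0/1 1 (I)
20 0011.2233.4455 SecureDynamic Fa0/2 1 (I)
"""

SYSLOG = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0022.55d4.7ee7 on port FastEthernet0/2.
%PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/2 due to MAC address 0022.55d4.7ee7 on VLAN 10
%PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/1 due to MAC address 00aa.bbcc.ddee on VLAN 10
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ROW_RE = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+\S+\s+(\S+)\s+(\S+)", re.I)
MAC_RE = re.compile(r"MAC address (" + MAC + r")", re.I)
PORT_RE = re.compile(r"port ([A-Za-z]+\d+(?:/\d+)*)")
VLAN_RE = re.compile(r"VLAN (\d+)")


def short_ifname(name):
    """Normalise 'FastEthernet0/2' (syslog form) to 'Fa0/2' (show-command form). Assumed convention."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*(\d.*)", name)
    return m.group(1) + m.group(2) if m else name


def parse_secure_table(text):
    """Map (vlan, mac) -> (port, remaining_age_minutes or None) from 'show port-security address'."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header and separator rows do not start with a VLAN number
        vlan, mac, port, age = m.groups()
        table[(int(vlan), mac.lower())] = (port, int(age) if age.isdigit() else None)
    return table


def parse_violations(text):
    """Collect PSECURE_VIOLATION events keyed by (mac, port); the _VLAN variant adds the VLAN."""
    events = {}
    for line in text.splitlines():
        if "PSECURE_VIOLATION" not in line:
            continue
        mac_m, port_m = MAC_RE.search(line), PORT_RE.search(line)
        if not (mac_m and port_m):
            continue
        key = (mac_m.group(1).lower(), short_ifname(port_m.group(1)))
        ev = events.setdefault(key, {"mac": key[0], "port": key[1], "vlan": None})
        vlan_m = VLAN_RE.search(line)
        if vlan_m:
            ev["vlan"] = int(vlan_m.group(1))
    return list(events.values())


def classify(table, violations):
    """Label each violation 'mac-move' when the same MAC is secured on a different port in
    the same VLAN (roaming client), else 'unknown-mac' (new address, e.g. maximum reached)."""
    out = []
    for ev in violations:
        candidates = [k for k in table
                      if k[1] == ev["mac"] and (ev["vlan"] is None or k[0] == ev["vlan"])]
        verdict = dict(ev, kind="unknown-mac", secured_port=None, remaining_age=None)
        for key in candidates:
            port, age = table[key]
            if port != ev["port"]:
                verdict.update(kind="mac-move", secured_port=port, remaining_age=age, vlan=key[0])
                break
        out.append(verdict)
    return out


def report(table_text=SECURE_TABLE, syslog_text=SYSLOG):
    """Run the whole pipeline on the sample input and return the labelled violations."""
    return classify(parse_secure_table(table_text), parse_violations(syslog_text))


if __name__ == "__main__":
    for v in report():
        print(v)
```

On the sample input the first violation comes back as a MAC move from Fa0/1 to Fa0/2 in VLAN 10 with 1 minute of inactivity aging still to run, which is exactly the roaming case in the first post; the second is an unknown MAC, which is the kind of event port security on an AP uplink is actually meant to catch. Feeding real "show port-security address" output and a syslog export into `report()` separates the two so the roaming noise can be filtered before anyone treats it as an intrusion.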
09-12-2013 01:15 PM
Even if you put the 2nd AP into a different switch, the problem won't go away as long as those switches are interconnected. As long as you know these two ports are configured for APs and are physically secure (no one can remove the AP and connect some other device), simply get rid of port security.
HTH
Rasika
09-13-2013 02:11 AM
I am guessing your access points are autonomous?
If so, you may need to remove port security; otherwise clients who roam may be blocked from the network, as their MAC address will appear on two different L2 ports. The aging timer will expire if the device goes off the network for 60 seconds, but it won't if the client is roaming.
If you use a controller, you would not have this issue because the switchport would only see the AP's MAC address.