Port Security Aging

edw
Level 1

Hi,

I have tried to set up port security and it has worked to a point.

I have the port security locking out other MAC addresses which aren't on my list, however the port aging doesn't seem to be working.

My list for the port is:

port security

port security max-mac-count 1

port security action shutdown

port security aging time 60

switchport access vlan x

spanning-tree portfast

mac-address-table secure 0000.0000.0000 fastethernet0/21 vlan x

All works except the aging isn't shutting the port down after 60 mins of inactivity.....

I want to get it to a point where if the port is unplugged for x amount of time, the port shuts down and requires intervention.

Thanks


Ed


cadet alain
VIP Alumni

Hi,

Taken from here: https://supportforums.cisco.com/docs/DOC-4868

You can issue the port security aging or switchport port-security aging time command to set the aging time for all dynamic and static secure addresses on a port. When port security aging is enabled on a port, the secure addresses on the port are deleted only if they are inactive for the specified aging time.

So it will not do what you want to achieve.

Regards.

Alain

Don't forget to rate helpful posts.

edw
Level 1

But surely the described statement is exactly what I'm doing?? Isn't it?

Port ageing is added

Mac address secure is added

Computer is removed for 60 minutes - no change....

Thanks

Ed


Hi,

I don't see that the port will be errdisabled when the secure MAC address is deleted from CAM table, why would it anyway?

The port will get errdisabled if there is a MAC address different from the secure one that appears as src on the port.

This aging time feature is useful to prevent MAC-MOVE notifications but not for disabling the port as far as I know.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

Thanks for the reply. What's interesting is the MAC isn't deleted from the mac-address-table, so it's still able to reconnect afterwards.

Unless I'm misunderstanding. If the MAC is deleted from the table after the aging timeout then surely it won't be able to reconnect to the port until the MAC address is re-added?

It looks like on the newer OS you can tell the aging timeout to make the port inactivity as part of aging activity.

However I'm using a slightly older version and thought the MAC address removing should have worked..??

Thanks


Ed

Anyone know how I could achieve what I want to do?

Thanks


Ed

Hi,

The question is: what exactly do you want to achieve?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I want to get it to a point where if the port is unplugged for x amount of time, the port does a shutdown and requires intervention to reactivate it.

I.e. I have a load of exhibits on our floor. However, sometimes exhibits get taken offsite for a few days and then brought back and plugged in. I want as a safety precaution for that port not to allow that machine back on until an IT member has checked it.

Thanks


Ed

Hi,

Which platform and which OS?

Regards.

Alain

Don't forget to rate helpful posts.

Cisco 3524XL with 12.0-5 (WC17)