11-07-2008 03:43 AM - edited 03-06-2019 02:22 AM
I'm trying to get serious with port-security and I'm running out of ideas on how to get it to work with dynamic MACs.
I've got a stack of 3750 running IOS Ver 12.1 (19).
My port config looks like this:
interface FastEthernet4/0/27
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 2
switchport port-security aging time 5
switchport port-security violation restrict
switchport port-security aging type inactivity
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
When I plug in my laptop into this port, it learns the mac directly and the show port-security table looks like this:
2 000f.1fbe.2669 SecureDynamic Fa4/0/27 5 (I)
and the ps interface settings like this:
3750-LL-1#show port-security interface fa4/0/27
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 5 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 000f.1fbe.2669:2
Security Violation Count : 0
When I unplug my laptop, the mac address is deleted completely from the switch and not stored for the aging time of 5 minutes as in the config thus making the port not unsafe.
I'm running out of steam and time on this one so pls help!
Chris
btw,
Sticky and static addresses work fine but I have to work with dynamic addresses.
Accepted Solutions

11-13-2008 01:23 PM
What you are seeing is the normal behaviour. If a port transitions to the down state (you unplug the laptop) the secure MAC address is removed (it's removed from the CAM table as well). The aging time that is configured does not come into play if the port is down. If you leave the laptop plugged in and it doesn't send any packets for 5-minutes then its MAC will be removed from the port-security table (it will stay in the CAM table for the STP aging time, default being 300-seconds).
It sounds like you want a feature that isn't available - i.e. sticky MAC address with an aging timer?
HTH
Andy
11-13-2008 12:53 PM
The securedynamic function does not work after port security enabled.
This is a bug.
After you have set the maximum number of secure MAC addresses on a port, port security includes the secure addresses in the address table in one of these ways:
• You can statically configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
• You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
• You can statically configure a number of addresses and allow the rest to be dynamically configured.
If the port has a link-down condition, all dynamically learned addresses are removed.
Following bootup, a reload, or a link-down condition, port security does not populate the address table with dynamically learned MAC addresses until the port receives ingress traffic.
A security violation occurs if the maximum number of secure MAC addresses have been added to the address table and the port receives traffic from a MAC address that is not in the address table.
For further information click this link.
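The behaviour Andy describes and the documentation excerpt above (dynamic secure MACs flushed on link-down, removed by inactivity aging only while the link stays up, sticky entries untouched, restrict mode counting violations) can be modelled in a few lines. This is an added illustration, not code from the thread or from Cisco; the MAC, timer values and class names are taken from the original post's config or are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SecureEntry:
    kind: str           # "sticky" or "dynamic"
    last_seen: int = 0  # simulated clock, in seconds

@dataclass
class PortSecurityPort:
    maximum: int = 2       # switchport port-security maximum 2
    aging_time: int = 300  # aging time 5 (minutes), aging type inactivity
    table: dict = field(default_factory=dict)
    violations: int = 0
    link_up: bool = True

    def ingress(self, mac, now):
        """Frame from `mac` arrives at time `now`; returns True if forwarded."""
        if not self.link_up:
            return False
        if mac in self.table:
            self.table[mac].last_seen = now  # traffic resets the inactivity timer
            return True
        if len(self.table) >= self.maximum:
            self.violations += 1  # violation restrict: drop, count, port stays up
            return False
        self.table[mac] = SecureEntry("dynamic", now)
        return True

    def add_sticky(self, mac):
        self.table[mac] = SecureEntry("sticky")

    def tick(self, now):
        """Inactivity aging: only dynamic entries idle for aging_time are removed."""
        for mac, e in list(self.table.items()):
            if e.kind == "dynamic" and now - e.last_seen >= self.aging_time:
                del self.table[mac]

    def link_down(self):
        """Unplugging flushes dynamic secure MACs at once; sticky entries stay."""
        self.link_up = False
        self.table = {m: e for m, e in self.table.items() if e.kind != "dynamic"}

def unplug_scenario(sticky=False):
    port = PortSecurityPort()
    mac = "000f.1fbe.2669"  # laptop MAC from the original post
    if sticky:
        port.add_sticky(mac)
    else:
        port.ingress(mac, now=0)
    port.link_down()
    return sorted(port.table)
```

`unplug_scenario()` reproduces what Chris saw (an empty table right after unplugging), while `unplug_scenario(sticky=True)` shows why sticky addresses "work fine".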
11-18-2008 01:15 AM
Thanks Andrew. Basically the result of my lab testing is this:
You can use port security for nodes such as PCs that support securesticky MAC addresses, but as soon as you use IP phones on a voice VLAN you cannot use port-security, as IP phones can only be configured as securedynamic devices.
Thanks to all for the tips and help.
Although my testing was not successful, I have learnt a lot!
I will go back to using MAC access lists, which is a pain in the ... but works well!
Chris
