Port-Security MAC address issue

siddiqirf
Level 1

I am having an issue with port-security, in that when a user moves his laptop from one desk to another, I have to clear off their MAC address from the old port before they can plug into the new port.

With my port-security configuration this shouldn't happen, as I am not using the MAC-address sticky command. So when the user unplugs his laptop from a switchport the MAC address should immediately be cleared off. This will allow him to use that MAC address (laptop) on another port. But this is not happening, and each time I have to log on and clear the MAC address off the old port before the user can use the new port.

interface GigabitEthernet0/xx
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation
 spanning-tree portfast
 spanning-tree bpduguard enable

Please advise.

5 Replies

cadet alain
VIP Alumni

Hi,

Secure MAC addresses do not age out by default, but you can specify after how much time you want them to get cleared off the CAM table with these 2 commands:

- switchport port-security aging type {absolute | inactivity}

- switchport port-security aging time <time>, where time is in minutes ranging from 0 to 1440, and 0 is never

The second command can be entered in global config or on specific interfaces.

So you'll have to wait for a minimum of 1 min before plugging into the new port, afaik.

Regards.

Alain.

Don't forget to rate helpful posts.

How can I configure it so that users can instantly move switch ports (desks) without having to wait for one minute? Is one minute the minimum I can configure?

Also, I can't see anywhere in the Cisco documentation where it says that 0 means never expire.

Please advise.

Hi,

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wp1042499

taken from the link:

If the port link goes down, all the dynamically learned addresses are removed.

So shutting down the port before unplugging should instantaneously clear the MAC address from the table, but it won't be automatic.

Regards.

Alain.

Don't forget to rate helpful posts.

Are you saying that if the user unplugs his laptop from a switchport, then this should be enough to remove the dynamically learned addresses immediately, or does it still wait for the aging timer?

Also, doing a manual shut will be a nightmare for me; we have 50 laptop users moving desks all day.

The switchport port-security aging time command allows one minute as the minimum. Is this my best option?

siddiqirf wrote:

Are you saying that if the user unplugs his laptop from a switchport, then this should be enough to remove the dynamically learned addresses immediately, or does it still wait for the aging timer?


No, you told it yourself in your initial post, and this is the problem you're trying to solve.


Also, doing a manual shut will be a nightmare for me; we have 50 laptop users moving desks all day.

The switchport port-security aging time command allows one minute as the minimum. Is this my best option?

Yes, indeed, the manual sh/no sh will be a nightmare.

Yes, the minimum is 1 minute. AFAIK with port-security this is your best option.

If you were using dot1x, then on some platforms you could use authorization mac-move permit, which would solve your problem.

Regards.

Alain.

Don't forget to rate helpful posts.
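As an added example (not from the thread), the interface as posted beside the same interface with Alain's two aging commands applied, followed by the show and clear commands used to verify the timer and to do by hand what the original poster has been doing. GigabitEthernet0/1 and the restrict violation mode are assumptions; the post has 0/xx and leaves the violation mode off.

```cisco
! Added example, not from the thread.  As posted: no aging configured, so each
! dynamically learned secure MAC stays bound to this port until it is cleared
! by hand or the link goes down.  Gi0/1 and "violation restrict" are assumed.
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Same interface with Alain's aging commands.  "inactivity" ages an entry out
! after the timer passes with no traffic from that MAC, so an unplugged laptop
! frees its address after one minute (the smallest timer accepted) instead of
! never.  "absolute" would age it out one minute after it was learned even while
! the laptop is still connected, which is not what is wanted here.
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification: the first command reports Aging Time / Aging Type for the port,
! the second lists the secure addresses currently held with their remaining age.
show port-security interface GigabitEthernet0/1
show port-security address
!
! The manual step the original poster wants to avoid: drop the dynamically
! learned secure addresses on the old port so the laptop can move immediately.
clear port-security dynamic interface GigabitEthernet0/1
```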