03-11-2011 08:55 AM - edited 03-06-2019 04:02 PM
Hello,
I want to set up port security on a switch in our campus LAN. But I don't want users having to ring the service desk because they are locked out when the port is in err-disabled state. I want the port to clear itself after 10 mins.
So if a user plugs into one port on the switch and attaches their MAC address, no other user can plug into that port or it will err-disable that port. So when the same user plugs into Gi0/44 he will err-disable the ports. But will both ports clear and be usable again in 10 mins' time?
Here is an example:
interface GigabitEthernet0/12 (user plugged in here)
switchport access vlan 8
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0015.b7dd.2256
spanning-tree portfast
spanning-tree bpduguard enable
end
interface GigabitEthernet0/44
switchport access vlan 8
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
end
I enabled this globally on the switch:
errdisable recovery cause psecure-violation
errdisable recovery interval 600
03-11-2011 09:14 AM
Hi Kevin,
Yes, the configurations are looking good. And the errdisable recovery mechanism is correctly configured.
And the only difference between the configurations on gig0/12 and gig0/44 would be: on gig0/12 the mac-address that should be learnt dynamically is written into the configuration and the port should only be used by the user having that mac-address, but on gig0/44, when you do a shut/no shut on the interface, the secure mac-addresses learnt on that interface get flushed out of the mac-address-table, and you can have a different user with another mac-address on that port.
So the configurations are looking OKAY, and should work as expected.
Regards,
ranraju
03-14-2011 01:14 PM
Hi ranraju,
I had a go at this today and got a test user to plug into gig0/12 and gig0/44. Gig0/12 became err-disabled and Gig0/44 was unusable. The user then plugged back into Gig0/12 and after 60 seconds his port was cleared and he was able to authenticate on the domain.
But gig0/44 stays in err-disabled state until I bounce the port. Q. Is there any way to automatically have Gig0/44 clear itself as well?
I want the whole thing to be automated.
thanks
Kevin
03-14-2011 08:20 PM
Did you try configuring "switchport port-security aging time" on the interface? You have 2 variations of this command: you could either say "switchport port-security aging type inactivity" or you can give "switchport port-security aging time __", with the time in minutes. You can do some tests with these configurations.
Regards,
ranraju
03-18-2011 02:36 PM
Ranraju,
I went with port security on port gig0/12 and took it off gig0/44. So user 1 can plug into his own port on gig0/12 and when he goes to the hot desk area of gig0/44 he can successfully log in without getting locked out. And no one can log in to his port on gig0/12 because his MAC address is attached there.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
This is just a short-term fix so I can roll this config out to around 60 users, leaving 10 ports without port security as a hot desk area.
Next project is to roll out Cisco NAC, which looked really good when I was at a demo.
thanks
Kevin
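The checks this thread turns on (errdisable recovery enabled for psecure-violation, a recovery interval no longer than the wanted 10 minutes, and secure-address aging on sticky ports), written up as an added example that is not from the thread or from Cisco: a small Python audit over an IOS-style running-config. The sample config is constructed from the thread's Gi0/12 and Gi0/44; Gi0/45 is a hypothetical port carrying the aging commands ranraju mentioned.

```python
import re
# Constructed sample: trimmed from the thread's Gi0/12 and Gi0/44, plus a hypothetical Gi0/45 with the aging commands ranraju mentioned.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 600
interface GigabitEthernet0/12
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0015.b7dd.2256
interface GigabitEthernet0/44
 switchport port-security
 switchport port-security mac-address sticky
interface GigabitEthernet0/45
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
"""

def parse_config(text):
    """Split an IOS-style config into global lines and per-interface sub-commands."""
    glob, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif raw.startswith(" ") and cur is not None:  # indented line = sub-command
            ifaces[cur].append(line)
        elif line and line != "!":  # any other top-level line ends the block
            cur = None
            glob.append(line)
    return glob, ifaces

def audit(text, max_interval=600):
    """Return {interface: [issues]} for every port that enforces port-security."""
    glob, ifaces = parse_config(text)
    recovery = "errdisable recovery cause psecure-violation" in glob
    m = re.search(r"^errdisable recovery interval (\d+)$", "\n".join(glob), re.M)
    interval = int(m.group(1)) if m else None
    def port_issues(lines):
        issues = []
        if not recovery:
            issues.append("psecure-violation is not an errdisable recovery cause")
        if interval is None or interval > max_interval:
            issues.append("recovery interval missing or longer than %ds" % max_interval)
        if not any(l.startswith("switchport port-security aging") for l in lines):
            issues.append("no secure-address aging: a learned MAC stays until the port is bounced")
        return issues
    # Ports without port-security (Kevin's hot-desk fix) are out of scope.
    return {n: port_issues(l) for n, l in ifaces.items() if "switchport port-security" in l}
```

Run `audit(SAMPLE_CONFIG)` to see Gi0/12 and Gi0/44 flagged for missing aging while Gi0/45 comes back clean; feed it the output of `show running-config` to check a whole switch.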