Port security

ohareka70
Level 3

Hello,

I want to set up port security on a switch in our campus LAN. But I don't want users having to ring the service desk because they are locked out when the port is in err-disabled state. I want the port to clear itself after 10 mins.

So if a user plugs into one port on the switch and attaches their MAC address, no other user can plug into that port, or it will err-disable that port. So when the same user plugs into Gi0/44 he will err-disable the ports. But will both ports clear and be usable again in 10 minutes' time?

Here is an example:

interface GigabitEthernet0/12 (user plugged in here)
 switchport access vlan 8
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0015.b7dd.2256
 spanning-tree portfast
 spanning-tree bpduguard enable
end


interface GigabitEthernet0/44
 switchport access vlan 8
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
end


I enabled this globally on the switch:

errdisable recovery cause psecure-violation
errdisable recovery interval 600


4 Replies

ranraju
Cisco Employee

Hi Kevin,

Yes, the configurations are looking good, and the errdisable recovery mechanism is correctly configured.

The only difference between the configurations on gig0/12 and gig0/44 is that on gig0/12 the MAC address that would be learnt dynamically is written into the configuration, and the port can only be used by the user having that MAC address; on gig0/44, when you do a shut/no shut on the interface, the secure MAC addresses learnt on that interface get flushed out of the mac-address-table, and you can have a different user with another MAC address on that port.

So the configurations are looking OKAY, and should work as expected.

Regards,

ranraju

Hi ranraju,

I had a go at this today and got a test user to plug into gig0/12 and gig0/44. Gig0/12 became err-disabled and Gig0/44 was unusable. The user then plugged back into Gig0/12, and after 60 seconds his port was cleared and he was able to authenticate on the domain.

But gig0/44 stays in err-disabled state until I bounce the port. Q: Is there any way to automatically have Gig0/44 clear itself as well?

I want the whole thing to be automated.

thanks

Kevin

(Accepted solution) Did you try configuring "switchport port-security aging time" on the interface? There are two variations of this command: you can either say "switchport port-security aging type inactivity" or "switchport port-security aging time __", with the time in minutes. You can do some tests with these configurations.

Regards,

ranraju
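A small audit script, added here as an example and not code from the thread or from Cisco, that parses a running-config and reports what the posts above are reasoning about by hand: whether psecure-violation auto-recovery is on globally and at what interval, and for each port-security port whether it is pinned to a MAC written into the config (like Gi0/12), sticky with no aging (like Gi0/44), or has the aging commands from the answer above. The config text is constructed from the interfaces quoted in the thread; GigabitEthernet0/45 is a hypothetical port added to show the aging case. One caveat worth checking in your platform's port-security guide before relying on aging for a sticky port: on Catalyst switches, sticky secure addresses are generally exempt from port-security aging.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample running-config (not a capture from a real switch). Gi0/12 and
# Gi0/44 mirror the thread's interfaces; Gi0/45 is hypothetical, with aging applied.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
interface GigabitEthernet0/12
 switchport access vlan 8
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0015.b7dd.2256
!
interface GigabitEthernet0/44
 switchport access vlan 8
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/45
 switchport access vlan 8
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
"""


@dataclass
class PortSecurity:
    name: str
    enabled: bool = False
    sticky: bool = False
    sticky_macs: List[str] = field(default_factory=list)  # MACs written into the config
    aging_time: Optional[int] = None   # minutes; None means no aging configured
    aging_type: Optional[str] = None   # "absolute" or "inactivity"


@dataclass
class ErrdisableRecovery:
    causes: Set[str] = field(default_factory=set)
    interval: int = 300   # seconds; IOS default when no interval line is present


def parse_config(text: str) -> Tuple[ErrdisableRecovery, Dict[str, PortSecurity]]:
    """Extract the global errdisable recovery settings and per-interface port-security lines."""
    recovery = ErrdisableRecovery()
    ports: Dict[str, PortSecurity] = {}
    current: Optional[PortSecurity] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                      # end of an interface block
            current = None
        elif m := re.match(r"interface (\S+)$", line):
            current = PortSecurity(name=m.group(1))
            ports[current.name] = current
        elif m := re.match(r"errdisable recovery cause (\S+)$", line):
            recovery.causes.add(m.group(1))
        elif m := re.match(r"errdisable recovery interval (\d+)$", line):
            recovery.interval = int(m.group(1))
        elif current is None:
            continue                          # other global lines are irrelevant here
        elif line == "switchport port-security":
            current.enabled = True
        elif line == "switchport port-security mac-address sticky":
            current.sticky = True
        elif m := re.match(r"switchport port-security mac-address sticky ([0-9a-f.]+)$", line):
            current.sticky_macs.append(m.group(1))
        elif m := re.match(r"switchport port-security aging time (\d+)$", line):
            current.aging_time = int(m.group(1))
        elif m := re.match(r"switchport port-security aging type (\S+)$", line):
            current.aging_type = m.group(1)
    return recovery, ports


def audit(text: str) -> Dict[str, str]:
    """Tag the global recovery posture and each port so the result is easy to grep or assert on."""
    recovery, ports = parse_config(text)
    result: Dict[str, str] = {}
    if "psecure-violation" in recovery.causes:
        result["global"] = f"auto-recovery:{recovery.interval}s"
    else:
        result["global"] = "no-auto-recovery"   # err-disabled ports stay down until shut/no shut
    for name, p in ports.items():
        if not p.enabled:
            result[name] = "no-port-security"
        elif p.sticky_macs:
            result[name] = "pinned-mac:" + ",".join(p.sticky_macs)   # only that host can use the port
        elif p.sticky and p.aging_time is None:
            result[name] = "sticky-no-aging"    # first MAC seen stays secured until the port is bounced
        elif p.aging_time is not None:
            result[name] = f"aging:{p.aging_time}m:{p.aging_type or 'absolute'}"
        else:
            result[name] = "dynamic-no-aging"
    return result


if __name__ == "__main__":
    for target, tag in audit(SAMPLE_CONFIG).items():
        print(f"{target:24} {tag}")
```

Run it against the output of show running-config saved to a file (replace SAMPLE_CONFIG with the file's contents); ports tagged sticky-no-aging are the ones that, like Gi0/44 in the thread, will keep the first learnt address until someone bounces them.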

Ranraju,

I went with port security on port gig0/12 and took it off gig0/44. So user 1 can plug into his own port on gig0/12, and when he goes to the hot desk area on gig0/44 he can successfully log in without getting locked out. And no one can log in on his port on gig0/12 because his MAC address is attached there.

errdisable recovery cause psecure-violation
errdisable recovery interval 600

This is just a short-term fix so I can roll this config out to around 60 users, leaving 10 ports without port security as a hot desk area.

Next project is to roll out Cisco NAC, which looked really good when I was at a demo.

thanks

Kevin
