Port security problem on Catalyst 4006

Unanswered Question
Jul 11th, 2007

We're trying to set up port security on our Catalyst 4006s without success.

We want to prevent external computers from being connected to our LAN sockets.

We have more than 200 machines, so we would prefer to avoid entering all the MACs by hand and use the learnt option instead. For example, this is the command used to configure port 3/25:

set port security 3/25 enable violation shutdown (by default, age = 0, MACs allowed = 1)

When I patch a workstation into the port, it learns the MAC and shows it as secure, but when I remove the workstation, a "show port security" command shows no secure address. I can then patch a different workstation into the same port, and it learns the new machine's MAC address.

As I understand it, the first machine's MAC address should be learnt, and the port should be shut down when the second machine is patched in. That's the behaviour we're looking for.

I have tried setting the aging time, but the learnt MAC disappears when we unplug the machine. Thanks in advance.

andresguerrero Wed, 07/11/2007 - 22:41

Thanks for your reply. We know that using port security is not the most secure way, but I would like to know why it is not working as expected on our Catalysts.

Jon Marshall Wed, 07/11/2007 - 23:01

Hi

Yes, with the aging set to 0 it should not time out. We use port security on some of our 4006 switches and I believe it works as it should.

Could you possibly do a quick test if you haven't already?

Could you set the aging time to 1 and then see what happens, just to make sure it's not an aging thing? And could you send the config for one of the ports you have configured port security on?

Thanks

Jon

andresguerrero Wed, 07/11/2007 - 23:42

First of all, thanks for your help.

I've made all the tests again and I've attached a txt file with the configuration. That's what I've tried:

1) Set age=1 on one port (3/25)

2) Connect a PC

3) The PC's MAC is learnt.

4) Wait for a minute: the table is cleared

5) Now set age=0 on the same port

6) Check that the PC's MAC is learnt again

7) Wait some time... everything is OK

...

8) I disconnect the PC: the MAC is forgotten

9) Connect another PC: a new MAC is learnt!

Thanks again.

Jon Marshall Thu, 07/12/2007 - 00:07

Hi

I need to test this in our lab when I get time. I reread the Catalyst docs for port security and found the aging description a bit ambiguous.

It says if you set the age to 0 it disables MAC address aging. This could be read in 2 ways:

1) If you set it to 0 the MAC address will never age out

OR

2) If you set it to 0 there will be no MAC address aging, meaning as soon as you disconnect the PC the port clears the MAC address entry.

Based on your description, 2 looks more likely.

I think I have an old 4006 in our lab, so like I say, when I get a chance I'll have a look. Could be a while though :)

Jon

andresguerrero Thu, 07/12/2007 - 00:45

I'm now sure that my problem is not related to the age parameter.

I realised that even if I set the age to a positive value (e.g. 1400), the "secured MACs" table is cleared after I unplug the device from the port: the port never goes to shutdown status.

I'll keep you informed if I solve this issue. Any help will be appreciated.
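The thread's core finding is that a port whose only secure address was dynamically learnt offers no protection once that host is unplugged: the next device is simply learnt as the new secure MAC. An added audit script (not from the thread or its attached config) that parses CatOS-style `set port security` lines and flags ports relying on learnt addresses only; the sample configuration is constructed, and the `enable <mac>` form for a static address is assumed from the CatOS command syntax.

```python
import re

# Constructed sample of CatOS "show config" lines, not the poster's attached file.
SAMPLE_CONFIG = """\
set port security 3/25 enable
set port security 3/25 violation shutdown
set port security 3/25 age 0
set port security 3/26 enable 00-11-22-33-44-55
set port security 3/26 violation shutdown
set port security 3/27 enable
set port security 3/27 maximum 3
set port security 3/27 violation restrict
"""

# "set port security <mod/port> <keyword> [argument]"
LINE_RE = re.compile(
    r"^set port security (?P<port>\d+/\d+) (?P<keyword>\S+)(?: (?P<arg>.*))?$"
)


def parse_port_security(config_text):
    """Return {port: settings} built from 'set port security' lines.

    Defaults mirror the thread: violation shutdown, 1 MAC allowed, age 0.
    'enable' followed by a MAC records a static secure address; a bare
    'enable' leaves the port depending on dynamically learnt addresses.
    """
    ports = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = ports.setdefault(
            m["port"],
            {"enabled": False, "static_macs": [], "violation": "shutdown",
             "maximum": 1, "age": 0},
        )
        kw, arg = m["keyword"], m["arg"]
        if kw == "enable":
            entry["enabled"] = True
            if arg:
                entry["static_macs"].append(arg.lower())
        elif kw == "violation":
            entry["violation"] = arg
        elif kw == "maximum":
            entry["maximum"] = int(arg)
        elif kw == "age":
            entry["age"] = int(arg)
    return ports


def find_dynamic_only_ports(ports):
    """Ports with port security on but no static MAC: the secure address
    lives only while the learnt host stays connected, so a swapped device
    is accepted rather than shut down."""
    return sorted(p for p, e in ports.items() if e["enabled"] and not e["static_macs"])
```

Running `find_dynamic_only_ports(parse_port_security(SAMPLE_CONFIG))` on the sample lists 3/25 and 3/27, the ports that would show the behaviour described in the thread.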
