"Switchport port-security" and PC move

Unanswered Question
Apr 24th, 2008

Hi all,

I have a switch with port security enabled on access interfaces. Everything works fine until I move the authorized PC from the port where the switch learned its MAC address to another port. The problem is that the PC is not allowed; the switch does not age out the PC's MAC on the 1st port. If I lower the aging time, I can rather turn port-security off completely. The issue is not related to the number of allowed addresses on the 2nd port; we do not reach the limit. Is there a solution for this (except 802.1x)? If not, switchport port-security is unusable; there are legitimate requirements for end station moves in every network.

Thank you,

Lubomir

cisco_lad2004 Thu, 04/24/2008 - 03:40

Lubomir

When a switch detects a MAC address it already knows coming in on another port than the one it knows, it would flush the 1st entry and update with the most recent.

So unless you are using "mac-address sticky" you should not have problems.

What does the 'show log' show when you move the PC to another port?

Sam

andrew.butterworth Thu, 04/24/2008 - 03:42

Unless you have enabled 'sticky' MAC addresses with port-security, the behaviour you describe is incorrect. When a PC is disconnected from the switch (i.e. cable disconnected) the switch will immediately age the MAC address out, and moving the PC to another port will not be an issue. If you are using IP Phones and the PCs are plugged into the IP Phones, then you will have an issue; the only workaround for this is to reduce the aging timer.

HTH

Andy

mohammedmahmoud Thu, 04/24/2008 - 04:01

Hi,

I believe that as a workaround, you can clear the port-security on the old port using the "clear port-security" command (whether dynamic or sticky) without the need to remove the port-security configuration.

BR,

Mohammed Mahmoud.

lliska Thu, 04/24/2008 - 04:18

Thanks for your replies; however, changing the aging time is not a solution (this way the port-security would not provide "security"), and clearing address entries is not acceptable as well; it would cause an administrative overhead even in a small-size network (users need to plug their notebooks in at their workspaces, in the meeting rooms, etc.; they migrate).

We have to implement a different security method (or Cisco recodes IOS :-).

Thanks.

Lubomir

cisco_lad2004 Thu, 04/24/2008 - 04:47

As per previous replies, you should not be having this issue in the 1st place.

You could paste in your show log, which might give an indication of the root issue.

Sam

lliska Thu, 04/24/2008 - 05:39

Hi Sam,

Users are plugged into phones, or sometimes even into small hubs in the offices where the wiring was not sufficient, so the port never goes to the not-connected state.

I only wanted to know whether I had missed any port-security configuration option that would enable "per-switch" rather than "per-port" secure MAC address learning.

Lubomir

mlkahn Thu, 05/08/2008 - 09:57

Lubomir,

I work in a place where we do use the per-port port-security and you are correct, it does not allow a PC to move from one port to another without a lot of overhead costs in reconfiguring the port each time. We pay the costs. No, there is no way that I have found that allows the mac-addresses to be secured per-switch. The funny thing is that those port-security entries only shut off the PC moving within the same switch. It can move to a different switch and be fine (as long as the switches are hub&spoke from a Dist, rather than "daisy-chained"). If you had funds for conference areas to have a different switch, this could work for you.

Our workaround has been to implement VMPS throughout our campus. Unfortunately, VMPS on Catalyst 6500s only works with CatOS. It works very well, though. We are checking into 802.1x as our next move.

rsohi Thu, 05/08/2008 - 12:49

Lubomir, we have the same issue. Michele has stated that in the post. What I do when this occurs is a 'shut' / 'no shut' on the port.

andrea_varriale Thu, 08/28/2008 - 16:57

Hello.

I am not a networking expert and I hope that what I am going to say is related enough to this post and hopefully not so wrong... :)

First of all, is it true that when configuring "switchport port-security mac-address xxxx.yyyy.zzzz" on a port, a static entry is created in the MAC address table?

If so, what is supposed to happen when moving the device to another port (in the same VLAN) with no port-security configured?

Will there be both a static and a dynamic entry in the MAC address table? (I guess no)

I hope my questions do not sound too stupid. :)

Unfortunately I do not have the possibility to test on a real device or simulator right now.

Regards

Andrea

mlkahn Thu, 08/28/2008 - 17:46

Andrea,

On the same switch or daisy-chained switch:

If the second port has port-security enabled/configured, then the second port will either err-disable or shutdown, depending upon whether it's IOS or CatOS. The show log will show that the port err-disabled because of a port security violation. If the second port does NOT have port-security, then the machine will just not be able to do any networking, and it will be unclear as to why. If it then moves back to the first port, the machine will work fine. Yes, a static secure mac-address is created in the table by port-security. There is also a difference in IOS versions, and whether or not a mac-address is "secure-configured", or "secure-dynamic".

By daisy-chained, I mean that two switches interconnect without going through a central "distribution" switch.

You can see the port security configured mac-addresses by typing "show port-security address-table", in an IOS switch. You have to be in enable mode.

I hope this helps,

Michele
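As an added example (not posted by anyone in this thread), here is an IOS configuration fragment that brings together the options discussed above: dynamic (non-sticky) learning, inactivity-based aging for a port that stays up because a phone or hub sits in front of the PC, automatic recovery of a port err-disabled by a violation, and the show/clear commands for verifying and releasing a secure address. The interface name, VLAN numbers, and timer values are assumptions.

```cisco
! Access port behind an IP phone: the link never goes down when the PC is
! unplugged, so a dynamically learned secure MAC would otherwise stay bound
! to this port until the switch is reloaded or the entry is cleared.
interface FastEthernet0/10
 description Office desk - IP phone with PC behind it (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! Phone plus one PC.
 switchport port-security maximum 2
 ! Default action; a violation err-disables the port and logs it.
 switchport port-security violation shutdown
 ! Dynamic learning: deliberately NO "switchport port-security mac-address sticky",
 ! because a sticky address is written to the configuration and never ages.
 ! Inactivity aging releases a secure MAC only once it has been silent for
 ! the timer, so a moved PC is freed from this port after 5 minutes of silence.
 ! Caveat from the thread: for those 5 minutes the old binding still blocks
 ! the PC elsewhere, and after them the slot is open to whatever sends next.
 switchport port-security aging type inactivity
 switchport port-security aging time 5
!
! Recover a port err-disabled by a port-security violation after 300 seconds,
! instead of the manual 'shut' / 'no shut' mentioned above.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification and manual release, from privileged EXEC (not config) mode:
!   show port-security interface FastEthernet0/10   - state, counts, last violating MAC
!   show port-security address                      - all secure MACs with port and age
!   show logging | include PSECURE                  - violation syslog messages
!   clear port-security dynamic interface FastEthernet0/10
!                                                   - release learned MACs on one port
```

The `show port-security address` output lists each secure MAC with its type (SecureDynamic or SecureConfigured), the port it is bound to, and the remaining age, which is the quickest way to confirm whether a moved PC is still held by its old port.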
