02-11-2009 12:33 AM - edited 03-06-2019 03:58 AM
I have begun implementing port security on all of my switches.
interface FastEthernet0/1
description Access Port
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 200
switchport port-security
switchport port-security maximum 3
switchport port-security violation shutdown
switchport port-security aging time 5
switchport port-security aging type inactivity
no mdix auto
spanning-tree portfast
!
One of the issues I have run into is that the MAC addresses are learned as static addresses on the port. If the user should happen to change ports, a security violation occurs since the MAC address is still learned on the previous port. What is the default behavior when aging is disabled? Will the previous port drop the static MAC address, thus allowing the user to change ports and cause a security violation?
02-11-2009 02:35 AM
Hello Gary,
with
switchport port-security aging time 5
switchport port-security aging type inactivity
you need to wait 5 minutes before plugging the device into another switch port.
Notice that with maximum 3, a simple swap of two cables is allowed.
If you disable aging, the MAC address is associated with the port with an unlimited lifetime.
Be aware that static MAC addresses are kept in a separate table that is quite a bit smaller than the normal CAM table.
Hope to help
Giuseppe
02-15-2009 10:57 PM
Thanks, I removed the aging time and instead increased the errdisable recovery interval to 600 sec (5 minutes). This should allow people to change the port they are connected to but prevent people from connecting other networking devices (dumb switches). My intent has been for the port to enter an errdisable state should more than 3 mac addresses be learned on the port and for the port to remain disabled for 5 minutes before recovering.
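An added example, not from anyone in this thread: a small Python audit that parses IOS interface stanzas like the one above, fills in the IOS defaults (maximum 1 secure MAC, violation shutdown, aging disabled) and flags ports where a violation would leave the port errdisabled with no `errdisable recovery cause psecure-violation` configured, or where aging is off so a learned MAC stays bound to the port. The sample config is constructed here for the demonstration.

```python
import re

# Constructed sample: the thread's port with aging removed and errdisable recovery added, next to a port that keeps 5-minute inactivity aging.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"interface\s+(\S+)", raw, re.IGNORECASE)
        if header:
            current = header.group(1)
            stanzas[current] = []
        elif current and raw.startswith(" "):  # IOS indents stanza sub-commands
            stanzas[current].append(raw.strip())
    return stanzas

def audit_port_security(config):
    """Effective port-security settings per port, with IOS defaults filled in."""
    recovery = re.search(r"^errdisable recovery cause psecure-violation", config, re.M)
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue  # feature not enabled on this port
        ps = [l for l in lines if l.startswith("switchport port-security ")]
        last = lambda key, default: next((l.split()[-1] for l in ps if key in l), default)
        entry = {"maximum": int(last(" maximum ", 1)),          # IOS default: 1 secure MAC
                 "violation": last(" violation ", "shutdown"),   # IOS default: shutdown
                 "aging_time": int(last(" aging time ", 0)),     # 0 = aging disabled
                 "notes": []}
        if entry["aging_time"] == 0:
            entry["notes"].append("aging disabled: secure MACs stay bound until cleared")
        if entry["violation"] == "shutdown" and not recovery:
            entry["notes"].append("violation shutdown without errdisable recovery: manual recovery needed")
        report[name] = entry
    return report
```

Run it over a saved `show running-config` to see which access ports rely on errdisable recovery versus inactivity aging to let a moved device come back online.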