PC can't work on another port when port security is enabled

Unanswered Question
Nov 14th, 2009

Dears,


For infrastructure security purposes, I configured the port security feature on the port and DHCP snooping on the switch. After that I found the problem that when the PC is plugged into the port first, it can obtain the IP address through DHCP, but if the PC is moved to another port in the same VLAN on the same switch, it can't obtain the IP address any more, while other PCs plugged into the same port work correctly.


What would be the reason that prevents the PC from obtaining the IP address? The port security feature or DHCP snooping?


Thanks,

Kirin



mmacdonald70 Sat, 11/14/2009 - 08:31

Port security. When the switch learns an address on one port, it is considered a violation to see it on another port. Clear the MAC address from the first port.

qilin zhang Sat, 11/14/2009 - 19:39

Hi Mmacdonald,


Does that mean the Port Security feature is not suitable for a LAN which has a lot of laptops that need to change their location frequently?


Thanks

Kirin

Muhammad Anser Khan Sun, 11/15/2009 - 04:53

No. You can set the aging time for releasing the MAC address from the port.


For example:

The following commands will do it. When there is no traffic for 1 minute on the interface, it will release the MAC address from this port:


Switch(config-if)#switchport port-security aging time 1


Switch(config-if)#switchport port-security aging type inactivity


HTH

Regards,

Anser

tharsan86 Sat, 11/14/2009 - 10:23

Hi Kirin


Cisco Port-Security can help to:


• restrict the MAC address or addresses that can connect through a switchport [default: first connected device MAC address]

• restrict the number of MAC addresses that can connect through a switchport [default is 1 and maximum is 128]

• set aging in minutes of the MAC addresses registered

• set the action to take when there is a violation detected (default is to disable the port and send an SNMP trap message to the SNMP management server (if any))


To display the security MAC address table:


Switch# show port-security address - lists all the learned MAC addresses by interface


Switch# show port-security interface fa0/1 - shows the detailed port security settings for an interface, including enable/disable status


To clear the violation on the port:


Issue the following command:


Switch# clear port-security sticky interface fa0/0 (choose the down interface)


and then issue the commands "shut" and "no shut" on the interface that has been put in the down/down state due to the port-security violation.



***pls rate if it helps***


Thanks

Tharsan
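
The check described across the replies above (find the port that still holds a moved PC's MAC address, then clear it) can be scripted. This is an added example, not part of any post in the thread; the sample `show port-security address` table and the violation syslog line are constructed, and their layout is assumed to match typical Catalyst IOS output.

```python
import re

# Constructed sample of `show port-security address` output (layout assumed
# to follow the usual Catalyst IOS table; all values are made up).
SHOW_OUTPUT = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
  10    0011.2233.4455    SecureSticky        Fa0/1        -
  10    00aa.bbcc.ddee    SecureDynamic       Fa0/2        1 (I)
-------------------------------------------------------------------
"""
# Constructed violation syslog line (PSECURE_VIOLATION format assumed).
SYSLOG = ("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
          "caused by MAC address 0011.2233.4455 on port FastEthernet0/7.")

MAC = r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
ROW = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(Secure\w+)\s+(\S+)", re.I)
VIOLATION = re.compile(r"PSECURE_VIOLATION.*MAC address " + MAC
                       + r" on port (\S+?)\.?$", re.I)

def parse_secure_table(text):
    """Return {mac: (vlan, type, port)} for every secure-address row."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table[mac.lower()] = (int(vlan), kind, port)
    return table

def explain_violation(syslog_line, table):
    """Name the port still holding the MAC and the command that frees it."""
    m = VIOLATION.search(syslog_line)
    if not m:
        return None
    mac, new_port = m.group(1).lower(), m.group(2)
    if mac not in table:
        return {"mac": mac, "seen_on": new_port, "held_by": None, "fix": None}
    _, kind, old_port = table[mac]
    # Pick the clear variant that matches how the entry was learned.
    variant = "sticky" if kind.lower() == "securesticky" else "dynamic"
    return {"mac": mac, "seen_on": new_port, "held_by": old_port,
            "fix": f"clear port-security {variant} interface {old_port}"}

if __name__ == "__main__":
    print(explain_violation(SYSLOG, parse_secure_table(SHOW_OUTPUT)))
```
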
