switchport port-security question

Unanswered Question
May 14th, 2010

Hello, I'm trying to configure port-security on my switchports; our security policy is to prevent a user from overflowing the CAM table, but we don't care if that user roams to different ports on the same switch.  Current port config:



switchport port-security maximum 20
switchport port-security
switchport port-security aging time 10
switchport port-security violation restrict
switchport port-security aging type inactivity


The problem with that config is that if a user roams to a different port on the same switch, the port goes to err-disable state for 10 minutes.  Is there a way to prevent that from happening, while still only allowing a max of 20 mac addresses on each port?


thanks in advance,

Mike

ippolito Fri, 05/14/2010 - 13:26


Thanks for the reply, but that's not quite what I was after.  The problem we have is that with those port-security settings, occasionally a user will plug into one jack, then move to a different jack and plug in, only to have his port err-disabled because he moved across the room to a different jack.


When this happens, the log file shows a number of these messages:


May 13 18:57:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxx.xxxx.xxxx on port FastEthernet2/0/16.


...and the port becomes err-disabled for 10 minutes.  My problem is two-fold:


1) I can't reliably reproduce it.  I've tried plugging a machine into one port and then another in rapid succession, but have been unable to make the port err-disable itself.


2) I don't even want this behavior.  I want the mac address to be removed as soon as the link goes down, so that the user can simply plug into a different port without the port being err-disabled.  The documentation is unclear as to how to get this result.  If I issue a "no switchport port-security aging time" command, will that have the desired effect?


Thanks,

Mike
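
One way to triage the violation messages quoted above, as an added example that is not part of the original post or of any Cisco tooling: it parses `%PORT_SECURITY-2-PSECURE_VIOLATION` lines and groups them by port, separating a port where one MAC keeps tripping the check (consistent with a moved host) from a port where many distinct MACs do (consistent with the CAM-table overflow the policy targets). The sample log, its MAC addresses, the second port and the `many_macs` cut-off are constructed assumptions.

```python
import re
from collections import defaultdict

# Message layout taken from the log line quoted in the post.
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$",
    re.IGNORECASE,
)

def parse_violations(text):
    """Return (mac, port) for every violation line; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = VIOLATION.search(line.strip())
        if m:
            hits.append((m["mac"].lower(), m["port"]))
    return hits

def triage(text, many_macs=5):
    """Classify each port by how many distinct MACs triggered violations.

    many_macs is an assumed cut-off, not a Cisco value: tune it per site.
    """
    macs_by_port = defaultdict(set)
    for mac, port in parse_violations(text):
        macs_by_port[port].add(mac)
    return {
        port: "many-sources" if len(macs) >= many_macs else "single-host"
        for port, macs in macs_by_port.items()
    }

# Constructed sample log: MACs and the second port are invented for the demo.
_TEMPLATE = ("May 13 18:57:{sec:02d}: %PORT_SECURITY-2-PSECURE_VIOLATION: "
             "Security violation occurred, caused by MAC address {mac} "
             "on port {port}.")
SAMPLE_LOG = "\n".join(
    [_TEMPLATE.format(sec=s, mac="0011.2233.4455", port="FastEthernet2/0/16")
     for s in range(3)]
    + [_TEMPLATE.format(sec=10 + i, mac=f"02aa.bbcc.{i:04x}",
                        port="FastEthernet2/0/20") for i in range(6)]
    + ["May 13 18:58:00: %LINK-3-UPDOWN: Interface FastEthernet2/0/16, "
       "changed state to down"]
)

if __name__ == "__main__":
    for port, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(port, verdict)
```
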
