switchport port-security question

ippolito
Level 1

Hello, I'm trying to configure port-security on my switchports; our security policy is to prevent a user from overflowing the CAM table, but we don't care if that user roams to different ports on the same switch. Current port config:

switchport port-security maximum 20
switchport port-security
switchport port-security aging time 10
switchport port-security violation restrict
switchport port-security aging type inactivity

The problem with that config is that if a user roams to a different port on the same switch, the port goes to err-disable state for 10 minutes.  Is there a way to prevent that from happening, while still only allowing a max of 20 mac addresses on each port?

thanks in advance,

Mike

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Mike,

You should use a lower timer, something like:

switchport port-security aging time 2

You already have aging type inactivity.

See:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/swtrafc.html#wp1038546

Hope to help

Giuseppe

Thanks for the reply, but that's not quite what I was after. The problem we have is that with those port-security settings, occasionally a user will plug into one jack, then move to a different jack and plug in, only to have his port err-disabled because he moved across the room to a different jack.

When this happens, the log file shows a number of these messages:

May 13 18:57:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxx.xxxx.xxxx on port FastEthernet2/0/16.

...and the port becomes err-disabled for 10 minutes.  My problem is two-fold:

1) I can't reliably reproduce it.  I've tried plugging a machine into one port and then another in rapid succession, but have been unable to make the port err-disable itself.

2) I don't even want this behavior. I want the MAC address to be removed as soon as the link goes down, so that the user can simply plug into a different port without the port being err-disabled. The documentation is unclear as to how to get this result. If I issue a "no switchport port-security aging time" command, will that have the desired effect?

Thanks,

Mike
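The two things worth checking in this situation are the port's effective port-security settings and what the %PORT_SECURITY-2-PSECURE_VIOLATION log lines actually show: the same MAC moving between ports (a roaming host, which the stated policy allows) looks very different from many distinct MACs hitting one port (the CAM-table flood the policy is meant to stop). The following Python script is an added example, not code from the thread or from Cisco; it parses an interface stanza in the format posted above, reports the violation mode (in IOS only "violation shutdown" err-disables a port; "restrict" and "protect" drop the offending frames, with restrict also logging), and classifies violation log lines per port. The interface names, MAC addresses and log lines are constructed sample data, and the flood threshold of 20 mirrors the "maximum 20" in the posted config.

```python
"""Triage Cisco IOS port-security settings and PSECURE_VIOLATION syslog lines.

Added example for this thread; not Cisco's code. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Matches the syslog format quoted in the thread, e.g.
# "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
#  caused by MAC address 0011.2233.4455 on port FastEthernet2/0/16."
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+)"
)


def port_security_settings(interface_config):
    """Parse the 'switchport port-security ...' lines of one interface stanza.

    Starting values are the IOS defaults: disabled, maximum 1, violation shutdown,
    aging time 0 (aging off), aging type absolute.
    """
    settings = {"enabled": False, "maximum": 1, "violation": "shutdown",
                "aging_time": 0, "aging_type": "absolute"}
    for raw in interface_config.splitlines():
        line = raw.strip()
        if line == "switchport port-security":
            settings["enabled"] = True
        elif line.startswith("switchport port-security maximum "):
            settings["maximum"] = int(line.split()[-1])
        elif line.startswith("switchport port-security violation "):
            settings["violation"] = line.split()[-1]
        elif line.startswith("switchport port-security aging time "):
            settings["aging_time"] = int(line.split()[-1])
        elif line.startswith("switchport port-security aging type "):
            settings["aging_type"] = line.split()[-1]
    return settings


def errdisables_on_violation(settings):
    """Only the shutdown violation mode puts the port into err-disabled state."""
    return settings["enabled"] and settings["violation"] == "shutdown"


def parse_violations(log_lines):
    """Return (mac, port) tuples, one per violation message; other lines are ignored."""
    events = []
    for line in log_lines:
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("mac").lower(), m.group("port").rstrip(".")))
    return events


def classify(events, flood_threshold=20):
    """Label each port seen in the log.

    'possible CAM-table flood': at least flood_threshold distinct MACs on one port.
    'roaming host': a violating MAC on this port was also seen on another port.
    'single violating MAC': anything else.
    """
    macs_per_port = defaultdict(set)
    ports_per_mac = defaultdict(set)
    for mac, port in events:
        macs_per_port[port].add(mac)
        ports_per_mac[mac].add(port)
    verdict = {}
    for port, macs in macs_per_port.items():
        if len(macs) >= flood_threshold:
            verdict[port] = "possible CAM-table flood"
        elif any(len(ports_per_mac[m]) > 1 for m in macs):
            verdict[port] = "roaming host"
        else:
            verdict[port] = "single violating MAC"
    return verdict


# Constructed sample: the config posted in the thread, as one interface stanza.
SAMPLE_CONFIG = """\
interface FastEthernet2/0/16
 switchport mode access
 switchport port-security maximum 20
 switchport port-security
 switchport port-security aging time 10
 switchport port-security violation restrict
 switchport port-security aging type inactivity
"""

# Constructed sample log: one host moving between two ports, then 25 distinct
# MACs on a third port, which is what a CAM-table flood looks like.
SAMPLE_LOG = [
    "May 13 18:57:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0011.2233.4455 on port FastEthernet2/0/16.",
    "May 13 18:59:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0011.2233.4455 on port FastEthernet2/0/21.",
] + [
    f"May 13 19:02:{i:02d}: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    f"caused by MAC address 0000.0000.{i:04x} on port FastEthernet2/0/3."
    for i in range(25)
]

if __name__ == "__main__":
    cfg = port_security_settings(SAMPLE_CONFIG)
    print("settings:", cfg, "err-disables:", errdisables_on_violation(cfg))
    for port, label in sorted(classify(parse_violations(SAMPLE_LOG)).items()):
        print(f"{port}: {label}")
```

Run against a real "show running-config interface" stanza and the switch's syslog output, a "roaming host" verdict on a port means the violation was the policy-allowed move, while "possible CAM-table flood" is the case the maximum of 20 is there to catch.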

Hi Mike,

You might find this link useful.

http://packetlife.net/blog/2010/may/3/port-security/

Happy Networking !!!

Rgds,

Narendrakumar B
