05-14-2010 06:53 AM - edited 03-06-2019 11:06 AM
Hello, I'm trying to configure port-security on my switchports; our security policy is to prevent a user from overflowing the CAM table, but we don't care if that user roams to different ports on the same switch. Current port config:
switchport port-security maximum 20
switchport port-security
switchport port-security aging time 10
switchport port-security violation restrict
switchport port-security aging type inactivity
The problem with that config is that if a user roams to a different port on the same switch, the port goes to err-disable state for 10 minutes. Is there a way to prevent that from happening, while still only allowing a max of 20 mac addresses on each port?
thanks in advance,
Mike
05-14-2010 07:19 AM
Hello Mike,
you should use a lower timer
something like:
switchport port-security aging time 2
you already have aging type inactivity
see
Hope to help
Giuseppe
05-14-2010 01:26 PM
Thanks for the reply, but that's not quite what I was after. The problem we have is that with those port-security settings, occasionally a user will plug into one jack, then move to a different jack and plug in, only to have his port err-disabled because he moved across the room to a different jack.
When this happens, the log file shows a number of these messages:
May 13 18:57:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxx.xxxx.xxxx on port FastEthernet2/0/16.
...and the port becomes err-disabled for 10 minutes. My problem is two-fold:
1) I can't reliably reproduce it. I've tried plugging a machine into one port and then another in rapid succession, but have been unable to make the port err-disable itself.
2) I don't even want this behavior. I want the mac address to be removed as soon as the link goes down, so that the user can simply plug into a different port without the port being err-disabled. The documentation is unclear as to how to get this result. If I issue a "no switchport port-security aging time" command, will that have the desired effect?
Thanks,
Mike
05-14-2010 06:53 PM
Hi Mike,
You might find this link useful.
http://packetlife.net/blog/2010/may/3/port-security/
Happy Networking !!!
Rgds,
Narendrakumar B
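The thread's security goal is to catch CAM-table overflow while tolerating a user who moves between jacks, and the only evidence the switch gives is the %PORT_SECURITY-2-PSECURE_VIOLATION syslog line quoted above. The script below is an added example (not from any poster in this thread and not a Cisco tool) that parses lines in that format and separates the two cases: one MAC appearing on several ports is a roaming user, while many distinct MACs tripping violations on one port inside a short window looks like a flood. The sample log lines, MAC addresses, port names, the 2010 year used to complete the timestamps, and the 20-MAC/60-second thresholds are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the syslog format quoted in the thread. The trailing "." after the
# port name is part of the message as logged.
VIOLATION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+)\.$"
)


def parse_violations(log_text, year=2010):
    """Return a list of {ts, mac, port} dicts for every violation line.

    IOS syslog timestamps carry no year, so one is assumed (default 2010, the
    year of the thread); lines that do not match the format are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "mac": m["mac"].lower(), "port": m["port"]})
    return events


def classify(events, window_seconds=60, flood_threshold=20):
    """Split violations into roaming MACs and suspected flood ports.

    roaming_macs: MACs that raised violations on more than one port (the
        "moved across the room" case from the thread).
    flood_ports:  ports on which at least flood_threshold distinct MACs raised
        violations within window_seconds (the CAM-overflow case the policy is
        meant to stop). Both thresholds are assumed values, tune to the site.
    """
    ports_by_mac = defaultdict(set)
    for e in events:
        ports_by_mac[e["mac"]].add(e["port"])
    roaming = sorted(mac for mac, ports in ports_by_mac.items() if len(ports) > 1)

    by_port = defaultdict(list)
    for e in events:
        by_port[e["port"]].append(e)

    flood_ports = set()
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over time-ordered events, counting distinct MACs.
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {e["mac"] for e in evs[start:end + 1]}
            if len(distinct) >= flood_threshold:
                flood_ports.add(port)
                break
    return {"roaming_macs": roaming, "flood_ports": sorted(flood_ports)}


def _constructed_sample_log():
    """Constructed sample: one roaming user plus a 25-MAC burst on one port."""
    msg = "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address"
    lines = [
        f"May 13 18:57:00: {msg} 0011.2233.4455 on port FastEthernet2/0/16.",
        f"May 13 18:57:01: {msg} 0011.2233.4455 on port FastEthernet2/0/16.",
        f"May 13 18:57:05: {msg} 0011.2233.4455 on port FastEthernet2/0/22.",
    ]
    # 25 distinct made-up MACs hitting one port within 25 seconds.
    for i in range(25):
        lines.append(f"May 13 19:10:{i:02d}: {msg} aaaa.0000.{i:04x} on port FastEthernet2/0/30.")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    result = classify(parse_violations(SAMPLE_LOG))
    print("roaming MACs :", result["roaming_macs"])
    print("flood ports  :", result["flood_ports"])
```

Feeding a real syslog export through parse_violations and classify lets an operator see at a glance whether an err-disabled port was a single MAC re-appearing elsewhere (a candidate for a shorter inactivity timer, as suggested above) or a burst of unique MACs that port-security was right to block.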