port-security aging time 1

samirfarooq
Level 1

Dear All,

I am stuck in a problem. Hope you can share your experience and shed some light on it.

[MY SETUP]

I have two access points connected to a switch via trunk ports, as these APs are broadcasting multiple SSIDs with their respective VLANs.

I have implemented port security as follows on both the trunk ports.

interface FastEthernet0/1
 description Trunk Link to Access Point 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 switchport port-security maximum 20
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection trust
end

interface FastEthernet0/2
 description Trunk Link to Access Point 2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
 switchport port-security maximum 20
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection trust
end

[PROBLEM]

When a LAN user associates with an AP, let's say AP-1, it gets connected and his MAC is added to the port security table.

kw-hq-sw-2#sh port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
10      0022.55d4.7ee7    SecureDynamic            Fa0/1        1 (I)

Now if the user takes his laptop to a location where the other AP-2 is located and tries to connect to it, a port security violation is generated because his MAC is already associated with Fa0/1 for 1 minute.

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0022.55d4.7ee7 on port FastEthernet0/2.

%PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/2 due to MAC address 0022.55d4.7ee7 on VLAN 10

He is only able to connect to AP-2 on int Fa0/2 once the port-security aging time of 1 minute expires on Fa0/1.

Thanks in advance.  

4 Replies

samirfarooq
Level 1

Guys,

Is it a good idea to put each AP on a separate switch to avoid this problem? Isn't there any possibility to manage all the APs on one switch?

Hello Samir

The issue here is the mobility a user can have over the network, so even if you put the second AP on another switch with port security enabled, it will detect a violation regarding the same MAC address on two different ports.

Check this statement about port security:

"If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, applies the configured violation mode.

Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation."

The issue is that the MAC is kept in the table for that port, so until aging expires you cannot get this host able to send traffic again, as you realized.

So I can imagine the reason that you added port security, but think about the pros and cons of having this: a mobile user won't be able to receive or send traffic until the timer expires. There's always a trade-off.

Even though you put the 2nd AP into a different switch, the problem won't go away as long as those switches are interconnected. As long as you know these two ports are configured for APs & are physically secure (no one removes the AP & connects some other device), simply get rid of port security.

HTH

Rasika

devils_advocate
Level 7

I am guessing your access points are Autonomous?

If so, you may need to remove port security; otherwise clients who roam may be blocked from the network, as their MAC address will appear on two different L2 ports. The aging timer will expire if the device goes off the network for 60 seconds, but it won't if the client is roaming.

If you use a controller, you would not have this issue because the switchport would only see the AP's MAC address.
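To make the quoted MAC-move rule concrete, here is an added Python model of the thread's port-security settings (not Cisco code and not from the original thread; the single table keyed by (MAC, VLAN) and the 'restrict' bookkeeping are my assumptions). It replays the post's sequence: the client is learned on Fa0/1, the roam to Fa0/2 inside the 1-minute inactivity window is dropped as a MAC move violation, and only after the Fa0/1 entry ages out is the MAC learned on Fa0/2.

```python
from dataclasses import dataclass, field


@dataclass
class SecureEntry:
    port: str
    last_seen: float  # seconds; refreshed only by frames on the secure port


@dataclass
class PortSecurity:
    """Toy model of 'switchport port-security' with 'aging type inactivity'
    and 'violation restrict'. Assumption: one table shared by all ports,
    keyed by (MAC, VLAN), mirroring the 'same VLAN' wording in the quote."""
    maximum: int = 20             # switchport port-security maximum 20
    aging_secs: float = 60.0      # switchport port-security aging time 1 (minute)
    table: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)

    def _age_out(self, now):
        # Inactivity aging: an entry idle for the full aging time is removed.
        for key, e in list(self.table.items()):
            if now - e.last_seen >= self.aging_secs:
                del self.table[key]

    def frame(self, mac, vlan, port, now):
        """Process one ingress frame; returns 'learned', 'forwarded' or 'restricted'."""
        self._age_out(now)
        key = (mac, vlan)
        e = self.table.get(key)
        if e is not None and e.port == port:
            e.last_seen = now          # activity resets the inactivity timer
            return "forwarded"
        if e is not None:
            # MAC move violation: secure MAC seen on another port in the same VLAN.
            # 'restrict' drops the frame and logs it; the port stays up.
            self.violations.append((port, mac, vlan, "mac-move"))
            return "restricted"
        on_port = sum(1 for x in self.table.values() if x.port == port)
        if on_port >= self.maximum:
            self.violations.append((port, mac, vlan, "max-exceeded"))
            return "restricted"
        self.table[key] = SecureEntry(port, now)
        return "learned"


def roaming_scenario():
    """The sequence from the post: learn on Fa0/1, roam to Fa0/2 within the
    1-minute aging window, then retry after the Fa0/1 entry has aged out."""
    ps = PortSecurity(maximum=20, aging_secs=60)
    mac = "0022.55d4.7ee7"                        # MAC from the post's log lines
    return (ps.frame(mac, 10, "Fa0/1", now=0),    # learned on the AP-1 trunk
            ps.frame(mac, 10, "Fa0/2", now=30),   # restricted: MAC move violation
            ps.frame(mac, 10, "Fa0/2", now=60))   # learned once Fa0/1 entry aged out
```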
