Cisco Support Community
Community Member

C3560 port-security MAC table / SNMP traps

Hi, I'm implementing a 3rd party NAC solution and integrating with some C3560 switches.

Switches currently have port-security configured, with max 2, sticky MACs set per port.

3rd party NAC uses SNMP MAC notification traps to detect when a new device has been connected. At the moment, this needs to run alongside existing port-security. I've not noticed this before, but when a port with port-security comes up, all defined secure MACs are put in the MAC address table for that port (even if they are not all connected).

Is this correct? Only this is causing issues with 3rd party product as it is detecting additional devices as being live when they are not.

Port-security will eventually be disabled, but is required whilst NAC solution is being evaluated/configured.

Lastly, I have found switches running c3560-ipbasek9-mz.122-25.SEB4.bin and the SNMP trap is inconsistent when port-security is enabled (i.e. the trap is not sent) - although it does appear to work correctly (so far) in c3560-ipbasek9-mz.122-55.SE9.bin, presumably the MAC notification traps and port-security are supported together?


