I have tried to set up port security and it has worked to a point.
I have the port security locking out other MAC addresses which aren't on my list, however the port aging doesn't seem to be working.
My list for the port is:
port security max-mac-count 1
port security action shutdown
port security aging time 60
switchport access vlan x
mac-address-table secure 0000.0000.0000 fastethernet0/21 vlan x
All works except the aging isn't shutting the port down after 60 mins of inactivity...
I want to get it to a point where if the port is unplugged for x amount of time, the port shuts down and requires intervention.
Taken from here: https://supportforums.cisco.com/docs/DOC-4868
You can issue the port security aging or switchport port-security aging time
command to set the aging time for all dynamic and static secure addresses on a port. When port security aging is enabled on a port, the secure addresses on the port are deleted only if they are inactive for the specified aging time.
So it will not do what you want to achieve.
But surely the described statement is exactly what I'm doing?? Isn't it?
Port ageing is added
Mac address secure is added
Computer is removed for 60 minutes - no change....
Sent from Cisco Technical Support iPhone App
I don't see that the port will be errdisabled when the secure MAC address is deleted from CAM table, why would it anyway?
The port will get errdisabled if there is a MAC address different from the secure one that appears as src on the port.
This aging time feature is useful to prevent MAC-MOVE notifications but not for disabling the port as far as I know.
Thanks for the reply. What's interesting is the mac isn't deleted from the mac-address-table, so it's still able to reconnect afterwards.
Unless I'm misunderstanding. If the mac is deleted from the table after the aging timeout then surely it won't be able to reconnect to the port until the mac address is re-added?
It looks like on the newer OS you can tell the aging timeout to make the port inactivity as part of aging activity.
However I'm using a slightly older version and thought the mac address removal should have worked..??
I want to get it to a point where if the port is unplugged for x amount of time, the port does a shutdown and requires intervention to reactivate it.
I.e. I have a load of exhibits on our floor. However, sometimes exhibits get taken offsite for a few days and then brought back and plugged in. I want as a safety precaution for that port not to allow that machine back on until an IT member has checked it.
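An added configuration example, not from this thread or from the Cisco page quoted above, showing the same port-security settings in the newer IOS `switchport port-security` syntax with inactivity-based aging, which is the option the "newer OS" post above appears to describe. The interface, VLAN and MAC address are placeholders; the commands themselves are standard IOS port-security commands. Consistent with the replies above, aging only removes the secure address from the table; the violation action is triggered by a different source MAC appearing on the port, not by the address aging out, so this on its own does not err-disable a port that has simply been unplugged for a while.

```cisco
! Placeholder interface/VLAN/MAC, substitute your own values.
interface FastEthernet0/21
 switchport mode access
 switchport access vlan 10
 ! Enable port security with one allowed address and shutdown on violation
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Statically configured secure address (placeholder value)
 switchport port-security mac-address 0000.0000.0000
 ! Age the secure address after 60 minutes of inactivity rather than
 ! 60 minutes of wall-clock time (the default type is absolute)
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 ! By default only dynamically learned secure addresses age; this makes
 ! the static entry above subject to the same timer
 switchport port-security aging static
!
! Leave automatic recovery for port-security violations disabled so that a
! port shut down by a violation stays down until someone clears it manually
! (i.e. do not configure "errdisable recovery cause psecure-violation").
!
! Verification:
!   show port-security interface FastEthernet0/21   (aging time/type, static aging, violation count)
!   show port-security address                      (secure addresses with remaining age)
```

`show port-security interface` is the quickest way to confirm whether the aging type on the port is absolute or inactivity and whether static aging is actually enabled; `show port-security address` shows the remaining age per secure address, which tells you whether the timer is counting down at all.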