Cisco Support Community
New Member

Port security problem on Catalyst 4006

We're trying to set up port security on our Catalyst 4006 switches without success.

We want to avoid external computers being connected to our LAN sockets.

We have more than 200 machines, so we would prefer to avoid entering all the MACs by using the learnt option. For example, this is the command used to configure port 3/25:

set port security 3/25 enable violation shutdown (by default, age = 0, macs allowed = 1)

When I patch a workstation into the port, it learns the MAC and shows it as secure, but when I remove the workstation, a "show port security" command shows no secure address. I can then patch a different workstation into the same port, and it learns the new machine's MAC address.

As I understand it, the first machine's MAC address should be learnt, and the port should be shut down when the second machine is patched in. That's the behaviour we're looking for.

I have tried setting the aging time, but the learnt MAC disappears when we unplug the machine. Thanks in advance.

6 REPLIES
Hall of Fame Super Bronze

Re: Port security problem on Catalyst 4006

Andres,

I believe the only way to address your problem is by implementing dot1x in your environment.

Port-Security won't be enough to prevent external users from connecting to your network.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.3and8.4glx/configuration/guide/8021x.html

New Member

Re: Port security problem on Catalyst 4006

Thanks for your reply. We know that using port security is not the most secure way, but I would like to know why it is not working as expected on our Catalysts.

Hall of Fame Super Blue

Re: Port security problem on Catalyst 4006

Hi

Yes, with the aging set to 0 it should not time out. We use port-security on some of our 4006 switches and I believe it works as it should.

Could you possibly do a quick test if you haven't already?

Could you set the aging time to 1 and then see what happens, just to make sure it's not an aging thing? And could you send the config for one of the ports you have configured port security on?

Thanks

Jon

New Member

Re: Port security problem on Catalyst 4006

First of all, thanks for your help.

I've made all the tests again and I've attached a txt file with the configuration. This is what I've tried:

1) Set age=1 on one port (3/25)

2) Connect a PC

3) The PC's MAC is learnt.

4) Wait for a minute: The table is cleared

5) Now set age=0 on the same port

6) Check that the PC's MAC is learnt again

7) Wait some time... everything is ok

...

8) I disconnect the PC: the MAC is forgotten

9) Connect another PC: a new MAC is learnt!

Thanks again.

Hall of Fame Super Blue

Re: Port security problem on Catalyst 4006

Hi

I need to test this in our lab when I get time. I reread the Catalyst docs for port security and found the aging description a bit ambiguous.

It says if you set the age to 0 it disables MAC-address aging. This could be read in 2 ways:

1) If you set it to 0 the MAC address will never age out

OR

2) If you set it to 0 there will be no MAC-address aging, meaning as soon as you disconnect the PC the port clears the MAC-address entry.

Based on your description, 2 looks more likely.

I think I have an old 4006 in our lab so, like I say, when I get a chance I'll have a look. Could be a while tho :)

Jon

New Member

Re: Port security problem on Catalyst 4006

I'm now sure that my problem is not related to the age parameter.

I realised that even if I set the age to a positive value (e.g. 1400), the "secured MACs" table is cleared after I unplug the device from the port: the port never goes to shutdown status.

I'll keep you informed if I solve this issue. Any help will be appreciated.
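A small model of the behaviour discussed in this thread, added here as an illustration (it is not Cisco code or switch output; the assumption that learned secure addresses are flushed on link down, while addresses configured statically on the port persist, is labelled in the code and matches what the original post reports). It walks through the original post's configuration with one learned MAC and a swapped host, the same steps with the first host's MAC configured on the port instead of learned, and the age=1 test from Jon's reply. The MAC addresses are constructed sample values.

```python
"""Model of switch port-security behaviour (added illustration, not Cisco code).

Assumption, labelled here: dynamically learned secure addresses are flushed
when the link goes down, while addresses configured statically on the port
persist and remain enforced. This is the behaviour the thread reports for
learned addresses; the exact CatOS semantics are not confirmed on the page.
"""
from dataclasses import dataclass, field

# Constructed sample MAC addresses (not real hosts).
PC_A = "00-00-0c-aa-aa-01"
PC_B = "00-00-0c-bb-bb-02"


@dataclass
class SecurePort:
    """One port with 'set port security <mod/port> enable' semantics."""
    name: str
    max_addr: int = 1                 # MACs allowed (default 1, as in the thread)
    age_minutes: int = 0              # 0 = no aging of learned entries
    violation: str = "shutdown"       # violation action
    static: set = field(default_factory=set)     # configured secure MACs
    dynamic: dict = field(default_factory=dict)  # learned MAC -> age left (None = never)
    shutdown: bool = False
    events: list = field(default_factory=list)

    def secure_addrs(self) -> set:
        return set(self.static) | set(self.dynamic)

    def frame_from(self, mac: str) -> bool:
        """Process a frame with source MAC `mac`; return True if it is forwarded."""
        if self.shutdown:
            self.events.append(f"{self.name}: dropped {mac}, port is shut down")
            return False
        if mac in self.secure_addrs():
            return True
        if len(self.secure_addrs()) < self.max_addr:
            self.dynamic[mac] = None if self.age_minutes == 0 else self.age_minutes
            self.events.append(f"{self.name}: learned {mac}")
            return True
        # Table is full and the source is not a secure address: violation.
        if self.violation == "shutdown":
            self.shutdown = True
        self.events.append(f"{self.name}: violation by {mac} -> {self.violation}")
        return False

    def link_down(self) -> list:
        """Host unplugged: learned entries are flushed (assumed), static ones stay."""
        flushed = sorted(self.dynamic)
        self.dynamic.clear()
        self.events.append(f"{self.name}: link down, flushed {flushed}")
        return flushed

    def tick(self, minutes: int = 1) -> None:
        """Advance the aging clock for learned entries."""
        for mac, left in list(self.dynamic.items()):
            if left is None:
                continue
            if left - minutes <= 0:
                del self.dynamic[mac]
                self.events.append(f"{self.name}: aged out {mac}")
            else:
                self.dynamic[mac] = left - minutes


def scenario_learned_only() -> tuple:
    """Thread's config: age 0, one learned MAC, then swap hosts."""
    port = SecurePort("3/25")
    port.frame_from(PC_A)
    port.link_down()
    port.frame_from(PC_B)
    return port.shutdown, port.secure_addrs()


def scenario_static_mac() -> tuple:
    """Same steps with PC_A's MAC configured on the port instead of learned."""
    port = SecurePort("3/25", static={PC_A})
    port.frame_from(PC_A)
    port.link_down()
    port.frame_from(PC_B)
    return port.shutdown, port.secure_addrs()


def scenario_aging() -> tuple:
    """Age 1: the learned entry disappears after a minute even with the host attached."""
    port = SecurePort("3/25", age_minutes=1)
    port.frame_from(PC_A)
    before = port.secure_addrs()
    port.tick(1)
    return before, port.secure_addrs()


if __name__ == "__main__":
    for fn in (scenario_learned_only, scenario_static_mac, scenario_aging):
        print(fn.__name__, fn())
```

The first scenario reproduces the thread's observation: with only a learned entry and no static address, the second host is simply learned and the port never shuts down. The second shows that a secure address configured on the port survives the link-down flush, so the replacement host triggers the violation action; that is the trade-off the original post raises against entering MACs for 200 machines.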
