Cisco Support Community

New Member

switchport port-security question

Hello, I'm trying to configure port-security on my switchports; our security policy is to prevent a user from overflowing the CAM table, but we don't care if that user roams to different ports on the same switch.  Current port config:

switchport port-security maximum 20
switchport port-security
switchport port-security aging time 10
switchport port-security violation restrict
switchport port-security aging type inactivity

The problem with that config is that if a user roams to a different port on the same switch, the port goes to err-disable state for 10 minutes.  Is there a way to prevent that from happening, while still only allowing a max of 20 mac addresses on each port?

thanks in advance,

Mike

3 REPLIES
Hall of Fame Super Silver

Re: switchport port-security question

Hello Mike,

You should use a lower timer,

something like:

switchport port-security aging time 2

You already have aging type inactivity.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/swtrafc.html#wp1038546

Hope to help

Giuseppe
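As an added example, not configuration posted by anyone in this thread, here is the port configuration from the question with Giuseppe's shorter inactivity timer applied, together with the show and clear commands used to see what port-security has actually recorded on a port. The interface range, the errdisable recovery settings and the recovery interval are my assumptions for illustration; the thread does not state them. One caveat worth checking first: in IOS the "restrict" violation mode drops the offending frames, logs the PSECURE_VIOLATION message and increments the violation counter, but does not err-disable the port; err-disable is the behaviour of the default "shutdown" mode, so "show port-security interface" on a port that really is going err-disabled will tell you which mode it is running.

```ios
! Added example (not from the thread): access ports with a 2-minute inactivity aging timer.
! Interface range and errdisable recovery settings are assumptions for illustration.
interface range FastEthernet2/0/1 - 24
 switchport mode access
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security aging time 2
!
! Only relevant if some ports are still in the default "shutdown" violation mode:
! recover them automatically instead of waiting for a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
! Checks: which violation mode the port runs, its violation count, and which
! secure MAC addresses are currently held against each port.
show port-security interface FastEthernet2/0/16
show port-security address
show errdisable recovery
!
! Flush the dynamically learned secure addresses on one port by hand,
! for example after a user has moved to another jack.
clear port-security dynamic interface FastEthernet2/0/16
```

The violation counter from "show port-security interface" is the quickest way to distinguish the roaming case (one MAC address turning up on a second port) from the CAM-overflow case the policy is meant to stop (many different addresses arriving on a single port); the PSECURE_VIOLATION syslog line quoted later in the thread names the offending address and port, so a handful of those lines shows the same thing.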

New Member

Re: switchport port-security question

Thanks for the reply, but that's not quite what I was after.  The problem we have is that with those port-security settings, occasionally a user will plug into one jack, then move to a different jack and plug in, only to have his port err-disabled because he moved across the room to a different jack.

When this happens, the log file shows a number of these messages:

May 13 18:57:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxx.xxxx.xxxx on port FastEthernet2/0/16.

...and the port becomes err-disabled for 10 minutes.  My problem is two-fold:

1) I can't reliably reproduce it.  I've tried plugging a machine into one port and then another in rapid succession, but have been unable to make the port err-disable itself.

2) I don't even want this behavior.  I want the mac address to be removed as soon as the link goes down, so that the user can simply plug into a different port without the port being err-disabled.  The documentation is unclear as to how to get this result.  If I issue a "no switchport port-security aging time" command, will that have the desired effect?

Thanks,

Mike

Re: switchport port-security question

Hi Mike,

You might find this link useful.

http://packetlife.net/blog/2010/may/3/port-security/

Happy Networking !!!

Rgds,

Narendrakumar B
