Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
394
Views
0
Helpful
4
Replies

Port security on 2950,3560.

johnleeee
Level 1
Level 1

‎03-22-2006 04:11 AM - edited ‎03-03-2019 02:24 AM

Hi all,

I have very interesting question

related to port security on above mentioned switches.

We have IP telephony implemented and connection goes from PC to IP phone and IP phone(non Cisco) to Cisco switch.

On switches we have port security and

aging configured like this below:

switchport access vlan 20

switchport mode access

switchport voice vlan 60

switchport port-security

switchport port-security maximum 2

switchport port-security aging time 1

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security aging static

switchport port-security mac-address sticky 0007.1bdf.d5ea

switchport port-security mac-address sticky 0006.9013.26cf vlan voice

spanning-tree portfast

But when I want to connect my PC to another port this PC doesnt work because

port where is IP phone connected is still up. So my question is why these addresses doesnt time out when over there is aging configured (default absolute)?

How we can configure our switches to time out sticky addresses?

Any suggestions?

BR

jl

Labels:
0 Helpful
4 Replies 4

amit-singh
Level 8
Level 8

‎03-22-2006 04:27 AM

Hi,

You have configured mac-address sticky option and the swithces doesnot support the againg of stickey learned mac-addresses. The only way it will work if you take out the stiacky configuration out of the port.

USE no switchport port-security mac-address sticky interface configuration command.

Please go through the link for more info:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea2/2950scg/swtrafc.htm#wp1038546

HTH, Please rate if it does.

-amit singh

0 Helpful

pciaccio
Level 4
Level 4

‎03-22-2006 05:12 AM

The whole idea about Port Security is to stop people from pulling connections and placing a rogue PC or foreign device on the network. The Port security locks down the port to just one MAC address. It cannot time out nor would you want it timed out(if you were the person responsible for security in your corporation). The only way to wipe it away is to stop the security and clear the mac address from the port manually...Good Luck..Please rate..

0 Helpful

amit-singh
Level 8
Level 8
In response to pciaccio

‎03-22-2006 06:57 AM

Hi pciaccio,

I dont agree with your post above. Its only the Sticky mac-addresses that dont getwiped out even after the aging time and switch reboot because they are dynamically learned sticky addresses. If your adress is not stickey and its learned dynamically, it will be wiped out after the aging time.

Please go through the link posted in my first reply, it will give you more idea.

HTH,

-amit singh

0 Helpful

johnleeee
Level 1
Level 1
In response to amit-singh

‎03-23-2006 04:11 AM

Hi all,

thanks for your answers. Amit I agree with you.

Iv tested all possible alternatives. It is pity

that I cannot do this:

configure sticky command on port....switch adds MAC

I remove PC from port and plug it to another port without port security. Switch removes from table and

from port sticky learned MAC after defined aging time. And my PC in this moment can work.

When I disconnect PC from port and I connect this PC

to the same port with sticky ..switch adds MAC again.

It is crucial for example for notebooks. When someone move on from place to place..it is hard

for admins still refresh MAC from port to port (with sticky configured).

What is best solution to have port security?

I dont want to do 802.1x.

Any suggestions?

BR

jl

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents