port security problem

minimintu
Level 1

We have a 6513 switch. We have created VLANs on this switch. Port security has been enabled on each port in such a way that each port is capable of supporting 3 MAC addresses. If any port gets disabled, I have to manually clear the port security of that port first and then enable it again. My question is: can an aging time for port security be defined? Please help me out soon.

IP addresses are allocated to each VLAN through a DHCP server.


farkascsgy
Level 4

Check this command:

switchport port-security aging {static | time time | type {absolute | inactivity}}

bye

FCS

Please rate me if I helped.

Hi,

Yes aging can be defined. Use the following command for the same:

switchport port-security aging time 'x'

x being the time in seconds.

You can also configure aging based on the inactivity time period.

switchport port-security aging type inactivity

Refer to the following link for details:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2c.html#wp1055928

Hope this helps.

Regards,

AbhisheK

Please rate all posts!!!

Can this configuration work for CatOS also? We have set-based commands. How do we do this using set-based commands? Help me out soon.

This command can help you:

set port security mod/port... [enable | disable] [mac_addr] [age {age_time}] [maximum {num_of_mac}] [shutdown {shutdown_time}] [unicast-flood {enable | disable}] [violation {shutdown | restrict}]

Further info:

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_command_reference_chapter09186a00801fd94f.html#wp1054409

bye

FCS

Please rate me if I helped

Hi,

The following command might help:

'set port security a/b age x'

a/b being the interface number and x the time in minutes.

Use the following link for details about commands for configuring your switch:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html#14877

Hope this helps.

Regards,

AbhisheK

Please rate all posts!!!

For example, if I configure the aging as

set port security 1/4 age 120

then after 120 min the entry for the MAC address is removed. Now how do I activate it again? I mean, if my PC is connected to port 1/4, then after 120 mins I will not be on the LAN. How do I get on the LAN again on that port only, in this case port 1/4?

Help me.

Hi,

Then you need to give the following command:

clear port security a/b mac-address

or

clear port security a/b all

This command will clear the MAC address from the list of secured addresses on the port. It will then be learned and secured again.

It is recommended to disable port security before clearing MAC address on a port.

Hope this helps.

Regards,

AbhisheK

Please rate all posts!!!

One last question.

Just now I read that the aging command cannot be used with dynamic MAC addresses. If this is the case, then how can I configure aging for ports?

Hello,

It depends on the CatOS version and the Supervisor you are running. Check this link:

Setting the Port Security Aging Type

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/confg_gd/sec_port.htm#wp1031791

Regards,

GNT

Thanks a lot to everyone for helping me out. Now I have all the answers to my questions.

One issue is coming up.

I have configured port security for a maximum of 3 MAC addresses, and the aging time is 30 mins for port 1/2. If I put one PC on port 1/2 and remove it after 2 mins, then put another PC on the same port and remove it again, and do the same for a third PC, then if I put a fourth PC on the same port, the port should not accept it, as it is configured for only 3 MAC addresses. How can the port be disabled if I have defined an aging time of 30 mins? I want the fourth PC not to be on the LAN, and the port should not be disabled if the aging time is defined as 30 mins (or any other defined time).

Help me out, please.

Hi,

The port must be getting disabled because you would have specified that as the action to be performed when a violation of port security occurs. Just remove the violation command and you should be done!

There must be a line in your configuration which would be like this:-

set port security A/B violation shutdown

Disable the above mentioned command and your problem should be resolved.

You can also set the violation action to restrict, which will drop all the packets from the insecure addresses but would keep the port enabled.

Hope this helps!

Regards,

Abhishek

Please rate all posts!!!
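The scenario from the last question, replayed in a simplified model (an added example, not part of the thread and not Cisco code): port 1/2 with a maximum of 3 secure MAC addresses and a 30 minute aging time, under both violation actions. It assumes absolute aging counted from when an address was learned, and that an aged-out entry frees a slot; the class, function and PC names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Simplified model of one port-security port (assumed semantics, not switch code)."""
    maximum: int = 3             # maximum number of secure MAC addresses
    age_min: int = 30            # aging time in minutes (0 = entries never age)
    violation: str = "shutdown"  # "shutdown" or "restrict"
    enabled: bool = True
    table: dict = field(default_factory=dict)  # mac -> minute it was learned

    def _age_out(self, now):
        # Absolute aging: drop entries learned age_min or more minutes ago.
        if self.age_min:
            self.table = {m: t for m, t in self.table.items()
                          if now - t < self.age_min}

    def frame(self, mac, now):
        """Return what happens to a frame from `mac` arriving at minute `now`."""
        if not self.enabled:
            return "port-disabled"
        self._age_out(now)
        if mac in self.table:
            return "forwarded"
        if len(self.table) < self.maximum:
            self.table[mac] = now
            return "learned"
        # Table is full and this source address is not secured: violation.
        if self.violation == "shutdown":
            self.enabled = False
            return "violation-shutdown"
        return "violation-dropped"  # restrict: drop the frame, keep the port up

def replay(violation):
    """Constructed timeline: three PCs in turn, a fourth at minute 6 and again at 31."""
    port = SecurePort(maximum=3, age_min=30, violation=violation)
    events = [("pc1", 0), ("pc2", 2), ("pc3", 4), ("pc4", 6), ("pc4", 31)]
    return [port.frame(mac, t) for mac, t in events], port.enabled

if __name__ == "__main__":
    for mode in ("shutdown", "restrict"):
        print(mode, replay(mode))
```

Unplugging a PC does not remove its entry, so the table is still full at minute 6; only the violation action decides whether the port stays up.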
