NAC and switchport port-security

Dear,Friends
I have NAC working on Out-Of-Band Vitual Gateway.
When I Enable Port Security on the CAM, this don't work very well.
I need allow two mac-address for interface, one workstation and one phone.
The first User is authenticated and placed in the correct VLAN according to the group. Total MAC Addresses increases the workstation and the phone correctly.
Switch#sh port-security interface gigabitEthernet 1/24
Port Security                          : Enabled
Port Status                            : Secure-up
Violation Mode                       : Shutdown
Aging Time                            : 0 mins
Aging Type                            : Absolute
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses     : 2
Total MAC Addresses            : 2
Configured MAC Addresses    : 0
Sticky MAC Addresses          : 0
Last Source Address:Vlan      : fcfb.fbca.2c65:89
Security Violation Count         : 0
After if I:
- change of user
- bounce the interface
- plug another workstation on interface
Anything happens, and port remains on Access VLAN.
Somebody Know How Can I fix this problem?
Regards

Could you please elaborate on your question? I don't understand what's exactly the problem.

Similar Messages

  • Switchport port-security on Routers ?

    Hi All,
    Wanting to restrict LAN ports on a 857 router to particular MAC addresses.
    But the router doesn’t support the switchport command at all.
    So tried on 1800 series and though it does support "switchport”, it doesn’t support "switchport port-security"
    Is there a particular router model that does or any other way around implementing a solution where if a rogue device plugs into the router the port shuts down?
    thanks,
    Ivan

    Hi,
    Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
    HTH
    Sundar

  • SG-500-28P How to configure switchport port-security violation setting

    Is there a way to do switchport port-security violation {protect | restrict | shutdown} in SG-500-28P in case of a BPDU Guard violation?
    Seems like the default option is shutdown and I don't know how to change it.
    Thank you!

    Hi,
    you can recover this Violation.By using below command:
    To enable automatic re-activation of an interface after an Err-Disable shutdown, 
    use the errdisable recovery cause Global Configuration mode command. To 
    disable automatic re-activation, use the no form of this command.
    Syntax
    errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | 
    stp-bpdu-guard | loopback-detection | udld }
    no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | 
    stp-bpdu-guard | loopback-detection | udld }
    For more information:
    Refer this URL:page no :406
    http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/Sx500/cli_guide/CLI_500.pdf
    regards
    Moorthy

  • Switchport port-security maximum

    I have a 4510R switch, ((cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1)).
    I´m configuring the port-security maximum using the following commands:
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    I dont know why some times this work, some times do not work.
    to solve the issue I had to use the three commands:
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security maximum 1 vlan voice
    the documentation do not say nothing about if I have to use the three commands together.

    Hi,
    This is an excerpt from the Configuration Guide for your box and IOS-XE release:
    Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum. Also, the number of addresses secured on the port across all VLANs cannot exceed a maximum that is configured on the port.
    The default "switchport port-security maximum" value for the port is "1". So unless you change this value to "2" your port can sense max. 1 MAC address in either vlan "access" or "voice" ONLY without triggering violation. This means that the total maximum number of MAC addresses allowed  per all configured vlans per port equals ONE at the default only.
    I hope my English makes sense.
    Best regards,
    Antonin

  • [switchport port-security mac ] on [interface VLAN n?]

    Hello,
    did anyone tried to use the command [switchport port-security mac-address n?] on [interface VLAN n?] ? (for example in a 2950).
    I don't have the material to make that test, and I am not sure if it works or not.
    Many thanks!

    Hi,
    Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
    HTH
    Sundar

  • Port Security Sticky Addresses

    Does anyone know if there is a way to automatically clear the mac address on a switchport that has port security sticky addressing enabled. I have the following configured on the port(s):
    switchport mode access
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    spanning-tree portfast
    I can't get it to release the sticky mac-address after the minute of inactivity. As soon as I try to connect another device to the port after the required inactivity, the port goes into an err-disabled state because it still sees the mac of the old device. Any help is appreciated. This is on a Catalyst 2950G switch.
    Josh

    It is not possible to age out sticky entries.  With sticky entries, they are added to the running config.  So the only way to remove it is through editing the running config....  If you enter the "no switchport port-security mac-address sticky" interface command, then the mac addresses will be learned dynamically, and will be aged out after 1 minute of inactivity, per your config ...

  • CAM aging time VS Port-security aging time

    Hi All
    Please advise on the following:
    - Without port-security configured, MACs per interface are learnt as "Dynamic" entries and the global CAM aging timer applies (300 seconds) unless tweaked manually.
    - With switchport port-security enabled (without port-security mac-address sticky, which holds onto MACs infinitely) I see MACs being learnt as "Secure-Dynamic" in a show port-security interface gix/x output and as "Static" in the output of show mac address-table interface gix.x .
    What I want to know is if JUST port-security is applied (without mac-address sticky) do the default CAM aging timer of 300 seconds get applied to these MACs too? as I see their is also a option to configure port-security mac-address aging time / type, does this overrule / take precedence over the default CAM aging timer?
    Please assist, its not documented anywhere and its driving me a bit nuts!
    Thanks folks

    What I want to know is if JUST port-security is applied (without mac-address sticky) do the default CAM aging timer of 300 seconds get applied to these MACs too?
    Any aging time you configure with port security will take precedence over the default aging time.
    See this thread for details -
    https://supportforums.cisco.com/discussion/11054341/switchport-port-security-commands-help
    Jon

  • Recommended port-security settings for ASA HA failover

    I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:
    interface GigabitEthernet0/8
    description ASA-Primary-Out
    switchport access vlan 200
    switchport mode access
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 500
    no cdp enable
    spanning-tree portfast
    spanning-tree bpduguard enable
    Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
    %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8. After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both mac addresses?
    I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

    Hello,
    This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
    Per the port-security config guide:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391
    "...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
    Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
    -Mike

  • Packet drops on 2960 with port-security enabled

    Hello,
    We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure to prevent MAC flooding attacks:
    switchport port-security maximum 10 switchport port-security switchport port-security aging time 1 switchport port-security violation restrict switchport port-security aging type inactivity
    There is a problem with the more "quiet" hosts, especially in technology - every time the MAC address ages out, the first packets (an ARP request usually) sent by the host is dropped by the switch. There is no violation logged, the switch should be OK to forward the packets but doesn't:
    Port Security              : EnabledPort Status                : Secure-upViolation Mode             : RestrictAging Time                 : 1 minsAging Type                 : InactivitySecureStatic Address Aging : DisabledMaximum MAC Addresses      : 10Total MAC Addresses        : 0Configured MAC Addresses   : 0Sticky MAC Addresses       : 0Last Source Address:Vlan   : 0011.aabb.ccdd:11Security Violation Count   : 0
    When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I didn't check other models yet.
    I have found similar reports and bugs for the 2950 and 3750:
    https://supportforums.cisco.com/thread/163910
    https://supportforums.cisco.com/message/89560
    https://tools.cisco.com/bugsearch/bug/CSCeg63177
    https://tools.cisco.com/bugsearch/bug/CSCec21652
    Is there anything we can do to fix this?
    Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)
    Thank you.

    Hi Alioune,
    This is expected behaviour on the Nexus 1000v Ethernet interfaces when the uplinks are configured with MAC pinning.
    When using MAC pinning there's no special configuration of the ports on the upstream physical switches and so any broadcast packets are sent by the upstream switches on all uplinks towards the Nexus 1000v switch.
    On each VEM of the Nexus there's one uplink interface that is chosen as the Designated Receiver for broadcast traffic, and the function of the DR is to forward received broadcast traffic to VMs within the VLAN. The broadcast traffic received on any other uplinks of the VEM i.e., those that are not the acting as DR, drop the received broadcast traffic on ingress to the VEM.
    The drops you're seeing on the uplink interfaces are almost certainly the broadcast traffic being received on one or more non DR uplinks.
    Regards

  • Implementing port security

    i have about a dozen2960 that i wish to implement port security. Some users tend to bring their own router and cause mayhem to the network. I've tried DHCP snooping, dont seem to work and port security testing on a few ports work well.
    What are the recommended steps? All are connected with users and all ports are already in use.
    - Some ports already have a few mac address in the tables thus i cant say do a across the board implement say "switchport port-security maximum 3".
    - It's tedious to go switch by switch, port by port
    - Any mechnism that can convert sticky to static with "switchport port-security mac-address sticky" first then convert them to static since the network is ok now.

    The poster above raised some excellent points about an "IT Acceptable Policy". I wouldn't want people allowed to bring in random network eqiupment just plugging it in all willy nilly.
    With DHCP Snooping, you need to understand, that all ports will be untrusted by default. So you need to make sure the only ports that are trusted are trunk ports, that lead to a DHCP server, and the port connected to the DHCP server. Also, you may or may not have to deal with Option 82, which you have two options. You can either turn if off from being checked at the router, or instruct the switch to not install the option to being with in DHCP Discover packets.
    When you enable DHCP Snooping, this will create teh DHCP Snooping database, which will keep track of the DHCP assigned IP address, and the MAC address assigned to each port.
    If you have users who bring in their own switches, find out who they are, and just watch the MAC addresses associated with the port, and then you can adjust port security appropraitely.
    It sounds like you may have a hard time, since they don't seem to really care about security at this place.
    Personally, if it were me, all ports would have BPDU Guard that should, at a minimum. You can always setup 'errdisable recovery' to deal with the recovering of ports that have been disabled automatically.

  • Scope of port security

    Hi,
    I experienced a scenario recently where port security was enabled on a switch allowing 3 mac addresses on a port with sticky, The physical setup was Switch>>media converter>>IP phone>>Laptop.
    Port one had this equipment already in situe and we wanted to add another laptop to the domain,
    We connected a 2nd laptop to port one and successfully joined the domain.
    We did not setup port security on port 2. Uppon conencting a new IP phone to port 2, and then moving the 2nd laptop to port 2 also, the phone worked but laptop 2 did not.
    We found that for the laptop to work on port 2 we had to flush port 1.
    My question is.. Is this default behaviour? may a mac address only exist on one port as far as port security in concerned? or might the use of the media converter stopped the port from recognising the disconnection of the laptop perhaps?
    Cheers
    Dave

    Hi David Imrie
    You have to check the configuration of your switch interface, probably  a switch's  port dynamically learned a MAC address with the “switchport port-security mac-address sticky” command and does not allow another port learn the MAC address, I recommend you to use the  “mac-address-table static 0000.1111.2222 vlan x interface fastethernet 0 / x”  command to be assigned statically.
    You should also check that the “switchport port-security” command is configured on each interface of the switch, because without that no “port-security command” will work.
    IP phones sometimes have multiple MAC addresses assigned, and sometimes this causes problems with networks like yours >> Switch >> IP phone media converter >> Laptop. To solve this problem, change the maximum allowed MAC addresses, adding one to the maximum allowed
    For example if the maximum is 2,  change to 3
    Switchx (config-if) # switchport port-security maximum 2.
    Switchx (config-if) # no switchport port-security maximum 2.
    Switchx (config-if) # switchport port-security maximum 3.
    If these solutions do not fix your problem, send me your switch configuration or
    If this answer was satisfactory for you, please mark the question as Answered.
    Thank you
    Greetings, Johnnatan Rodriguez Miranda.

  • Enable port security between Two switches

    Hi Everyone,
    I connected two switches together  via below config
    Switch A
    int gi0/1
    switch mode access
    switchport access vlan 10
    Switch B
    int gi0/1
    switch mode access
    switchport access vlan 10
    They work fine with above config.
    I did the Test below
    However when i changed Config of Switch B  as below
    int gi0/1
    switch mode access
    switchport access vlan 10
    switchport port-security  
    Switch B is unable to ping its default gateway.
    Also Switch B is not reachable via SSH.
    Port is up up and in STP forwarding state.
    Switch B can see Switch A as a neighbour.
    Also Switch B is not reachable via SSH.
    I know that switchport port-security we use only when connecting to PC.
    S does this mean that  on above scenario layer 1 and layer 2 are up but layers beyond 3 and above are not reachable like ping,ssh etc??
    Regards
    MAhesh

    I was just trying to see how the switches behave with this config.Nothing much just  exploring the options in the network world
    Ideally if you want to connect two switches together in Layer 2, Dot1Q trunking is the way to go.  You do not want to put port security because it is useless. 

  • 3550 port-security

    i've managed to set up port security and i need to lock the ports down by one mac well after going through each port step by step all the mac's are in the table but it shows them as dynamic address's i thought they were supposed to be static secure? i also thought that setting up port security would make so if someone changed ports on the switch that it would cause a security violation i havent been able to create a security violation yet.

    Hi,
    How have you configured this on your switch ports, all you need to do to restrict the port to a single MAC address is:
    switchport port-security
    switchport port-security violation restrict
    When you look at the CAM table for a specific port, the MAC address learned on that port should be listed as static and not dynamic.
    my_switch#sh mac-address-table int fa 2/0/7
    Mac Address Table
    Vlan Mac Address Type Ports
    134 0003.47a4.db43 STATIC Fa2/0/7
    Total Mac Addresses for this criterion: 1
    EDIT: You can also issue the following command:
    my_switch#sh port-security int fa 2/0/7
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Restrict
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 1
    Configured MAC Addresses : 0
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0003.47a4.db43:134
    Security Violation Count : 0
    This shows the max allowed MACs on the port, the MAC that has been allowed and the port status as Secure_up
    I believe that's all you need to do.
    HTH
    Paddy

  • Port security detecting two MACs on 1 machine.

    I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:
    Version 12.1(19)EA1
    switchport mode access
    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation shutdown
    switchport port-security mac-address sticky
    I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shutdown due to MAC address violations. The users swear up and down that their computers have NOT moved or been uplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eye witnesses (manager's sitting by desk) saying they saw nobody at his desk.
    Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.
    Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventally.
    Anybody ran into this before?
    Thanks.
    Brett

    After a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). Seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users frustrations of being shutoff every 30 min or so during the workday. Here is some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.
    interface FastEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address sticky
    switchport port-security mac-address sticky 00e0.988a.7ee6
    no ip address
    Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
    (Count) (Count) (Count)
    Fa0/1 1 1 3 Restrict
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 5463.0007.eb9e on port Fa0/1.
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address
    2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
    MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address
    Notice how all 3 violating MACS have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround although it will shut down int temp throughout the day. Port security is absolutly needed.
    Thanks for the response Thomas.

  • Port Security - CMS

    I am using CMS on a 3550 to implement Port Security. I want to know how to clear the Violation Rejection count? I have tried changing the Violation, turned off Sticky Behavior and disabled Port Security. Nothing clears the Violation count. When I re-enable Port Security the Violation Rejection count is the same. Help!!!

    Duplicate post. 
    Go HERE.

Maybe you are looking for

  • R835 P56X USB 3 problems

    I have my R835 running nice now with Crucial M4 SSD, 8 gigs ram, 6230 wifi and the latest Bios & drivers.  But, whenever I use the usb3 port to transfer files from or to my usb3 supported external drive, it starts out fast but then comes to a screach

  • Unable to create Oracle BAM Sinks in Design Studio on Windows XP Profession

    Hi, I am unable to create any Oracle BAM Sink in Design Studio. I am getting this error, when trying to drag BAM Sink to my plan: Failed to create the Transform COM object. [Oracle BAM Enterprise Link error code:  DC -- 0x1, DC -- 0x5B] Problem in st

  • TS3775 imac 2011 target display mode

    i am trying to use my mid 2011 imac as an external display for a pc. i have a graphics card in my pc that supports mini display and hdmi. if i get a thunderbolt to hdmi cable, will this do the trick?

  • Can I leave an iPhone 5c on charge all night?

    Hi, I have recently purchased an iPhone 5C and just have a few questions. Does the phone have to be powered on for the alarm to go off? If so, can I leave the phone on charge all night so my alarm will go off in the morning without causing any harm t

  • NiceScroll integration problems! Advice please

    Dear all I have been doing my best to get niceScroll implemented in Edge Animate. Though it has bugs and undesired effects! # I'm using the latest Edge Animate # I am loading this Edge Animate composition in a fancy box Iframe from within another Edg