
3750 port security issue

Status
Not open for further replies.

cormon (Technical User), Mar 4, 2005
Hi lads,

We are using port security with a maximum of 10 MAC addresses specified. We are also using the sticky feature to aid the configuration. Everything is on one VLAN in the organization. Here's the problem: when we take a laptop from a port in a different department up to the IT department and plug it into one of our ports, it doesn't work. The new port doesn't go into an err-disable state, and if we try to specify the MAC address on the new port we get "Mac address already exists". The MAC address is under the old port; when we remove the entry from the old port it works. Any ideas? 3750 stack running 12.2(25)SEB4.

Is this possible to do with port security?

Thanks in advance.

Kevin
 
Here is the configuration. As you can see, the aging time and aging action have been specified but it doesn't work. Is there something we are missing here, or is this a possible issue with the CAM table and the MAC address aging timer on the interface?

Any ideas would be great....




interface FastEthernet4/0/27
switchport mode access
switchport port-security
switchport port-security maximum 10
switchport port-security aging time 6
switchport port-security aging type inactivity
switchport port-security mac-address sticky
switchport port-security aging static
switchport port-security mac-address sticky 000b.cdf7.2748
switchport port-security mac-address sticky 0012.79be.d781
switchport port-security mac-address sticky 0015.60bb.a189
switchport port-security mac-address sticky 00b0.d018.0034
switchport port-security mac-address sticky 00c0.9f76.7e83
switchport port-security mac-address sticky 00c0.9f76.7ea5
spanning-tree portfast
spanning-tree bpduguard enable

To reiterate, we are trying to get 0012.79be.d781 to work on a different port, but because it is attached to the original port it doesn't work on the new port.
Thanks in advance
 


I believe I've figured it out: you don't appear to be able to use the sticky command under the interface together with the aging-time command.
When the sticky command is removed the timeout works fine. Although you can type in both commands, the timeout will never work because the sticky command copies the MAC address to the config.



 
Cormon:

I have older switches and don't know the function of the sticky command, but I have the following comment on port security.

You should not configure 10 as the allowable MACs for a port on which you have port security configured. The reason we use port security is to block another unknown host from connecting to the port and being able to access the network. We use "1" as the allowable MAC. If we know a hub is connected to a port with a host and a printer, we use "2". We also lock the port if it generated an address violation. For example: if someone unplugged the desktop and plugged in a laptop, we would ask them what they had done to create this violation before we reset the port.

It is a little more work, but it is better safe than sorry!

KCBell
 
Doesn't the sticky command make you plug into the same port every time, as if it were a workstation?

Burt
 
Yes it does, so in the case where I want to take a PC up to the IT department and plug it into the network for repair, the original port cannot have the sticky command enabled, as the switch won't let you connect it to another port because the original port has the MAC address attached by use of the sticky command. I got around this by using a switchport port-security aging 5 command so the original port flushed the MAC address and allowed me to plug it in somewhere else.


Thanks
Kevin.
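Two practical questions run through this thread: which port is currently holding the sticky MAC that blocks the move (the cause of "Mac address already exists"), and, as KCBell raises, which ports allow more secure MACs than policy should permit. The script below is an added example and not part of the thread or of Cisco's tooling. It parses a running-config, answers both questions and emits the IOS commands that release the sticky entry from the old port. The sample config is constructed (the thread's Fa4/0/27 stanza shortened, plus two hypothetical neighbours Fa4/0/28 and Fa4/0/29); the assumed default of 1 secure MAC when `switchport port-security maximum` is absent matches the IOS default.

```python
"""Locate sticky secure MACs and audit port-security limits in an IOS config.

Added example, not from the Tek-Tips thread. Reports which interface pins a
given MAC as a sticky secure address, the commands to release it, and which
ports allow more secure MACs than a chosen ceiling.
"""
import re

# Constructed sample: the thread's Fa4/0/27 stanza (shortened) plus two
# hypothetical neighbours.
SAMPLE_CONFIG = """\
interface FastEthernet4/0/27
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security aging time 6
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 switchport port-security aging static
 switchport port-security mac-address sticky 000b.cdf7.2748
 switchport port-security mac-address sticky 0012.79be.d781
!
interface FastEthernet4/0/28
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0015.60bb.a189
!
interface FastEthernet4/0/29
 switchport mode access
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
MAXIMUM_RE = re.compile(r"^switchport port-security maximum (\d+)$")
STICKY_MAC_RE = re.compile(
    r"^switchport port-security mac-address sticky "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)


def normalize_mac(mac):
    """Accept 0012.79be.d781, 00:12:79:BE:D7:81 or 0012-79be-d781; return IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_port_security(config):
    """Return {interface: {"port_security": bool, "maximum": int, "sticky_macs": [...]}}.

    'maximum' defaults to 1 (the IOS default once port security is enabled).
    """
    ports = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pastes that lost IOS's one-space indent
        if line == "!":
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {"port_security": False, "maximum": 1, "sticky_macs": []}
            continue
        if current is None:
            continue
        if line == "switchport port-security":
            ports[current]["port_security"] = True
            continue
        m = MAXIMUM_RE.match(line)
        if m:
            ports[current]["maximum"] = int(m.group(1))
            continue
        m = STICKY_MAC_RE.match(line)
        if m:
            ports[current]["sticky_macs"].append(m.group(1))
    return ports


def find_sticky_mac(ports, mac):
    """Interfaces whose config pins this MAC as a sticky secure address."""
    wanted = normalize_mac(mac)
    return sorted(name for name, p in ports.items() if wanted in p["sticky_macs"])


def release_commands(ports, mac):
    """IOS config-mode commands that drop the sticky entry from every port holding it."""
    wanted = normalize_mac(mac)
    cmds = []
    for name in find_sticky_mac(ports, wanted):
        cmds.append("interface %s" % name)
        cmds.append(" no switchport port-security mac-address sticky %s" % wanted)
    return cmds


def over_limit_ports(ports, limit):
    """Port-security-enabled interfaces allowing more than `limit` secure MACs."""
    return sorted(name for name, p in ports.items()
                  if p["port_security"] and p["maximum"] > limit)


if __name__ == "__main__":
    ports = parse_port_security(SAMPLE_CONFIG)
    print("0012.79be.d781 is pinned on:", find_sticky_mac(ports, "0012.79be.d781"))
    print("\n".join(release_commands(ports, "00:12:79:BE:D7:81")))
    print("ports allowing more than 2 MACs:", over_limit_ports(ports, 2))
```

Feed it the output of `show running-config` and it tells you, before touching the switch, which interface to visit and which line to negate. On the switch itself, `clear port-security sticky interface <if>` clears all sticky entries on a port at once, which is the heavier-handed alternative to removing a single address.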
 