Cisco – Allowing a device blocked by port-security

ciscomac addressswitch

Lets say I have port security configured on a switch's ports like this:

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Et0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------

And also that I use sticky to allow all connected devices.

Now lets say an admin unplugs the computer that was plugged into a port and plugs in another one. The switch port shutdowns as expected. Now the admin calls and asked that the currently connected computer be allowed access. What is the proper way to allow access to that computer?

I ran sticky again on that specific interface and did a no shut, but it is still shutdown. Do I need to completely disable and re-enable port-security on that interface to allow the new device?

Edit: Well I found that running the sticky command again like i did, didn't actually change to the new MAC. so I did a no…sticky to remove the old MAC, ran the sticky command, then did a no shut. But now the interface is still shutdown and when I do a show run the new MAC isn't listed under the interfaces port-security config.

I know completely disabling and re enabling port security would do this i just wanted to know if there's a better way. the scenario I outlined for this question would be fairly common for environments with port-security configured.

Edit: OK so it looks like I had to run a "shutdown" command on the interface before the no shutdown.

So here's what my process will be for re-enabling a port for a new device:

(config-if)# shutdown
(config-if)# no switchport port-security mac-address sticky
(config-if)# switchport port-security mac-address sticky
(config-if)# no shutdown

Best Answer

If you want it to learn a new MAC and make it sticky you'll to remove the old one:
no switchport port-security mac-address mac_address in the relevant interface.

The docs here have some useful info but you might want to consult the docs your specific IOS version.

Related Solutions

Why did I have to clone the MAC address

You are likely running into problems because your Zoom X5 is still acting as a router (even with those features disabled). You should look online for instructions for setting the Zoom X5 in "Bridge Mode" which will cause it to act only as a DSL Modem. This will allow your DI-524 to handle the PPPoE connection as a router and everything should work as you expect.

This link may help: http://my.ruralnetwork.net/tech/setup/dsl_setup_zoom_5554A/zoom5554a_setup11.htm

As for why the MAC address worked, often DSL providers will filter on the MAC address of their DSL modem. In your case, Verizon may have accepted also your PC MAC address after you configured it also for PPPoE. My guess is that changing the MAC address on your DI-524 had little to do with the connection working. You're probably still going to have issues because you're essentially placing a router behind a router. Your best option is to change the Zoom X5 to bridge mode and let your DI-524 be the router.

Cisco – VLAN trunking between Juniper EX -> Cisco Catalyst -> and Cisco Router

You stated that ports 3 and 42 were configured on the Catalyst switch, but then provided configurations for ports 46 and 48. The configuration you posted for port 46 should be applied to port 3 that connects to the EX2200. Your router's connection is unchanged, so hopefully we can assume that configuration is fine.

Now, on the EX2200, the following lines of code would be appropriate to do the following:

ge-0/0/0 - trunk allowing the same vlans as defined above on port 46

ge-0/0/6 - access port on VLAN80

set vlans vlan80 vlan-id 80
set vlans vlan82 vlan-id 82
set vlans vlan83 vlan-id 83
set vlans vlan93 vlan-id 93
set vlans vlan289 vlan-id 289
set interfaces ge-0/0/0 description uplink-to-catalyst 
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan80
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan82
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan83
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan93
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan289
set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan80

Some other suggestions for you:

1) Turn on LLDP on your switch so you can do a show lldp neighbors and see where your connections go.

2) Don't use RSTP for spanning tree on the juniper switch, it doesn't play nice with Cisco that well, use VSTP instead. If you end up with a ton of vlans, you might even need to use MSTP.

3) Turn off chassis alarm for the management ethernet if you're not using it.

On the EX2200:

delete protocols rstp
set protocols vstp vlan all bridge-priority 4k
set protocols lldp interface all
set chassis alarm management-ethernet link-down ignore

On the Catalyst (if it supports it)

lldp run

Best Answer

Related Solutions

Why did I have to clone the MAC address

Cisco – VLAN trunking between Juniper EX -> Cisco Catalyst -> and Cisco Router

Related Topic