Solved

static mac address is stuck on a port

Posted on 2014-03-10
Last Modified: 2014-03-15
Hi all,

I have some Cisco 2975s running as access switches on the floors. Before implementing 802.1x, we were able to move a PC from one office to another without doing anything else.

After we implemented 802.1x, the MAC address of a PC tended to get stuck on a port. The new port that the PC is connected to does not learn the MAC address of the PC. This issue might not have anything to do with 802.1x, but this all started after we implemented 802.1x, so I am blaming it.

I tried to remove the static MAC address of the PC from the old port by using no mac-address table static, without any success.

I was running 12.2 (46) before. I opened a ticket with Cisco; they said it might be a bug with the version and suggested upgrading the switch to 12.2 (55). After the upgrade, I enabled authentication mac-move, but it doesn't do anything and the issue persisted.

For now, the only solution is to switch the cable every time a PC is moved from one office to another.

Do you guys have the same issue and any solutions to it?

Thanks,
MT
Question by:tmatty102

Expert Comment

by:Istvan Kalmar
Hi,

Please provide us the port configs. Did you configure MAC security?

Expert Comment

by:pony10us
Do you have port security turned on?

Example:

interface GigabitEthernet5/1
 description Gi5/1
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 spanning-tree portfast
end

Expert Comment

by:Istvan Kalmar
In this case you need to run, in enable mode:

clear port-security dynamic

Author Comment

by:tmatty102
Port security is not configured on the port.

Below is an example of the port configuration:

interface GigabitEthernet1/0/33
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 no logging event link-status
 power inline consumption 7200
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 spanning-tree portfast
end

Assisted Solution

by:pony10us
pony10us earned 500 total points
Refer to http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2975/software/release/12-2_52_se/command/reference/cr/cli1.html

Specifically for the following:

authentication port-control auto
authentication violation protect

This is basically port security under Dot1x

You may want to verify that someone didn't turn off the MAC move

authentication mac-move permit

Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.

Defaults

MAC move is enabled.

Author Comment

by:tmatty102
Hi pony10us,

Thank you for the info. I have those that you mentioned enabled on the switch already. This includes authentication mac-move permit, authentication port-control auto, and authentication violation protect.

Thanks though.

Expert Comment

by:pony10us
I didn't include the rest but it appears to be related to the 802.1x as you mentioned originally:

"MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs. "

Accepted Solution

by:
tmatty102 earned 0 total points
The problem seems to be related to the authenticated session and I have found the solution.

The solution is to use authentication violation replace instead of protect.

I think it's because I did not configure a timeout for a session or re-authentication after a certain period: the session that took place at first does not expire, and when a new device is plugged into the interface, port-control protects the interface by not allowing the new MAC address to be learned.

With authentication violation replace, the switch will accept the new MAC address, go through the authentication process and replace the old MAC address on the interface if the device gets authenticated successfully.

Note: This option is not available prior to IOS version 12.2 (55).
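
Following the accepted answer's reasoning, an 802.1X port can show this symptom when its violation mode is not replace and nothing ages the old session out. As an added example (not part of the original thread), this Python script checks saved running-config text for such ports; the sample config is constructed from the port posted above plus a hypothetical Gi1/0/34, and the function names are illustrative.

```python
import re

# Constructed sample: the port posted in the thread (trimmed), plus a hypothetical
# second port using the accepted answer's setting and a re-authentication timer.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/33
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/34
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 authentication violation replace
!
interface GigabitEthernet1/0/48
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit(config):
    """Return (port, violation mode) for 802.1X ports that neither replace nor age out sessions."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # not an 802.1X/MAB-controlled port
        mode = next((c.split()[-1] for c in cmds
                     if c.startswith("authentication violation ")), "unset")
        timed = any(c == "authentication periodic" or
                    c.startswith("authentication timer inactivity") for c in cmds)
        if mode != "replace" and not timed:
            findings.append((name, mode))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags only GigabitEthernet1/0/33, the port from the thread; a port reported with mode "unset" has no explicit violation line and runs the platform default.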

Author Closing Comment

by:tmatty102
My comment was the final solution for the question I asked.