Solved

static mac address is stuck on a port

Posted on 2014-03-10
Last Modified: 2014-03-15
Hi all,

I have some Cisco 2975s running as access switches on the floors. Before implementing 802.1x, we were able to move a PC from one office to another without doing anything else.

After we implemented 802.1x, the MAC address of a PC tended to get stuck on a port. The new port that the PC is connected to does not learn the MAC address of the PC. This issue might not have anything to do with 802.1x, but it all started after we implemented 802.1x, so I am blaming it.

I tried to remove the static MAC address of the PC from the old port by using the no mac-address table static command, without any success.

I was running 12.2 (46) before. I opened a ticket with Cisco; they said it might be a bug with the version and suggested upgrading the switch to 12.2 (55). After the upgrade, I enabled authentication mac-move, but it doesn't do anything and the issue persisted.

For now, the only solution is to switch the cable every time a PC moves from one office to another.

Do you guys have the same issue, and any solutions to it?

Thanks,
MT
0
Question by:tmatty102
9 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39918015
Hi,

Please provide us the port configs. Did you configure MAC security?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39918033
Do you have port security turned on?

Example:

interface GigabitEthernet5/1
 description Gi5/1
 switchport access vlan 300
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 spanning-tree portfast
end
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 39918042
In this case you need to run this in enable mode:

clear port-security dynamic
0

 

Author Comment

by:tmatty102
ID: 39918047
Port security is not configured on the port.

Below is an example of the port configuration:

interface GigabitEthernet1/0/33
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 no logging event link-status
 power inline consumption 7200
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation protect
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
 spanning-tree portfast
end
0
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 500 total points
ID: 39918105
Refer to http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2975/software/release/12-2_52_se/command/reference/cr/cli1.html

Specifically for the following:

authentication port-control auto
authentication violation protect

This is basically port security under Dot1x

You may want to verify that someone didn't turn off the MAC move

authentication mac-move permit

Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.

authentication mac-move permit

no authentication mac-move permit

Syntax Description

This command has no arguments or keywords.

Defaults

MAC move is enabled.
0
 

Author Comment

by:tmatty102
ID: 39918118
Hi pony10us,

Thank you for the info. I have those that you mentioned enabled on the switch already. This includes authentication mac-move permit, authentication port-control auto, and authentication violation protect.

Thanks though.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39918164
I didn't include the rest but it appears to be related to the 802.1x as you mentioned originally:

"MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs. "
0
 

Accepted Solution

by:
tmatty102 earned 0 total points
ID: 39918674
The problem seems to be related to the authenticated session, and I have found the solution.

The solution is to use authentication violation replace instead of protect.

I think it's because I did not configure a timeout for a session or re-authentication after a certain period: the session that took place at first does not expire, and when a new device is plugged into the interface, the port-control protects the interface by not allowing the new MAC address to be learned.

With authentication violation replace, the switch will accept the new MAC address, go through the authentication process, and replace the old MAC address on the interface if the device gets authenticated successfully.

Note: This option is not available prior to IOS version 12.2 (55).
0
 

Author Closing Comment

by:tmatty102
ID: 39931107
My comment was the final solution for the question I asked.
0
