CLEANACCESS Archives

October 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"Osborne, Bruce W. (NS)" <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Wed, 3 Oct 2007 15:28:48 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (101 lines)
Greg,

It sounds like you are not using the mac-notification SNMP trap. The
switch will send out this trap whenever there is a change in the mac
addresses on a switch port.

The port configuration should have a "snmp trap mac-notification added"
line.
Your config should have a line like:

snmp-server host <CAM IP> version 2c <Community> mac-notification snmp


Bruce Osborne
Liberty University

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Greg Fuller
Sent: Wednesday, October 03, 2007 3:18 PM
To: [log in to unmask]
Subject: [CLEANACCESS] Edge Switch Interface Configs - Aging?

We completed a mostly successful (still a few lingering issues) to Clean
Access in late August (just as students were returning to campus!).
Students seem to be mostly pleased with it as it is MUCH easier for them
to get connected than our old home-grown custom solution was.

How are others dealing with students who plug their laptop into a
friend's room down the hall?  We are using all Cisco 3550 switches, with
a 5 port HUB connected in each Res Hall room (we only have 1 data jack
per room.......sigh).  So here's what I'm seeing.  Student is in room X.
They want to go visit with their friend in room A.  Student unplugs the
laptop from the HUB in room X and plugs into the HUB in room A.  They
can't pick up an IP from Clean Access.  The switch still knows the
student's laptop is connected in room X and port-security blocks the MAC
address in room A.  Default MAC aging is "absolute", so until the switch
interface goes down (i.e. student unplugs the HUB) the MAC address will
always show up on that switchport.  BTW - doing a "clear mac-address-table
dynamic xxxx.xxxx.xxxx" won't actually remove the MAC from the port.

It looks like we are running into a MAC aging issue.  Without having them
run down the hall to unplug the HUB, I've been temporarily changing the
MAC aging time on the switchport in room X to 1 min inactive and it
clears after 1 minute.  The student will then work in room A.

Does anyone else have HUBs connected in their Res Hall rooms?  What does
your switch interface config look like?  Here's a rundown of my basic
setup for the switches:

ip dhcp snooping vlan 132,136,139-140,144,148,150,152,156,160,172
ip dhcp snooping database flash://snoop.dat
ip dhcp snooping
int fa0/xx
 switchport access vlan 136
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation restrict
 ip access-group RES-BLOCK-IN in
 speed 10
 duplex half
 storm-control broadcast level 10.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 30


I'd like to try setting the MAC aging on each port to something like this:

 switchport port-security aging time 5
 switchport port-security aging type inactivity


But I'm not sure if 5 minutes is too long or too short.  What will happen
with the Clean Access Agent when the switch doesn't see any packets from
the client after 5 minutes and the switch removes the MAC address from
the interface?

I guess I'm just looking for how others have their switch interfaces
configured, aging time and why you picked that timeout value, if you're
using HUBs, etc.

--greg
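The thread raises two separate checks on each edge switch: Greg's port-security stanza keeps the default absolute aging (so a moved MAC stays bound to the old port until link down), and Bruce points out that without the mac-notification trap receiver the CAM is never told that a MAC moved. The following is an added example, not code from either post or from Cisco: a small audit script that parses an IOS-style config into global lines and interface stanzas and reports ports whose port-security lacks inactivity aging or the `snmp trap mac-notification added` line, plus a missing `snmp-server host ... mac-notification` receiver. The parser, the function names (`parse_ios_config`, `audit_port_security`, `audit_config_text`), the 5-minute target, and the hardened sample (placeholder receiver 192.0.2.10 and community string) are this example's own assumptions; the posted stanza is copied from Greg's message.

```python
import re
from dataclasses import dataclass, field


@dataclass
class IosConfig:
    """Global (top-level) lines plus sub-lines keyed by interface name."""
    global_lines: list[str] = field(default_factory=list)
    interfaces: dict[str, list[str]] = field(default_factory=dict)


def parse_ios_config(text: str) -> IosConfig:
    """Split IOS-style config text into global lines and interface stanzas.

    IOS indents interface sub-commands by one space; the abbreviated 'int'
    form used in the post is accepted alongside 'interface'.
    """
    cfg = IosConfig()
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0] in " \t" and current is not None:
            cfg.interfaces[current].append(raw.strip())  # sub-command of current stanza
            continue
        line = raw.strip()
        m = re.match(r"^(?:interface|int)\s+(\S+)$", line)
        if m:
            current = m.group(1)
            cfg.interfaces.setdefault(current, [])
        else:
            current = None  # any other top-level line ends the stanza
            cfg.global_lines.append(line)
    return cfg


def audit_port_security(cfg: IosConfig, max_aging_minutes: int = 5) -> dict[str, list[str]]:
    """Return {scope: [findings]}; an empty dict means every check passed."""
    findings: dict[str, list[str]] = {}

    def add(scope: str, msg: str) -> None:
        findings.setdefault(scope, []).append(msg)

    # Bruce's point: the CAM must be a trap receiver for mac-notification.
    if not any(l.startswith("snmp-server host") and "mac-notification" in l
               for l in cfg.global_lines):
        add("global", "no 'snmp-server host <CAM IP> ... mac-notification' receiver; "
                      "the CAM is never told when a MAC moves ports")

    for name, lines in cfg.interfaces.items():
        if "switchport port-security" not in lines:
            continue  # not a port-security edge port, nothing to check
        # Greg's problem: absolute aging keeps the MAC bound until link down.
        if "switchport port-security aging type inactivity" not in lines:
            add(name, "aging type is absolute (default): MAC stays bound until link down")
        aging = None
        for l in lines:
            m = re.match(r"^switchport port-security aging time (\d+)$", l)
            if m:
                aging = int(m.group(1))
        if aging is None:
            add(name, "no aging time set (default 0: secure MACs never age out)")
        elif aging > max_aging_minutes:
            add(name, f"aging time {aging} min exceeds the {max_aging_minutes} min target")
        if "snmp trap mac-notification added" not in lines:
            add(name, "no 'snmp trap mac-notification added': port does not report new MACs")
    return findings


def audit_config_text(text: str, max_aging_minutes: int = 5) -> dict[str, list[str]]:
    return audit_port_security(parse_ios_config(text), max_aging_minutes)


# Greg's posted stanza, as quoted in the thread (global snmp-server lines not shown).
POSTED_CONFIG = """\
ip dhcp snooping vlan 132,136,139-140,144,148,150,152,156,160,172
ip dhcp snooping database flash://snoop.dat
ip dhcp snooping
int fa0/xx
 switchport access vlan 136
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation restrict
 ip access-group RES-BLOCK-IN in
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 30
"""

# Constructed hardened stanza: posted lines plus the aging and trap lines from
# the thread; 192.0.2.10 and CAMTRAPS are placeholders, not real values.
HARDENED_CONFIG = POSTED_CONFIG.replace("int fa0/xx", "interface FastEthernet0/1") + """\
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 snmp trap mac-notification added
snmp-server host 192.0.2.10 version 2c CAMTRAPS mac-notification snmp
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config_text(text) or "OK")
```

Run against the posted stanza it flags the port three times (absolute aging, no aging time, no mac-notification trap) and the config once for the missing trap receiver; the hardened variant audits clean. The per-interface checks rely on exact-line matches, so a config saved with different abbreviations would need the match strings adjusted.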
