CLEANACCESS Archives

October 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
Greg Fuller <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Wed, 3 Oct 2007 15:17:39 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (65 lines)
We completed a mostly successful (still a few lingering issues) to Clean 
Access in late August (just as students were returning to campus!).  
Students seem to be mostly pleased with it as it is MUCH easier for them 
to get connected than our old home-grown custom solution was.  

How are others dealing with students who plug their laptop into a friend's 
room down the hall?  We are using all Cisco 3550 switches, with a 5 port 
HUB connected in each Res Hall room (we only have 1 data jack per 
room.......sigh).  So here's what I'm seeing.  Student is in room X.  They 
want to go visit with their friend in room A.  Student unplugs the laptop 
from the HUB in room X and plugs into the HUB in room A.  They can't 
pick up an IP from Clean Access.  The switch still knows the student's 
laptop is connected in room X and port-security blocks the MAC address in 
room A.  Default MAC aging is "absolute", so until the switch interface 
goes down (i.e. student unplugs the HUB) the MAC address will always show 
up on that switchport.  BTW - doing a "clear mac-address-table dynamic 
xxxx.xxxx.xxxx" won't actually remove the MAC from the port.  

It looks like we are running into a MAC aging issue....Without having them 
run down the hall to unplug the HUB, I've been temporarily changing the 
MAC aging time on the switchport in room X to 1 min inactive and it clears 
after 1 minute.  The student will then work in room A.  

Does anyone else have HUBs connected in their Res Hall rooms?  What does 
your switch interface config look like?  Here's a rundown of my basic 
setup for the switches:

ip dhcp snooping vlan 132,136,139-140,144,148,150,152,156,160,172
ip dhcp snooping database flash://snoop.dat
ip dhcp snooping
int fa0/xx
 switchport access vlan 136
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation restrict
 ip access-group RES-BLOCK-IN in
 speed 10
 duplex half
 storm-control broadcast level 10.00
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 30


I'd like to try setting the MAC aging on each port to something like this:

 switchport port-security aging time 5
 switchport port-security aging type inactivity


But I'm not sure 5 minutes is too long/too short.  What will happen with 
the Clean Access Agent when the switch doesn't see any packets from the 
client after 5 minutes and the switch removes the MAC address from the 
interface?  

I guess I'm just looking for how others have their switch interfaces 
configured, aging time and why you picked that timeout value, if you're 
using HUBs, etc.  

--greg
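An audit helper added here as an example; it is not part of Greg's post or of any Cisco tooling. It parses a constructed IOS running-config (interface names and sub-commands are made up) and reports, for each port with port-security enabled, when a secured MAC is released, using the IOS defaults (aging time 0 = never, aging type absolute) that produce the stuck-MAC behaviour described in the message.

```python
import re
# Constructed sample config (not from the post): Fa0/1 keeps the IOS defaults
# (aging time 0 = never, type absolute); Fa0/2 has the 5-minute inactivity aging.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security maximum 10
 switchport port-security
!
interface FastEthernet0/2
 switchport port-security maximum 10
 switchport port-security
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
interface FastEthernet0/3
 switchport access vlan 136
!
"""


def parse_interfaces(config: str) -> dict:
    """Split an IOS running-config into {interface name: [indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return interfaces


def audit_port_security_aging(config: str) -> dict:
    """For each port-security-enabled interface, say when a secured MAC is released."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport port-security" not in cmds:
            continue  # feature not enabled on this port, so no MAC is held
        aging = {"time": 0, "type": "absolute"}  # IOS defaults when not configured
        for cmd in cmds:
            m = re.match(r"switchport port-security aging (time|type) (\S+)", cmd)
            if m:
                aging[m.group(1)] = int(m.group(2)) if m.group(1) == "time" else m.group(2)
        if aging["time"] == 0:
            findings[name] = "held until link down or manual clear"
        elif aging["type"] == "absolute":
            findings[name] = f"removed after a fixed {aging['time']} min regardless of traffic"
        else:
            findings[name] = f"released after {aging['time']} min without traffic"
    return findings
```

Run it against the output of "show running-config" to list the ports that still hold a MAC until the HUB is unplugged.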
