As far as I know there should not be an issue with port security and mac notification, unless there is a switch bug (which should be fixed). I'll get the documentation fixed.
Thanks
-Alok

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Jeremy Wood
Sent: Tuesday, January 20, 2009 7:14 AM
To: [email protected]
Subject: Re: How do you detect Internet Connection Sharing?

I had always assumed that because the CAM documentation stated that port security was only supported with link-up notification that there was some backend voodoo that went on.....I have never actually tried it. This is awesome information though, I'll be putting this into testing ASAP!

--Jeremy

On Tue, Jan 20, 2009 at 09:32, Calvin Krzywiec <[email protected]> wrote:
> Jeremy,
>
> We use port security along with mac-notification on our Cisco 3560's
> [running 12.2(40)SE] without a problem. I'd be curious as to what
> problems you have seen using the two together.
>
> Sample config:
>
> interface FastEthernet0/10
>  switchport access vlan <auth vlan>
>  switchport mode access
>  switchport port-security
>  switchport port-security aging time 2
>  switchport port-security violation restrict
>  switchport port-security aging type inactivity
>  ip arp inspection limit rate 15 burst interval 10
>  snmp trap mac-notification change added
>  no cdp enable
>  spanning-tree portfast
>  spanning-tree bpduguard enable
>  ip verify source
>  ip dhcp snooping limit rate 50
> !
>
> Thanks,
>
> --
> Cal A. Krzywiec
> Network Engineer
> The University of Scranton
> Phone: (570) 941-6748
> Email: [email protected]
>
> Jeremy Wood wrote:
>> We have this enabled on our access switches too but unfortunately it
>> only stops 'smart switches' that use STP. Switches that don't do STP
>> (yes they are out there) and hubs will still work. The only real way
>> to stop this is enabling port security on each port as that will
>> prevent more than one MAC from being used on the port, but it will not
>> work with Mac-Notification :(
>>
>> Personally, I have been addressing this on a case by case basis
>> (shutdown the port and let our helpdesk know) because it isn't a huge
>> issue yet but I've been trying to figure out ways to automate the
>> process so that I can waste less time on it.
>>
>> --Jeremy
>>
>> On Mon, Jan 19, 2009 at 23:00, Bruce Hodge <[email protected]> wrote:
>>
>>> I don't know if you guys worked this one out but
>>> we just do it at the switch with
>>>
>>> spanning-tree bpdufilter enable
>>>
>>> If there is more than one MAC it turns the port off.
>>>
>>> to
>>> Bruce Hodge
>>> Senior Communication Specialist
>>> University of Newcastle
>>> Australia
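
An added example, not code from anyone in this thread: a small Python audit that reads IOS-style interface stanzas and reports, per access port, whether port security and the MAC-notification trap from the sample config above are both present. The function names and the sample text are assumptions made for illustration; the defaults it applies (one MAC, violation mode shutdown) are the IOS defaults when `switchport port-security` appears without further options.

```python
import re

# Constructed sample: Fa0/10 is trimmed from the config quoted in the thread;
# Fa0/11 is a constructed port that has the trap but no port security.
SAMPLE = """\
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 snmp trap mac-notification change added
 spanning-tree bpduguard enable
!
interface FastEthernet0/11
 switchport mode access
 snmp trap mac-notification change added
!
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS-style config text."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif not raw.startswith(" "):  # "!" or another top-level line ends the stanza
            current = None
        elif current is not None:
            current.append(line)
    return ports

def audit(config):
    """Per access port, report the settings discussed in the thread (hypothetical helper)."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        secured = "switchport port-security" in lines
        text = "\n".join(lines)
        limit = re.search(r"^switchport port-security maximum (\d+)", text, re.M)
        mode = re.search(r"^switchport port-security violation (\w+)", text, re.M)
        report[name] = {
            "port_security": secured,
            "max_macs": int(limit.group(1)) if limit else (1 if secured else None),
            "violation": mode.group(1) if mode else ("shutdown" if secured else None),
            "mac_notification": any(l.startswith("snmp trap mac-notification") for l in lines),
            "bpduguard": "spanning-tree bpduguard enable" in lines,
        }
    return report
```

Ports that report `port_security` as false are the ones where a hub or a sharing host can present several MAC addresses without the switch reacting.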
