Wired Intelligent Edge

  • 1.  AOS-CX Port Security configuration validation

    Posted Sep 06, 2023 08:36 PM

    Hi all,

    I have a customer with the following interface configuration on their AOS-CX switches:

    interface 1/1/30
        no shutdown
        no routing
        vlan access 100
        spanning-tree bpdu-guard
        spanning-tree tcn-guard
        spanning-tree port-type admin-edge
        port-access security violation action shutdown
        port-access security violation action shutdown auto-recovery enable
        port-access security violation action shutdown recovery-timer 60
        port-access port-security
            enable
        no lldp transmit
        no lldp receive
        no cdp
        loop-protect
        exit

    But when a dumb switch is connected to the port, it never shuts down. They want to ensure only a single MAC address is permitted, which is the default value when no limit is specified.

    There are currently 12 MAC addresses connected to that port:

    show mac-address-table int 1/1/30
    MAC age-time            : 300 seconds
    Number of MAC addresses : 12
    MAC Address          VLAN     Type                      Interface
    -------------------------------------------------------------------
    xx:xx:xx:xx:f9:d9    100     dynamic                   1/1/30
    xx:xx:xx:xx:c0:fd    100     dynamic                   1/1/30
    xx:xx:xx:xx:c0:47    100     dynamic                   1/1/30
    xx:xx:xx:xx:bc:83    100     dynamic                   1/1/30
    xx:xx:xx:xx:ba:e3    100     dynamic                   1/1/30
    xx:xx:xx:xx:ba:b9    100     dynamic                   1/1/30
    xx:xx:xx:xx:ba:e5    100     dynamic                   1/1/30
    xx:xx:xx:xx:ba:ef    100     dynamic                   1/1/30
    xx:xx:xx:xx:bb:12    100     dynamic                   1/1/30
    xx:xx:xx:xx:bb:a0    100     dynamic                   1/1/30
    xx:xx:xx:xx:bb:ea    100     dynamic                   1/1/30


    And I also get the following message using the verification commands:

    show port-access port-security interface 1/1/30 port-statistics
    Port-security is not configured.


    show port-access port-security interface 1/1/30 client-status
    Port-security is not configured.

    What am I missing?

    There is a command to enable port-access port-security globally, but the documentation doesn't say anything about enabling this first - in fact, I would rather not enable it globally and have to remove it from the interfaces that don't require it.



    ------------------------------
    Regards,

    Brett V
    ------------------------------


  • 2.  RE: AOS-CX Port Security configuration validation

    Posted Sep 21, 2023 09:29 PM

    I logged a TAC case, and despite the documentation suggesting that the feature can be enabled globally or at the port level, the command is required at the global level.

    At least in firmware version 10.10.1010, enabling it in the global context allows you to configure it at the port level. There is no way to enable the command on all ports without entering config on the individual ports.



    ------------------------------
    Regards,

    Brett V
    ------------------------------



  • 3.  RE: AOS-CX Port Security configuration validation
    Best Answer

    Posted Sep 22, 2023 03:54 AM

    Hi Brett.

    I agree that the documentation about enabling the port security feature is not very clear about these global/per-port settings.

    As I read it, you need to enable "port-access port-security enable" globally to tell the switch to activate the feature. Then you need to configure each individual port where you would like to have the port-security policy/features enabled. If no features are enabled on a port, that port will not use any port-security features.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------
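    The global/per-port dependency Gorazd describes is easy to miss in a long running-config, so here is an added validation script (not from this thread or from Aruba; the indentation-based parser and the sample config are my own construction) that flags interfaces whose port-security block is configured but dormant because the global "port-access port-security enable" line is absent.

    ```python
    import re

    SAMPLE_CONFIG = """\
    interface 1/1/30
        vlan access 100
        port-access security violation action shutdown
        port-access port-security
            enable
    interface 1/1/31
        vlan access 100
    interface 1/1/32
        port-access port-security
            enable
            client-limit 2
    """  # constructed sample running-config, modelled on the thread's posts

    def parse(config):
        """One pass over the indented config: (global_enabled, {iface: port-security lines or None})."""
        global_enabled, ifaces, cur, depth = False, {}, None, None
        for line in config.splitlines():
            text, indent = line.strip(), len(line) - len(line.lstrip())
            if not text:
                continue
            if indent == 0:  # global context: look for the global enable and interface headers
                global_enabled |= text == "port-access port-security enable"
                m = re.match(r"interface (\S+)$", text)
                cur = m.group(1) if m else None
                if cur:
                    ifaces[cur], depth = None, None
            elif cur and text == "port-access port-security":
                ifaces[cur], depth = [], indent  # start of the per-port block
            elif cur and depth is not None and indent > depth:
                ifaces[cur].append(text)  # nested under port-access port-security
            else:
                depth = None  # block ended (or a line outside any interface)
        return global_enabled, ifaces

    def validate(config):
        """Per-port 'enable' is dormant until the global enable exists (the thread's finding)."""
        global_enabled, ifaces = parse(config)
        report = {}
        for name, block in ifaces.items():
            if block is None or "enable" not in block:
                report[name] = "no port-security"
                continue
            # Explicit client-limit if set; the thread states the default is 1.
            limit = next((t.split()[-1] for t in block if t.startswith("client-limit")), "1")
            report[name] = (f"active, client-limit {limit}" if global_enabled
                            else "configured but DORMANT: global enable missing")
        return report
    ```

    Run validate() over the output of "show running-config" before and after adding the global line; every per-port policy should flip from DORMANT to active, matching what Brett observed when the suspicious ports shut down.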



  • 4.  RE: AOS-CX Port Security configuration validation

    Posted Oct 27, 2023 02:22 AM

    Thanks - adding the global command port-access port-security enable as you suggested immediately shut down a few suspicious ports where port-security was enabled on the interface.



    ------------------------------
    Regards,

    Brett V
    ------------------------------



  • 5.  RE: AOS-CX Port Security configuration validation

    Posted Oct 03, 2023 04:02 PM


    This is what I use and seems to work well:

    ...

    spanning-tree
    port-access port-security enable
    interface 1/1/1

    ....

        port-access security violation action shutdown
        port-access security violation action shutdown auto-recovery enable
        port-access security violation action shutdown recovery-timer 60
        port-access port-security
            enable
            mac-address zz:xx:yy:zz:xx:78

    This allows for a single "static" mac-address to be used.




  • 6.  RE: AOS-CX Port Security configuration validation

    Posted Oct 05, 2023 12:09 AM

    I am using:

    port-access port-security client-limit #

    port-access port-security sticky-learn enable