January 8th, 2014 14:00
Powerconnect 35XX port security
Hi. I'm trying to locate a CLI command that will allow me to quickly clear secure MAC addresses from a port secured with port security.
My interface configuration is pretty straightforward.
dot1x multiple-hosts
port sec max 2
port sec discard-shutdown
If I connect a different host than the original to the port it does as it should and trips port security. Now all is well, if I'm planning on reconnecting the original host. Issue the "set interface active ethernet eth#" global command and the port is back online. The problem arrives when I want to change the host. I have to completely remove the dot1x and port security configuration [minus the max], "set interface active" and then re-add the dot1x/port security configuration to the interface.
Is there a way to quickly clear the secure addresses from the port so that new addresses can be learned?
Thanks in advance.
-Andrew


DELL-Josh Cr
Moderator
January 9th, 2014 15:00
Try this command and see if it works.
Console# dot1x re-authenticate ethernet 1/eXX
DELL-Josh Cr
Moderator
January 8th, 2014 15:00
Hi Andrew,
The port security mode max-addresses command should clear the existing and start learning again. Page 122 in the manual: ftp://ftp.dell.com/Manuals/Common/powerconnect-3524_Reference%20Guide_en-us.pdf
abpanda
January 9th, 2014 14:00
Hi Josh,
Thanks for your response. Unfortunately the "max-addresses" command doesn't appear to solve my problem. Please confirm for me that I am interpreting the command correctly.
The "port security mode max-addresses" interface sub-command will delete any dynamic addresses and learn new addresses up to the defined max placing them secure as viewed with the "show bridge address-table ethernet eth#" command. Correct?
I need to be able to remove the old cached MAC from the interface and restore the interface without having to wait for the switch to forget the MAC. Even so, I tried waiting for the MAC to age out and then restoring the interface and it still would disable the port.
Below was the port configuration
dot1x multiple-hosts
port sec max 2
port security mode max-addresses
port sec discard-shutdown
I went as far as manually deleting the MAC with the VLAN interface sub-command,
"no bridge address H:H:H:H:H:H"
This deleted the MAC from the cache, but the switch still knew of it elsewhere, which I'm unable to locate with any CLI command.
Any ideas?
abpanda
January 10th, 2014 06:00
Josh! That was it!
The re-authenticate command combined with "set interface active" brought the port back up and accepted the new MAC.
Thanks for the support :)
-Andrew
abpanda
January 10th, 2014 06:00
One more question. Is there a way to view the MAC address that actually tripped the port? This would be useful if you had a MAC that was already cached to an interface and then moved and popped port security. It would allow me to easily clear the old port and the new port.
Nothing shows in the log buffer.
DELL-Josh Cr
Moderator
January 10th, 2014 07:00
The dot1x traps mac-authentication failure command should send traps when a MAC trips the security. Page 549 of the CLI guide.
DELL-Josh Cr
Moderator
January 10th, 2014 12:00
It may have been added in a later version and not documented. If you are able to update the firmware, we should try it and see if that adds the command. http://www.dell.com/support/drivers/us/en/19/DriverDetails/Product/powerconnect-3524?driverId=H0N05&fileId=2731101864&osCode=NAA
abpanda
January 10th, 2014 12:00
Josh,
I'm not seeing the "dot1x traps" command. Currently running 2.0.040.