Description of a problem I ran into recently:
802.1x is enabled on a switch port, with a hub, unmanaged switch or wireless AP connected below it. When a laptop connected below it moves from one port to another port of the switch, show auth session shows that its authentication session is still on the original port. It can be cleared with the command clear auth session mac mac-address.
But in day-to-day operations, what do you do when there are many hubs connected below? You can't possibly log in and clear the sessions every time. Thinking about how 802.1x authentication works, I re-read the 802.1x authentication section of the Cisco 3560 switch documentation; this can be solved with the 802.1x MAC move feature. The relevant content is as follows:
MAC Move
When a MAC address is authenticated on one switch port, that address is not allowed on another 802.1x port of the switch. If the switch detects that same MAC address on another 802.1x port, the address is not allowed.
There are situations where a MAC address might need to move from one port to another on the same switch. For example, when there is another device (for example a hub or an IP phone) between an authenticated host and a switch port, you might want to disconnect the host from the device and connect it directly to another port on the same switch.
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port.
MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter which host mode is enabled on that port.)
Note MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.
For more information see the "Enabling MAC Move" section.
Enabling MAC Move
MAC move allows an authenticated host to move from one port on the switch to another.
Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
The configuration steps are as follows:
Step 1: configure terminal (enter global configuration mode)
Step 2: authentication mac-move permit (enable MAC move on the switch)
Step 3: end (return to privileged EXEC mode)
Verify the configuration: show run
Save the configuration: copy running-config startup-config
This example shows how to globally enable MAC move on a switch:
Switch(config)# authentication mac-move permit
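As an added example (not from the original post and not from Cisco's documentation), the following puts the global MAC move setting next to the 802.1x port configuration it applies to, and lists the verification and clean-up commands referred to at the top of the post. The RADIUS server address and key, the interface names and the client MAC address are assumed placeholders; adjust them to your environment.

```cisco
! --- Added example: 802.1x with MAC move on a Catalyst 3560 ---
! Assumed values: RADIUS server 192.0.2.10 with key RadiusSharedSecret,
! access ports Fa0/1 and Fa0/2, client MAC 0011.2233.4455.

! AAA and 802.1x must be enabled globally before MAC move has any effect
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RadiusSharedSecret
dot1x system-auth-control

! Allow an authenticated MAC to move between 802.1x ports on this switch:
! the session on the old port is deleted and the host is reauthenticated
! on the new port, so no manual "clear authentication sessions" is needed
authentication mac-move permit

! Two access ports with a hub or AP behind them. multi-auth authenticates
! every host behind the hub individually. No port-security is configured,
! because MAC move is not supported on port-security enabled 802.1x ports.
interface FastEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
interface FastEthernet0/2
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
end

! Verification from privileged EXEC mode:
! show running-config | include mac-move      (expect "authentication mac-move permit")
! show authentication sessions                (after the move, the MAC should be listed on Fa0/2, not Fa0/1)
! show authentication sessions interface FastEthernet0/1
!
! Manual fallback, i.e. what the post did before enabling MAC move:
! clear authentication sessions mac 0011.2233.4455
```

After moving the laptop from the hub on Fa0/1 to Fa0/2, run show authentication sessions on both ports: the entry for the MAC should disappear from Fa0/1 and reappear on Fa0/2 once the host has reauthenticated. If the new port has port-security enabled, expect a violation instead of a successful move.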