SG550X Stack, Port Security with Max-Addresses

Hello!

We're facing some issues regarding Port Security with Max-Addresses on a SG550X stack with 3 switches.


#sh ver
Active-image: flash://system/images/cbs350_2.5.7.85.bin
Version: 2.5.7.85
MD5 Digest: e766e20b0d080a72db3ec00888d595a0
Date: 18-Jan-2021
Time: 21:15:01


#sh inventory

NAME: "1" DESCR: "SG550X-48P 48-Port Gigabit PoE Stackable Managed Switch"
PID: SG550X-48P-K9 VID: V04 SN: *************

NAME: "2" DESCR: "SG550X-48P 48-Port Gigabit PoE Stackable Managed Switch"
PID: SG550X-48P-K9 VID: V04 SN: *************

NAME: "3" DESCR: "SG550X-24P 24-Port Gigabit PoE Stackable Managed Switch"
PID: SG550X-24P-K9 VID: V04 SN: *************

Client access ports are configured with smart port type "ip_phone_desktop" and with "port security mode max-addresses" (max. of 10). On some of them phones and clients are connected, on some only clients and printers.


#sh run interface GigabitEthernet1/0/1

interface GigabitEthernet1/0/1
description "IP-Phone Desktop"
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport trunk allowed vlan 1
macro description ip_phone_desktop
macro auto smartport type ip_phone_desktop


#sh port security gig 1/0/1

Port      Status    Learning        Action     Maximum   Trap     Frequency
--------- --------- --------------- ---------- --------- -------- ----------
gi1/0/1   Enabled   Max-Addresses   Discard    10        Enabled  60

After a few days clients cannot connect to the network any more, because the count of learned mac addresses on these ports reaches the maximum of 10. But there was no change in the devices connected to the ports.


#sh ports security addresses gig 1/0/1

Port      Status    Learning        Current    Maximum
--------- --------- --------------- ---------- ----------
gi1/0/1   Enabled   Max-Addresses   10         10

Problem occurs on all kinds of port assignment (one phone with one client, phone only, client only).

The workaround at the moment is to disable and re-enable port security on the ports facing this problem, to clear the MAC address count.

Help would be appreciated to keep port security active for the clients. Otherwise we have to disable port security completely, which we want to avoid for security reasons.

Thank you and Best Regards,

Chris

6 Replies

balaji.bandi
VIP Community Legend

What do you see in the MAC address table?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello!


Forgot to say: in the MAC address table we can see only the 1 or 2 devices connected to the port. No other MACs are listed.

#show mac address-table interface gig1/0/1
Flags: I - Internal usage VLAN
Aging time is 300 sec

Vlan          Mac Address            Port        Type
------------  ---------------------  ----------  ----------
1             00:0f:bb:18:9c:fd      gi1/0/1     dynamic

I think the problem is that only the counter of currently learned addresses for port security rises, although there are no new addresses connected to the port.

BR,

Chris
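A small cross-check, added here as an example and not part of this thread or of the switch's own tooling: it parses the two outputs quoted above (show port security addresses and show mac address-table, reproduced below as constructed sample text) and lists the ports whose port-security counter has climbed above what the MAC table actually holds and is close to the maximum, which is the drift described in this thread. The exact column layout and the 80% warning threshold are assumptions.

```python
import re

# Constructed sample output, modelled on the outputs quoted in this thread.
PORT_SECURITY_OUTPUT = """\
Port     Status   Learning       Current  Maximum
-------  -------  -------------  -------  -------
gi1/0/1  Enabled  Max-Addresses  10       10
gi1/0/2  Enabled  Max-Addresses  2        10
gi1/0/3  Enabled  Max-Addresses  9        10
"""
MAC_TABLE_OUTPUT = """\
Aging time is 300 sec
  Vlan          Mac Address         Port       Type
------------ --------------------- ---------- ----------
     1       00:0f:bb:18:9c:fd      gi1/0/1    dynamic
     1       00:0f:bb:18:9c:fe      gi1/0/2    dynamic
     1       00:11:22:33:44:55      gi1/0/2    dynamic
     1       00:11:22:33:44:66      gi1/0/3    dynamic
"""
PS_ROW = re.compile(r"^(gi\d+/\d+/\d+)\s+\S+\s+\S+\s+(\d+)\s+(\d+)$")
MAC_ROW = re.compile(r"^\s*\d+\s+[0-9a-f:]{17}\s+(gi\d+/\d+/\d+)\s+(\S+)", re.I)

def parse_port_security(text):
    """Return {port: (current, maximum)} from 'show port security addresses'."""
    rows = {}
    for line in text.splitlines():
        m = PS_ROW.match(line.strip())
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows

def count_mac_table(text):
    """Return {port: dynamic entries} from 'show mac address-table'."""
    counts = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m and m.group(2).lower() == "dynamic":
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def find_drifted_ports(ps_text, mac_text, warn_at=0.8):
    """Ports whose port-security 'Current' exceeds the MAC table's count and
    has reached warn_at * Maximum: (port, current, maximum, seen), worst first."""
    seen_by_port = count_mac_table(mac_text)
    drifted = []
    for port, (current, maximum) in parse_port_security(ps_text).items():
        seen = seen_by_port.get(port, 0)
        if current > seen and current >= warn_at * maximum:
            drifted.append((port, current, maximum, seen))
    return sorted(drifted, key=lambda r: r[1] / r[2], reverse=True)
```

Run against the sample, gi1/0/1 (10/10 with one real MAC) and gi1/0/3 (9/10 with one real MAC) are reported, while gi1/0/2 (2/10 with two real MACs) is healthy; the reported ports are the ones where the disable/re-enable workaround is due.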

Thank you for the information. You mentioned that even with only 1 MAC address, this port stops working, isn't it?

BB


Christian Woegerbauer