cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2744
Views
0
Helpful
6
Replies

SG550X Stack, Port Security with Max-Addresses

llo!

 

We're facing some issues regarding Port Security with Max-Addresses on a SG550X stack with 3 switches.

 

#sh ver
Active-image: flash://system/images/cbs350_2.5.7.85.bin
Version: 2.5.7.85
MD5 Digest: e766e20b0d080a72db3ec00888d595a0
Date: 18-Jan-2021
Time: 21:15:01

 

#sh inventory

NAME: "1" DESCR: "SG550X-48P 48-Port Gigabit PoE Stackable Managed Switch"
PID: SG550X-48P-K9 VID: V04 SN: *************


NAME: "2" DESCR: "SG550X-48P 48-Port Gigabit PoE Stackable Managed Switch"
PID: SG550X-48P-K9 VID: V04 SN: *************


NAME: "3" DESCR: "SG550X-24P 24-Port Gigabit PoE Stackable Managed Switch"
PID: SG550X-24P-K9 VID: V04 SN: *************

 

Client access ports are configured with smart port type "ip_phone_desktop" and with "port security mode max-addresses" (max. of 10). On some of them phones and clients are connected, on some only clients and printers.

 

#sh run interface GigabitEthernet1/0/1

interface GigabitEthernet1/0/1
description "IP-Phone Desktop"
storm-control broadcast level 10
storm-control multicast level 10
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode trunk
switchport trunk allowed vlan 1
macro description ip_phone_desktop
macro auto smartport type ip_phone_desktop

 

#sh port security gig 1/0/1

Port status Learning Action Maximum Trap Frequency
--------- ---------- --------------- ---------- --------- -------- ----------
gi1/0/1 Enabled Max-Addresses Discard 10 Enabled 60

 

After a few days clients cannot connect to the network any more, because the count of learned mac addresses on these ports reaches the maximum of 10. But there was no change in the devices connected to the ports.

 

#sh ports security addresses gig 1/0/1

Port status Learning Current Maximum
------- -------- --------------- ---------- ----------
gi1/0/1 Enabled Max-Addresses 10 10

 

Problem occurs on all kinds of port assignment (one phone with one client, phone only, client only).

Workaround at the moment is to disable and reenable port security facing this problem to clear the mac address count.

 

Help would be appreciated to keep port security active for the clients. Otherwise we have to disable port security completely what we want to avoid due to security reasons.

 

Thank you and Best Regards,

Chris

6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

what you see MAC address table ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello!

 

Forget to say, in the mac address table we can see only the 1 or 2 devices connected to the port. No other MACs are listed.

 

#show mac address-table interface gig1/0/1
Flags: I - Internal usage VLAN
Aging time is 300 sec

Vlan Mac Address Port Type
------------ --------------------- ---------- ----------
1 00:0f:bb:18:9c:fd gi1/0/1 dynamic

 

I think the problem is, that only the counter of the current learned addresses for port security rises although there are no new addresses connected to the port.

 

BR,

Chris

thank you for the information, and you mentioned even though 1 MAC address, this port stop working isnt it ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello!

 

The problem are not the actual entries in the mac address table but the count of learned mac address in port security.

 

#sh ports security addresses gig 1/0/1

Port status Learning Current Maximum
------- -------- --------------- ---------- ----------
gi1/0/1 Enabled Max-Addresses 10 10

 

As you can see current addresses are 10, max addresses also 10. So when the client is powered up, its NIC sends its MAC address to the switch but the switch won't learn the MAC address as the max count for port security is reached. Regardless if the same MAC address had connection previously.

When port security is disabled and reenabled the current count is reset to 0 an the same client gets connection immediately.

 

So our problem is, that the address count of port security rises over time, even if only the same device with the same MAC address is connected to the port.

 

Thank you and BR,

Chris  

Hello!

 

Are there any new suggestions regarding the problem with the count of the max. addresses?

 

Thank you and BR,

Christian

Hello Christian,

 

Reading through your problem and current switch configuration, this would not have to happen i.e. dynamically learned MAC addresses from the end clients connected to the port should stay in the mac-address-table as learned, therefore, should not be discarded as an unlearned source addresses. 

 

As a suggestion, you may need to try the following. If possible try to reconfigure the port security in the following order.

1. Disable pot security learning mode on affected interfaces. (no port security)

2. Enable port security mode command first before the port security command. (port security mode max addresses and port security mode max 10)

3. Enable the port security learning mode (port security)

 

This is the order you always have to follow in order to enable port security/port security modes on your switch interfaces.

 

If the problem still persists you may need to contact our Cisco TAC support for further troubleshooting and investigation. Contact details are as follows:

 

https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html 

 

Thanks,

Martin