08-14-2006 01:30 PM - edited 03-03-2019 04:30 AM
Hey all,
I have a peculiar issue with port security. Basically what's happening is this. I have User A and User B who cannot communicate with each other (ICMP, IP, everything) but have no problems with anyone else. We're all on the same VLAN and on the same switch. Port security is enabled with the same settings on all machines. If I were to disable port-security on one of the users, then both users can ping/connect to each other. What's weird is I don't have to disable it on both. No one else seems to have this issue. However, this has happened once more since, and the only similarity between them all is that they were all Dell Optiplex 620s.
08-14-2006 07:01 PM
Please provide the config.
Did you try to move the PC to other ports and test? If you move it to another port but it's still the same, it looks like the problem is with the PC, not the switch. Is there any firewall installed on the PC that blocks those packets?
Hope this helps.
08-15-2006 04:25 AM
I haven't tried moving them to other ports, and no firewalls are installed on the PCs. However, if I toggle port-security on one of the PCs you can definitely see the difference (turned on, it cannot be pinged by this one machine, nor vice versa).
Here's a sample config of what I use:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname switchA
!
enable secret 5 blah
enable password 7 blah
!
username blah password blah
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting auth-proxy default start-stop group tacacs+
!
!
aaa session-id common
clock timezone UTC -5
clock summer-time UTC recurring
ip subnet-zero
!
ip dhcp snooping vlan 1
ip dhcp snooping
!
cluster commander-address mem
!
no file verify auto
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation protect
 switchport port-security aging type inactiv
 spanning-tree portfast
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
 ip address 10.10.10.1 255.255.252.0
 no ip route-cache
!
ip classless
ip http server
ip http access-class 1
ip http secure-server
!
snmp-server community
snmp-server community
tacacs-server host 10.10.10.6
tacacs-server directed-request
tacacs-server key 7 blah
radius-server host 10.10.10.6 auth-port 1645 acct-port 1646 key 7 blah
radius-server source-ports 1645-1646
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
alias exec macsh sh mac-address | include
alias exec arpsh sh arp | include
!
line con 0
line vty 0 4
 access-class 1 in
 password 7 blah
line vty 5 15
 password 7 blah
!
ntp clock-period 36029099
ntp server 10.10.10.9
end
08-15-2006 11:22 PM
For the commands below:
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 1
switchport port-security violation protect
switchport port-security aging type inactiv
Did you try to remove them one by one and test which command causes the problem? And can you confirm the aging time is 1 min? I suggest trying to remove "violation" first and testing, then removing aging and testing again.
And is this port connected with more than 2 PCs at the same time? You configured maximum 2, and it limits the port to 2 MAC addresses only.
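As an added example (not code from this thread), the following script parses the kind of running-config posted above, pulls out each port's port-security settings, and flags ports using "violation protect". In protect mode, frames from MAC addresses beyond the configured maximum are dropped without a syslog message or SNMP trap, which is exactly the kind of silent, hard-to-diagnose blocking described in the original post; "restrict" drops the same frames but logs and counts them. The sample config is constructed for this example (it uses the full "inactivity" keyword and adds a hypothetical FastEthernet0/2 for contrast).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the access-port stanza posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation protect
 switchport port-security aging type inactivity
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

@dataclass
class PortSec:
    enabled: bool = False        # 'switchport port-security' present
    maximum: int = 1             # IOS default once port-security is enabled
    violation: str = "shutdown"  # IOS default violation mode
    aging_time: int = 0          # minutes; 0 means aging disabled
    aging_type: str = "absolute"

def parse_port_security(config: str) -> Dict[str, PortSec]:
    """Return per-interface port-security settings from a running-config."""
    ports: Dict[str, PortSec] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = PortSec()
        elif current and line.startswith("switchport port-security"):
            ps, args = ports[current], line.split()[2:]
            if not args:
                ps.enabled = True
            elif args[0] == "maximum":
                ps.maximum = int(args[1])
            elif args[0] == "violation":
                ps.violation = args[1]
            elif args[:2] == ["aging", "time"]:
                ps.aging_time = int(args[2])
            elif args[:2] == ["aging", "type"]:
                ps.aging_type = args[2]
    return ports

def audit(ports: Dict[str, PortSec]) -> List[str]:
    """Flag ports whose violation mode discards traffic with no log or trap."""
    return [f"{name}: 'violation protect' drops excess MACs silently; "
            f"use 'restrict' so drops are logged and counted"
            for name, ps in ports.items() if ps.enabled and ps.violation == "protect"]

if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE_CONFIG)):
        print(finding)
```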