Port Security

alexuilea99
Level 1

Greetings people!

I have recently bought a Cisco switch CBS350-24T-4G and am trying to configure port security on it. All great and stuff until I found that on 2 ports, once I have configured port security correctly, if I'm switching the two ports to each other, the devices don't have connection to the network, which is ok, but the action on violation which I have set (Shutdown) isn't taking any action. The port is still up but without connection. After some research I have found this line:

"When the secure MAC address is seen on another port, the frame is forwarded, but the MAC address is not learned on that port."

My question is: forwarded to what? Or more, how can I make it announce me if someone is switching or moving from a port to another? Because these things are not shown in the logs.

3 Replies

Hello,

The fact that the port doesn't show as shutdown when the violation condition happened seems to me to be some kind of software problem, probably a bug. As you mentioned that both devices don't have connection, it seems the ports were actually put in shutdown but the switch is failing to show this.

About the statement "When the secure MAC address is seen on another port, the frame is forwarded, but the MAC address is not learned on that port.", you could share the link here where you have found it just to get the whole context, but I understood that the switch forwards frames toward a port in which port security is enabled but doesn't populate the MAC address table with the MAC address.

About the logs, you have the option of traps in the port-security configuration. But it does require an SNMP server to process these traps.

• trap seconds—(Optional) Sends SNMP traps and specifies the minimum time interval in seconds between consecutive traps. (Range: 1–1000000)

And you should be able to see it in the logs of the switch by checking the show log command. Just make sure of the log level you are using on this switch.

alexuilea99
Level 1

The link is right from Cisco: https://www.cisco.com/assets/sol/sb/Switches_Emulators_v2_3_5_xx/help/350_550/index.html#page/tesla_350_550_olh/port_security.html

I have an SNMP server because we have an application that collects data from all the switches and creates diagrams of the end users and ports available, and that's the real problem: when switching ports, it's happening that the ports remain up but without connection to the network. When an event like this happens (switching ports), on the diagram all is fine, the ports don't show as shutdown. Instead, if I disconnect a port and introduce a new device, port security will work perfectly and shut down the port. All port security options are set up correctly. In fact at this point we can't really say that the condition on violation happens, because in the link it says that if there is a MAC already set up and it's discovered on another port, it doesn't do anything.

Another thing to mention about this: "As you mentioned that both devices don't have connection, it seems the ports were actually put in shutdown but the switch is failing to show this." When I switch them back as they were, all things work properly fine without any other actions needed.

The switch doesn't actually shut down the interface but puts it in error-disabled. I mean, you are not going to see the command "shutdown" on the port if you run a command like "show int status" or "show run int gx."
And usually the switch has a global policy in order to determine what to do next if the port goes to error-disable.

You need the command "errdisable recovery cause" in order for the switch to keep the port locked in case the violation takes place, otherwise the port will return to the original status.
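As an added example (not from this thread or from Cisco), here is how the pieces the replies mention fit together in Cisco 350-series CLI syntax: the violation action, the per-port trap interval, an SNMP trap destination, the buffered log level and the error-disable recovery policy. The interface name, community string and the 192.0.2.10 trap receiver are placeholders assumed for the example; note that "errdisable recovery cause" enables automatic re-activation after the interval, so leave it out if a violated port should stay error-disabled until an administrator re-activates it.

```cisco
! Added example, assumed from the Cisco 350-series CLI; interface name,
! community string and trap receiver address are placeholders.
configure terminal
! Buffer informational and higher messages so port-security events
! show up in "show logging" (the "show log" the reply refers to).
logging buffered informational
! Send traps to the monitoring server that already polls the switches.
snmp-server host 192.0.2.10 traps version 2c MONITOR-COMMUNITY
!
! Lock the port to the addresses it has already learned; on a violation
! error-disable it and raise a trap at most once every 60 seconds.
interface GigabitEthernet1/0/5
 port security mode lock
 port security discard-shutdown trap 60
 exit
!
! Optional: bring error-disabled ports back automatically after 300 s.
! Without these two lines the port stays error-disabled until an
! administrator re-activates it, which is usually what you want for
! a port-security violation.
errdisable recovery cause port-security
errdisable recovery interval 300
end
! Verification: which ports are error-disabled, for which cause, and
! whether the violation was logged.
show errdisable interfaces
show logging
```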