Buy or Renew
Buy or Renew
Welcome to the new Cisco Community. LEARN MORE about the updates and what is coming.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

port security + access vlan dynamic

hjacquemin
Beginner
Beginner

‎04-09-2009 12:54 AM - edited ‎03-04-2019 04:18 AM

Hi all,

Since several weeks, we have encounter a downtime/instability in our LAN.

The root cause of the problem was : 1 Ethernet patch cord connected in loop on a noname microswitch

This microswitch was connected to a Cisco 2950G access switch running

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)

Disconnection of the microswitch and the loop solve our problem.

For internal and facilities reasons our customer ask us to continue to use these microswitches (typically in some meeting rooms).

So, I've performed a test (with such loop) with activation of the "debug ethernet-controller addresses" command on the switch,

it's seems this problem is caused by mac-addresses moving from the backbone uplink ports to the FE port connected to the microswitch.

See here an extract :

30w5d: 0000.0c07.ac0f has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: %VQPCLIENT-2-DENY: Host 0000.0c07.ac0f denied on interface Fa0/17

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 00d0.0265.e7fc, on port Fa0/17 vlan 350

30w5d: 00d0.0265.e7fc has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Add address 0011.0a9d.0ec9, on port Fa0/17 vlan 350

30w5d: 0011.0a9d.0ec9 has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: %VQPCLIENT-2-DENY: Host 00d0.0265.e7fc denied on interface Fa0/17

30w5d: %VQPCLIENT-2-DENY: Host 0011.0a9d.0ec9 denied on interface Fa0/17

30w5d: Add address 0017.a41d.640b, on port Gi0/1 vlan 350

30w5d: 0017.a41d.640b has moved from port Fa0/17 to port Gi0/1 in vlan 350

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350

30w5d: 0007.e90d.4a29 has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Delete address 0007.e90d.4a29, on port Fa0/17 vlan 350

30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350

So I've checked if it's possible to activate a security on the switchports in order to shutdown in case of trouble with this microswitch.

I've tried to limit the amount of mac per port like this :

CW17-C00(config-if)#switchport port-security aging time 120

FastEthernet0/17 is dynamic port. port-security parameters cannot be set.

But as you see, this command is not accepted by the Cisco switch because we are running vmps (and so the access port is in "dynamic" mode)

Can you say me if :

1/ This problem is solved by some new IOS versions ?

2/ If not, is it possible to use this port-security feature with LAN ports configured in 802.1x NAC ?

Labels:
0 Helpful
1 REPLY 1

mlitka
Explorer
Explorer

‎04-09-2009 09:22 AM

The problem could be that the switchport your dealing with is defaulted to 'dynamic desirable'. I would try issuing a 'switchport mode access' in interface configuration mode to statically set it to access mode.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents