port security + access vlan dynamic

hjacquemin · ‎04-09-2009

Hi all,

Since several weeks, we have encounter a downtime/instability in our LAN.

The root cause of the problem was : 1 Ethernet patch cord connected in loop on a noname microswitch

This microswitch was connected to a Cisco 2950G access switch running

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)

Disconnection of the microswitch and the loop solve our problem.

For internal and facilities reasons our customer ask us to continue to use these microswitches (typically in some meeting rooms).

So, I've performed a test (with such loop) with activation of the "debug ethernet-controller addresses" command on the switch,

it's seems this problem is caused by mac-addresses moving from the backbone uplink ports to the FE port connected to the microswitch.

See here an extract :

30w5d: 0000.0c07.ac0f has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: %VQPCLIENT-2-DENY: Host 0000.0c07.ac0f denied on interface Fa0/17

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 00d0.0265.e7fc, on port Fa0/17 vlan 350

30w5d: 00d0.0265.e7fc has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Add address 0011.0a9d.0ec9, on port Fa0/17 vlan 350

30w5d: 0011.0a9d.0ec9 has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: %VQPCLIENT-2-DENY: Host 00d0.0265.e7fc denied on interface Fa0/17

30w5d: %VQPCLIENT-2-DENY: Host 0011.0a9d.0ec9 denied on interface Fa0/17

30w5d: Add address 0017.a41d.640b, on port Gi0/1 vlan 350

30w5d: 0017.a41d.640b has moved from port Fa0/17 to port Gi0/1 in vlan 350

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350

30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350

30w5d: 0007.e90d.4a29 has moved from port Gi0/1 to port Fa0/17 in vlan 350

30w5d: Delete address 0007.e90d.4a29, on port Fa0/17 vlan 350

30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350

So I've checked if it's possible to activate a security on the switchports in order to shutdown in case of trouble with this microswitch.

I've tried to limit the amount of mac per port like this :

CW17-C00(config-if)#switchport port-security aging time 120

FastEthernet0/17 is dynamic port. port-security parameters cannot be set.

But as you see, this command is not accepted by the Cisco switch because we are running vmps (and so the access port is in "dynamic" mode)

Can you say me if :

1/ This problem is solved by some new IOS versions ?

2/ If not, is it possible to use this port-security feature with LAN ports configured in 802.1x NAC ?

mlitka · ‎04-09-2009

The problem could be that the switchport your dealing with is defaulted to 'dynamic desirable'. I would try issuing a 'switchport mode access' in interface configuration mode to statically set it to access mode.