04-09-2009 12:54 AM - edited 03-04-2019 04:18 AM
Hi all,
For several weeks we have encountered downtime/instability in our LAN.
The root cause of the problem was: one Ethernet patch cord connected in a loop on a no-name microswitch.
This microswitch was connected to a Cisco 2950G access switch running
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Disconnecting the microswitch and the loop solved our problem.
For internal and facilities reasons our customer asks us to continue to use these microswitches (typically in some meeting rooms).
So I performed a test (with such a loop) with the "debug ethernet-controller addresses" command activated on the switch;
it seems this problem is caused by MAC addresses moving from the backbone uplink ports to the FE port connected to the microswitch.
Here is an extract:
30w5d: 0000.0c07.ac0f has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: %VQPCLIENT-2-DENY: Host 0000.0c07.ac0f denied on interface Fa0/17
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 00d0.0265.e7fc, on port Fa0/17 vlan 350
30w5d: 00d0.0265.e7fc has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Add address 0011.0a9d.0ec9, on port Fa0/17 vlan 350
30w5d: 0011.0a9d.0ec9 has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: %VQPCLIENT-2-DENY: Host 00d0.0265.e7fc denied on interface Fa0/17
30w5d: %VQPCLIENT-2-DENY: Host 0011.0a9d.0ec9 denied on interface Fa0/17
30w5d: Add address 0017.a41d.640b, on port Gi0/1 vlan 350
30w5d: 0017.a41d.640b has moved from port Fa0/17 to port Gi0/1 in vlan 350
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350
30w5d: 0007.e90d.4a29 has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Delete address 0007.e90d.4a29, on port Fa0/17 vlan 350
30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350
So I checked whether it is possible to activate security on the switchports in order to shut down in case of trouble with this microswitch.
I tried to limit the number of MACs per port like this:
CW17-C00(config-if)#switchport port-security aging time 120
FastEthernet0/17 is dynamic port. port-security parameters cannot be set.
But as you can see, this command is not accepted by the Cisco switch because we are running VMPS (and so the access port is in "dynamic" mode).
Can you tell me:
1/ Is this problem solved by some newer IOS version?
2/ If not, is it possible to use this port-security feature with LAN ports configured for 802.1x NAC?
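As an added example, not part of the post above, here is a small Python script that runs over the debug extract quoted in the post and turns the individual "has moved" and VQPCLIENT-2-DENY lines into a per-port summary: how many distinct MAC addresses left the uplink for an edge port, which addresses bounced back and forth, and how many VMPS denials the port produced. The uplink name (Gi0/1) and the port Fa0/17 come from the post; the thresholds (three MACs moved from the uplink, or any MAC moving twice) are assumed values chosen for illustration.

```python
"""Summarise MAC-address moves away from an uplink in Cisco
'debug ethernet-controller addresses' output.

Added example; the regexes and thresholds are assumptions, not Cisco code.
"""
import re
from collections import defaultdict

MOVE_RE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) has moved from port "
    r"(?P<src>\S+) to port (?P<dst>\S+) in vlan (?P<vlan>\d+)"
)
DENY_RE = re.compile(
    r"%VQPCLIENT-2-DENY: Host (?P<mac>\S+) denied on interface (?P<port>\S+)"
)

# The debug extract quoted in the thread (switch output, copied as-is).
SAMPLE_LOG = """\
30w5d: 0000.0c07.ac0f has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: %VQPCLIENT-2-DENY: Host 0000.0c07.ac0f denied on interface Fa0/17
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 00d0.0265.e7fc, on port Fa0/17 vlan 350
30w5d: 00d0.0265.e7fc has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Add address 0011.0a9d.0ec9, on port Fa0/17 vlan 350
30w5d: 0011.0a9d.0ec9 has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: %VQPCLIENT-2-DENY: Host 00d0.0265.e7fc denied on interface Fa0/17
30w5d: %VQPCLIENT-2-DENY: Host 0011.0a9d.0ec9 denied on interface Fa0/17
30w5d: Add address 0017.a41d.640b, on port Gi0/1 vlan 350
30w5d: 0017.a41d.640b has moved from port Fa0/17 to port Gi0/1 in vlan 350
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: 0017.a41d.640b has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Delete address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 0017.a41d.640b, on port Fa0/17 vlan 350
30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350
30w5d: 0007.e90d.4a29 has moved from port Gi0/1 to port Fa0/17 in vlan 350
30w5d: Delete address 0007.e90d.4a29, on port Fa0/17 vlan 350
30w5d: Add address 0007.e90d.4a29, on port Fa0/17 vlan 350
"""


def parse_events(lines):
    """Yield ('move', mac, src, dst, vlan) or ('deny', mac, port) for each
    matching line; 'Add'/'Delete' lines carry no move information and are skipped."""
    for line in lines:
        m = MOVE_RE.search(line)
        if m:
            yield ("move", m["mac"], m["src"], m["dst"], int(m["vlan"]))
            continue
        d = DENY_RE.search(line)
        if d:
            yield ("deny", d["mac"], d["port"])


def analyse(lines, uplink, min_macs=3, min_moves_per_mac=2):
    """Per edge port: distinct MACs that left the uplink for it, MACs that
    moved repeatedly between it and the uplink, and VMPS denials.
    Returns (per_port summary dict, sorted list of flagged ports)."""
    per_port = defaultdict(lambda: {"macs_from_uplink": set(), "moves": 0,
                                    "denies": 0, "flapping": set()})
    move_count = defaultdict(int)  # (mac, edge port) -> moves touching that pair
    for ev in parse_events(lines):
        if ev[0] == "move":
            _, mac, src, dst, _vlan = ev
            # Only moves that involve the uplink are interesting here.
            edge = dst if src == uplink else src if dst == uplink else None
            if edge is None:
                continue
            rec = per_port[edge]
            rec["moves"] += 1
            if dst == edge:
                rec["macs_from_uplink"].add(mac)
            move_count[(mac, edge)] += 1
            if move_count[(mac, edge)] >= min_moves_per_mac:
                rec["flapping"].add(mac)
        else:
            _, mac, port = ev
            per_port[port]["denies"] += 1
    flagged = sorted(p for p, r in per_port.items()
                     if len(r["macs_from_uplink"]) >= min_macs or r["flapping"])
    return dict(per_port), flagged


if __name__ == "__main__":
    summary, flagged = analyse(SAMPLE_LOG.splitlines(), "Gi0/1")
    for port in flagged:
        r = summary[port]
        print(f"{port}: {len(r['macs_from_uplink'])} MACs moved from uplink, "
              f"{r['moves']} moves, {r['denies']} VMPS denials, "
              f"flapping={sorted(r['flapping'])}")
```

On the extract above the script flags Fa0/17 only: five distinct addresses moved from Gi0/1 to it, 0017.a41d.640b went back and forth, and the port produced three VMPS denials. The same logic can be pointed at a syslog feed instead of a debug capture, with the uplink name taken from the topology rather than hard-coded.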
04-09-2009 09:22 AM
The problem could be that the switchport you're dealing with is defaulted to 'dynamic desirable'. I would try issuing a 'switchport mode access' in interface configuration mode to statically set it to access mode.
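As an added example (not from either post), this is what the reply's suggestion looks like when combined with the port-security limit the original poster tried, written as IOS configuration for the Fa0/17 port and VLAN 350 named in the thread. The MAC limit of 4, the violation mode, the aging type and the errdisable recovery interval are assumed values; pinning the port to a static access VLAN gives up VMPS-based dynamic VLAN assignment on that port, which is the trade-off behind the poster's second question.

```text
! Assumed example configuration, not from the thread.
! Fa0/17 is taken out of VMPS dynamic assignment and pinned to a static
! access VLAN so that the port-security commands are accepted.
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 350
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation shutdown
 switchport port-security aging time 120
 switchport port-security aging type inactivity
!
! Let a port shut down by a violation come back on its own once the
! loop has been removed, instead of waiting for a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

With violation mode "shutdown" the port goes err-disabled as soon as a fifth address appears behind the microswitch, which is the behaviour the poster asked for; "show port-security interface FastEthernet0/17" and "show errdisable recovery" show the current counters and recovery state.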