10-15-2014 10:57 AM - last edited on 03-25-2019 04:30 PM by ciscomoderator
Hi all,
We have 8 stacks of 2960Xs, which we installed earlier this year. For the past few months, we have been running into many issues with port security. It started with ports with IP phones. We originally used a port security max of 2 (one for phone and one for PC), but then found out that sometimes the phones use 2 MACs (one for data and one for voice), so we bumped them up to max of 3.
Now we are running into issues where the switches are logging violations and even going err-disabled on ports with only a PC. The switches, on some ports, show a max of 2 with 1 in use, and still log violations (only one device connects to the port and no virts). I have had to bump ports up as high as max 5 for it to stop logging violations for 1 PC with no virts on it. We also have a port that is a max of 5 and showing 2 in use, but still logs violations. I have also seen ports with nothing connected logging port-security violations.
It is not all of the stacks, but definitely our 5 heaviest used stacks.
Has anyone run into this? Is this a software bug? Any advice?
Thanks,
James
10-15-2014 12:12 PM
Have you run "#debug port-security" on any of the switches?
If you did, what's the output?
11-20-2014 06:48 AM
Sorry for the delayed response, but I wanted to wait until our next round of deployments.
This morning, I had a port with phone+desktop. Port security was set to 3 max, was showing 2 addresses for the port, but logging security violations and keeping the phone from registering.
Disconnected devices and started debug port-sec, but didn't get any output after connecting everything. However, this is the output from sh logging for that port this morning:
RVAPsw22#sh logg | i 3/0/10
Nov 20 09:23:33.372 EST: PSECURE: Install IP Phone 6cfa.8903.fc2c on interface GigabitEthernet3/0/10 on vlan 1022
Nov 20 09:23:33.372 EST: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 6cfa.8903.fc2c, swidb = Gi3/0/10, vlan = 1022, linktype = NullPak
Nov 20 09:23:33.375 EST: PSECURE: swidb = GigabitEthernet3/0/10 mac_addr = 6cfa.8903.fc2c vlanid = 1022
Nov 20 09:23:33.375 EST: PSECURE: Adding 6cfa.8903.fc2c as dynamic on port Gi3/0/10 for vlan 1022
Nov 20 09:23:33.374 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:23:39.484 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:23:51.486 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:24:07.498 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:24:28.308 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:24:33.734 EST: PSECURE: Install IP Phone 6cfa.8903.fc2c on interface GigabitEthernet3/0/10 on vlan 1022
Nov 20 09:24:33.734 EST: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 6cfa.8903.fc2c, swidb = Gi3/0/10, vlan = 1022, linktype = NullPak
Nov 20 09:24:33.738 EST: PSECURE: swidb = GigabitEthernet3/0/10 mac_addr = 6cfa.8903.fc2c vlanid = 1022
Nov 20 09:24:33.738 EST: PSECURE: Adding 6cfa.8903.fc2c as dynamic on port Gi3/0/10 for vlan 1022
Nov 20 09:24:33.555 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Below is the output from 'sh auth sess' while the port was logging violations:
RVAPsw22#sh auth sess int gi3/0/10
            Interface:  GigabitEthernet3/0/10
          MAC Address:  0019.bb46.70cc
           IP Address:  x.x.x.14
            User-Name:  xxxxx
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A5F01160001E1CF9EC04C60
      Acct Session ID:  0x000295A0
               Handle:  0x210008AF

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
----------------------------------------
            Interface:  GigabitEthernet3/0/10
          MAC Address:  6cfa.8903.fc2c
           IP Address:  Unknown
            User-Name:  6C-FA-89-03-FC-2C
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A5F01160001E1D09EC0562A
      Acct Session ID:  0x000295A1
               Handle:  0xF200084B

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
Below is the configuration for that port:
interface GigabitEthernet3/0/10
switchport access vlan 22
switchport mode access
switchport voice vlan 1022
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip access-group ACL-ALLOW-ALL in
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 22
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
I bumped port security max on that port up to 4 and was able to get the phone to register, but this is not the desired configuration. If anyone is able to look at the config and make any suggestion, I would much appreciate it!
Thanks,
James
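As an added example (not code from this thread, from Cisco, or from either poster), the Python script below parses syslog lines in the shape James posted, keeps the PSECURE "Adding ... as dynamic" learn events and the PSECURE_VIOLATION entries, and cross-checks each violating MAC against the MACs that "sh auth sess" reported as authorized on that port. The Gi3/0/10 sample lines reuse the MAC and interface from the posts; the Gi3/0/12 line, its MAC 0011.2233.4455, and the AUTHORIZED table are constructed for the example. A violation from a MAC the port had already learned or authorized is the contradictory case the thread describes (worth a software check or a TAC case); a violation from a MAC the port has never seen is the case port security exists to catch.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the "sh logg | i 3/0/10" output posted above.
# The Gi3/0/10 lines reuse the thread's MAC and interface; the Gi3/0/12 line
# and MAC 0011.2233.4455 are invented to show the "never seen" case.
SAMPLE_LOG = """\
Nov 20 09:23:33.375 EST: PSECURE: Adding 6cfa.8903.fc2c as dynamic on port Gi3/0/10 for vlan 1022
Nov 20 09:23:33.374 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:23:39.484 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:23:51.486 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:30:01.000 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet3/0/12. (RVAPsw22-3)
"""

# Constructed: per-port MACs that "sh auth sess" showed as "Authz Success",
# taken from the session output posted above.
AUTHORIZED = {
    "GigabitEthernet3/0/10": {"0019.bb46.70cc", "6cfa.8903.fc2c"},
}

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IFACE = r"[A-Za-z]+\d+(?:/\d+)*"

VIOLATION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+): "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    rf"caused by MAC address (?P<mac>{MAC}) on port (?P<iface>{IFACE})\."
)
LEARNED_RE = re.compile(
    rf"PSECURE: Adding (?P<mac>{MAC}) as dynamic on port (?P<iface>{IFACE}) for vlan"
)

# IOS prints the short form in PSECURE debug lines and the long form in the
# violation message; normalise so both refer to the same port.
SHORT_NAMES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}


def normalize_iface(name):
    for short, long_name in SHORT_NAMES.items():
        if name.startswith(short) and len(name) > len(short) and name[len(short)].isdigit():
            return long_name + name[len(short):]
    return name


def parse_log(text):
    """Return (violations, learned). violations: list of (ts, iface, mac).
    learned: iface -> set of MACs the switch itself logged as added."""
    violations = []
    learned = defaultdict(set)
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            violations.append((m["ts"], normalize_iface(m["iface"]), m["mac"]))
            continue
        m = LEARNED_RE.search(line)
        if m:
            learned[normalize_iface(m["iface"])].add(m["mac"])
    return violations, learned


def classify(violations, learned, authorized):
    """Group violations per (iface, mac) and give each group a verdict.
    'known-mac': the violating MAC was already learned on, or authorized for,
    that port, i.e. the contradictory symptom discussed in the thread.
    'unknown-mac': a MAC the port had not seen, which is what port security
    is meant to report."""
    counts = defaultdict(int)
    for _ts, iface, mac in violations:
        counts[(iface, mac)] += 1
    report = {}
    for (iface, mac), n in counts.items():
        known = mac in learned.get(iface, set()) or mac in authorized.get(iface, set())
        report[(iface, mac)] = {"count": n, "verdict": "known-mac" if known else "unknown-mac"}
    return report


def report_from_text(text, authorized=AUTHORIZED):
    violations, learned = parse_log(text)
    return classify(violations, learned, authorized)


if __name__ == "__main__":
    for (iface, mac), info in sorted(report_from_text(SAMPLE_LOG).items()):
        print(f"{iface} {mac}: {info['count']} violation(s), {info['verdict']}")
```

Feed it the real "sh logg" output and a hand-filled AUTHORIZED table for the affected ports; if the known-mac bucket dominates, the problem is in how the switch counts secure addresses rather than in what is plugged in, and raising the maximum only hides it.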
04-01-2016 01:44 AM
Hello James,
I wonder if you found a way to solve this issue?
I recently encountered the same problem here on a 2960X switch. Our port configuration is not as extensive as yours, but in regard to port security it seems the same:
SWITCH#sh run int Gi2/0/2
Building configuration...
Current configuration : 342 bytes
!
interface GigabitEthernet2/0/2
description Userport.....
switchport access vlan 61
switchport mode access
switchport port-security maximum 6
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security
ip dhcp snooping limit rate 10
end
I also wonder if this behaviour is related to the bug CSCuv29825?
Have a nice day!
phil
Edit: Also, may this behaviour be related to the fact that different switches were used in that stack (WS-C2960X-48FPD-L stacked with WS-C2960X-24PD-L)?