cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1170
Views
0
Helpful
2
Replies

2960x stack Cisco phone's mac address disappearing from interface with port-security turned on

Jason Weids
Level 1
Level 1

Hello,

 

Wondering if any one else has come across this issue, we have a number of 2960x switches with some being stand alone and some in a stack with the following interface configuration:

 

switchport access vlan 101
switchport mode access
switchport voice vlan 108
switchport port-security maximum 5
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 200
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
spanning-tree portfast edge
ip verify source port-security

 

The issue we are seeing is when the interfaces first come up phones will register on them fine then after a random amount of time depending on what switch you are on the cisco phone mac address will disappear from the interface and the phone will go in to a registering state where it will stay until the port is shut/no shut or port security is removed.  If port security is removed from the interface then the phones seem happy and the mac address no loners randomly gets removed.

 

This seems to only happen if the 2960x are in a stack and the stand alone ones are not affected.  All our switches are on either ios 15.2(7)E1 or 15.2(7)E2  and this behavior is happening on both

 

We have some 3650's with the same config and they also don't seem to be effected but they are running ios-xe

2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @Jason Weids ,

looking at CCO bug search tool I have found seven different software bugs related to port security on stacks

more specifically

the following

CSCvg85032 that is a duplicate of

CSCve53124

Stack of 2960x blocks ARP req after port flap when Port security enabled with DHCP Snooping

 

so an IOS upgrade can be the solution for your issues.

 

Hope to help

Giuseppe

 

 

 

Hi @Giuseppe Larosa 

 

Thanks for your response,  I think you are in the right area although those bugs do say we need to have DHCP snooping enabled which we don't at the moment but are in the process of rolling out.  It's looking more and more likely to be a bug in this version of code though

Review Cisco Networking for a $25 gift card