4510 / Port Security / DHCP

brian.kennedy
Level 1

Any thoughts on this?  Having a strange problem.  On some of our newer 4510s (SUP 8e), I'm having some devices not getting DHCP addresses until I take off port-security.

The background:  on at least two 4510s, new installs, everything comes up and works perfectly.  After about a month on the first one, we started having a few printers suddenly stop working with no IP address.  After some troubleshooting, we took off port-security and immediately they got an address and started working.  We installed another 4510;  3 weeks later the same thing started happening.  However, this time we noticed that the night before we did some generator testing, and the affected printers may have briefly lost power.  So this gave me a little more to test on, and I am now able to replicate it.

First, all affected devices have been printers (mainly HP - although a co-worker thought an IP phone was affected on the first switch) - but not all printers on the switch have been affected.  I plug a new printer in, everything comes up fine.  If I power that printer off and back on, it fails to get a DHCP address.  I can plug a laptop into the same port and it comes up fine.  Back to the printer - take off port-security, it will immediately pick up an address.  I can put port-security back on, and it's fine until powered off again.

DHCP Snooping is not on.

Port-config:

interface GigabitEthernet10/18
 description **IP PHONE OR PC**
 switchport access vlan 24
 switchport mode access
 switchport voice vlan 14
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no mdix auto
 qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
 service-policy output DBL
end

Network capture when it's failing only shows the DHCP request, no answer.

failed:

No.     Time           Source                Destination           Protocol Length Info
    157 50.802870000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
Frame 157: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

No.     Time           Source                Destination           Protocol Length Info
    182 54.820824000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
Frame 182: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

(repeated)

--------------------------------------------------------------------------------

Working:

No.     Time           Source                Destination           Protocol Length Info
    138 35.496720000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f8a7b8
Frame 138: 347 bytes on wire (2776 bits), 347 bytes captured (2776 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

No.     Time           Source                Destination           Protocol Length Info
    185 40.527732000   0.0.0.0               255.255.255.255       DHCP     379    DHCP Request  - Transaction ID 0xc2f8a7b8
Frame 185: 379 bytes on wire (3032 bits), 379 bytes captured (3032 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol

No.     Time           Source                Destination           Protocol Length Info
    187 40.584626000   Hewlett-_86:fe:9f     Broadcast             ARP      60     Who has 10.201.238.252?  Tell 0.0.0.0
Frame 187: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)

No.     Time           Source                Destination           Protocol Length Info
    200 42.177704000   Hewlett-_86:fe:9f     Broadcast             ARP      60     Gratuitous ARP for 10.201.238.252 (Request)
Frame 200: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request/gratuitous ARP)

No.     Time           Source                Destination           Protocol Length Info
    203 42.415502000   10.201.238.252        224.0.1.60            IGMPv1   60     Membership Report
Frame 203: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Hewlett-_86:fe:9f (00:17:08:86:fe:9f), Dst: IPv4mcast_00:01:3c (01:00:5e:00:01:3c)
Internet Protocol Version 4, Src: 10.201.238.252 (10.201.238.252), Dst: 224.0.1.60 (224.0.1.60)
Internet Group Management Protocol
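A small triage check, added here and not part of the thread, that reads Wireshark packet-list summary lines in the format quoted above and flags DHCP transactions that keep repeating Discover without ever reaching Request, which is exactly what the failing printer looks like from the client side. The sample input is the four DHCP summary lines from the captures above; the capture is taken on the client port, so server Offers are never seen directly and are only inferred from the client's Request.

```python
import re
from collections import defaultdict

# Matches Wireshark packet-list summary lines like the ones quoted in the thread:
# "157 50.802870000 0.0.0.0 255.255.255.255 DHCP 347 DHCP Discover - Transaction ID 0xc2f80993"
DHCP_LINE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+\S+\s+\S+\s+DHCP\s+\d+\s+"
    r"DHCP (?P<kind>\w+)\s+-\s+Transaction ID (?P<xid>0x[0-9a-fA-F]+)"
)

# Sample input: the four DHCP summary lines from the thread's captures
# (two stalled Discovers sharing one xid, then a healthy Discover/Request pair).
SAMPLE = """\
    157 50.802870000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
    182 54.820824000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f80993
    138 35.496720000   0.0.0.0               255.255.255.255       DHCP     347    DHCP Discover - Transaction ID 0xc2f8a7b8
    185 40.527732000   0.0.0.0               255.255.255.255       DHCP     379    DHCP Request  - Transaction ID 0xc2f8a7b8
"""


def parse_dhcp(text):
    """Group DHCP messages by transaction ID: xid -> list of (time, kind)."""
    by_xid = defaultdict(list)
    for line in text.splitlines():
        m = DHCP_LINE.match(line)
        if m:
            by_xid[m["xid"]].append((float(m["time"]), m["kind"]))
    return by_xid


def classify(by_xid, min_retries=2):
    """Label each transaction from the client-side view.
    'acquired': the client sent a Request, so an Offer must have reached it.
    'stalled' : Discover was repeated min_retries+ times with no Request,
                the pattern of the failing printer in the thread.
    'pending' : too few messages to decide."""
    verdicts = {}
    for xid, msgs in by_xid.items():
        kinds = [kind for _, kind in sorted(msgs)]
        if "Request" in kinds:
            verdicts[xid] = "acquired"
        elif kinds.count("Discover") >= min_retries:
            verdicts[xid] = "stalled"
        else:
            verdicts[xid] = "pending"
    return verdicts


def stalled_xids(text, min_retries=2):
    """Transaction IDs that look like the thread's failure mode, sorted."""
    verdicts = classify(parse_dhcp(text), min_retries)
    return sorted(xid for xid, v in verdicts.items() if v == "stalled")


if __name__ == "__main__":
    for xid, verdict in classify(parse_dhcp(SAMPLE)).items():
        print(xid, verdict)
```

Point it at a `tshark` or Wireshark packet-list export from the access port; a stalled xid whose MAC is also absent from `show mac address-table interface` is the symptom described later in the thread.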

15 Replies

dominic.caron
Level 5

Is the port in err-disable state?

No, never goes err-disable or shows any errors/logging.

I am experiencing the exact same type of issues.

Did you ever resolve this?

Hi,

It should be fixed in versions 3.6.0, 3.6.1 and 3.7.0E.

We updated our switches to 3.7.0E and it is working fine now.

Kr

Nicolas

Not really, we will be upgrading IOS to 3.6 soon, hoping that will resolve the issue.  We've just removed port-security where it's an issue as of now.  If it happens after the upgrade, I'll go back to TAC.

mkdickinson
Level 1

We have seen this same issue but with some Motion Tablets running Windows 7, and some Linux PCs. We have just gotten reports of Ricoh printers as well.

We have opened a TAC case on this as well.

So far nowhere with TAC.. the last step was port-security debugs that they are looking into.

Traffic capture on the device port shows the DHCP broadcast.  Traffic capture on the uplink port shows no traffic going through from that device.  So the switch sees it on the access port, doesn't record the MAC, and then drops the traffic.  If you take port-security off, or statically assign the MAC to the port, then all is good.

Hi

First try to remove these two commands:

#switchport port-security aging time 2

#switchport port-security aging type inactivity

Maybe it works

Regards

Amir

No, I've tried that as well, peeling back the different layers of port-security criteria.  It only works when 'switchport port-security' is removed.

Same problem here ... just started deploying a dozen or so of these 4510RE SUP-8E switches and port-security is causing some printers and timecard devices to fail.  From what I can see, port-security is NOT tripping but simply the MAC address never gets loaded to the port on certain types of devices.  I would try a different code, but there is only one available at this time.

Yes, same thing - with port-security on, the MAC address is not getting loaded into the MAC table.  I can see the DHCP request come into the switch, and then it's just dropped, never goes out, and the MAC address is not registered.

Seeing this on about half of the 4510s now, various printers/devices.  TAC still has no solution on this. He said another engineer was seeing something similar on a case.

The one thing I have done that has seemed to clear it up, at least temporarily, is I rolled to the redundant sup and back.  Since I did that on one chassis, everything appears to be working correctly.  However, that was about 2 weeks ago, and generally it's taken a few weeks for this problem to pop up after an install - whether the timing on that is coincidence or not, not sure.  The other problem is that all of these new chassis are running RPR redundancy (LAN base) - so I'm not able to just roll them without taking a hit (most of them are in 24x7 operations areas).

Another issue, and not sure if it's related or not.  I have 4 PCs going to 2 different chassis.  Each PC is set with a static IP, but is set to autologin into the domain.  Every other time the PC is rebooted, it logs in fine.  The reboots in between, the PC will not log in, and in fact registers an APIPA 169.x.x.x address in the ARP table - which is pretty odd since they are set with a static IP.  I can duplicate this by shut/no shut on the port, and every other time it will (or won't) get on the network.

I would recommend opening a TAC case if you haven't - seems like a few more people are seeing this happen.  (my TAC ref: 629278423)

NicolasDemonty
Level 1

Hi guys!

Same issue now. A printer was working fine for several weeks and suddenly the MAC address is no longer learned.

Any update?

kr

Not really;  we've had multiple issues with port-security;  printers (and at times PCs) not picking up DHCP addresses; IP phones not getting DHCP options correctly.  TAC has said they may be related to a couple of different issues.  Suggested upgrading to 3.3.1; said it could be related to this bug: https://tools.cisco.com/bugsearch/bug/CSCuj73571/?reffering_site=dumpcr

Can also try adding a delay to the global ip device tracking probe (if it is on) - see the following bugs.

https://tools.cisco.com/bugsearch/bug/CSCuj04986/?reffering_site=dumpcr

https://tools.cisco.com/bugsearch/bug/CSCtn27420/?reffering_site=dumpcr

The delay fixed issues with PCs not getting DHCP addresses, but not issues with phones.  We have not upgraded to 3.3.1 yet.

Hi,

Thanks for your answer. We already have the latest version of IOS. It seems that the issue is solved when we remove port-security, but if we re-enable it then it is still working ... I don't know how long it will work ...

What kind of tests did you already do?

kr