4900 switches and port-security

Ilia.Mostyka
Level 1

Hi,

We are facing a strange situation with port-security @ 4948-10G switch (ipbase-12.2.53SG)

Port config:

!
interface GigabitEthernet1/6
 switchport access vlan 388
 switchport mode access
 switchport port-security maximum 30
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no cdp enable
 spanning-tree portfast
!

With a VMware server attached to it, some macs are not secured:

sh port-security int gi 1/6
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 30
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.2974.9822:388
Security Violation Count   : 0

sh mac- int gi 1/6
Unicast Entries
 vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
 388    000c.296d.e7c8    static ip,ipx,assigned,other GigabitEthernet1/6
 388    000c.2974.9822    static ip,ipx,assigned,other GigabitEthernet1/6
 388    0050.5643.3731   dynamic ip                    GigabitEthernet1/6

Multicast Entries
 vlan   mac address     type    ports
-------+---------------+-------+--------------------------------------------
 388    ffff.ffff.ffff   system Gi1/5,Gi1/6,Te1/49,Te1/50

sh port-security interface gi1/6 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
 388    000c.296d.e7c8    SecureDynamic            Gi1/6        5 (I)
 388    000c.2974.9822    SecureDynamic            Gi1/6        5 (I)
------------------------------------------------------------------------
Total Addresses: 2

Why is 0050.5643.3731 not in SecureDynamic state?

Btw, some other ports with the same config do not have any secured macs at all:

sh port-security int gi 1/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 30
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.29e4.8848:388
Security Violation Count   : 0

sh mac- int gi 1/5
Unicast Entries
 vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
 388    000c.29e4.8848   dynamic ip                    GigabitEthernet1/5
 388    0050.5648.4cb4   dynamic ip                    GigabitEthernet1/5

Multicast Entries
 vlan   mac address     type    ports
-------+---------------+-------+--------------------------------------------
 388    ffff.ffff.ffff   system Gi1/5,Gi1/6,Te1/49,Te1/50

sh port-security interface gi1/5 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
------------------------------------------------------------------------
Total Addresses: 0

P.S.

All hosts are active and working all the time.

Tnx.
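The comparison made by eye in the post above (MAC address table versus secure address table) can be scripted to audit many ports at once. This is an added example, not part of the original post; the function names are illustrative, and the sample rows are copied from the Gi1/6 output quoted above.

```python
import re

# Rows of both tables start with a VLAN id, then a dotted-hex MAC, then a type column.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)",
                 re.I | re.M)

def parse_rows(output):
    """Return {(vlan, mac): type} for every unicast row in a show-command output."""
    rows = {}
    for vlan, mac, kind in ROW.findall(output):
        mac = mac.lower()
        if mac == "ffff.ffff.ffff":  # broadcast row from the Multicast Entries table
            continue
        rows[(int(vlan), mac)] = kind
    return rows

def unsecured_macs(mac_table_output, secure_table_output):
    """MACs present in the forwarding table but absent from the secure address table."""
    learned = parse_rows(mac_table_output)
    secured = parse_rows(secure_table_output)
    return sorted((vlan, mac, kind) for (vlan, mac), kind in learned.items()
                  if (vlan, mac) not in secured)

# Sample input: rows copied from the Gi1/6 output in the post.
SH_MAC = """\
Unicast Entries
388 000c.296d.e7c8 static ip,ipx,assigned,other GigabitEthernet1/6
388 000c.2974.9822 static ip,ipx,assigned,other GigabitEthernet1/6
388 0050.5643.3731 dynamic ip GigabitEthernet1/6
Multicast Entries
388 ffff.ffff.ffff system Gi1/5,Gi1/6,Te1/49,Te1/50
"""
SH_PSEC = """\
388 000c.296d.e7c8 SecureDynamic Gi1/6 5 (I)
388 000c.2974.9822 SecureDynamic Gi1/6 5 (I)
Total Addresses: 2
"""

if __name__ == "__main__":
    for vlan, mac, kind in unsecured_macs(SH_MAC, SH_PSEC):
        print(f"vlan {vlan}: {mac} is learned as '{kind}' but is not a secure address")
```

Any address it reports is being forwarded on a port-security port without counting against the configured maximum, which is the condition the post describes.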

2 Replies

aaberdeen
Level 1

Can you please paste the sh log messages? Simply type: sh log.

Was this working fine and suddenly changed? Did you carry out any changes recently?

First, there were some %PORT_SECURITY-2-PSECURE_VIOLATION: events (due to insufficient maximum allowed macs). We allowed more macs & enabled aging.
