Matt,

Thank you for your response, but I not sure you understood my question, although you may have indirectly answered it, "If there is congestion on the link then it will be buffered/dropped as there is no more available bandwidth for that queue."

Suppose I set a FastEthernet interface to srr-queue bandwidth limit 10, then suppose there's a transient burst of 20 Mbps, will the 3560 egress buffer the burst (assuming there's available buffering) and "meter" the traffic at 10 Mbps (plus or minus the hardware capability) or will it immediately drop all burst packets/frames even if there are available egress buffers?

Hello Joseph,

I am sorry if my reply was not clear.  By using the bandwidth command it will buffer the 20mb burst as long as the link is not congested and the buffer is available.  It will not meter the bandwidth strictly at 10mbps. 

-Matt

Try this link:

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENVMON-MIB.my

-Matt

MAhesh,

I'm assuming that you are referring to DAI (Dynamic ARP inspection), which does the following:

- Intercept all ARP requests and responses on untrusted ports

- Verify that each ARP packet has valid IP-to-MAC binding before updating local cache and before forwarding the packet to its destination

- Drops invalid ARP packets

Please note that DAI relies on the DHCP snooping database to verifty that the ARPs are valid. Like DHCP snooping, this only happens on untrusted interfaces. When designing where your trusted and untrusted interfaces reside for DAI, use the same logic as for DHCP snooping. Usually if you trust for DHCP snooping, you will trust for ARP inspection as well.

In your case, if you are having issues with DHCP snooping database on certain switch, it could pose a potential issue when DAI is enabled on that particular switch.

regards

Jane

Hi Pavel,

Good question. There are some complications when implementing port security on a port channel. Using LACP as an example, each physical port must have its own MAC address, and there's another MAC used for the "virtual" interface which is used for LACPDUs. This may either be another unique MAC or may be the MAC of one of the member ports. However this is not constrained by the standard and depending on vendor implementation.

Take for example the case of a 2 link PortChannel between two devices:

SWA ========= SWB

In this case, Switch A Ethernet1/1 connects to SwitchB Ethernet1/1 and SwitchA Ethernet2/1 connects to SwithB Ethernet2/1.

In order to successfully deploy Port Security between the two devices, one would need to enable Port Security with either 2 or 3 MAC addresses depending on whether the neighbor device uses a unique address or not.

Different vendors are free to use a unique MAC or not for the control channel.

Should an operator concerned with security allow 2 MAC addresses or 3 in this case?

The answer varies depending on the equipment vendor on the other side . . .

The bigger problem is what if one of the Ethernet links isn't yet in an operational state and the neighboring device is misconfigured (intentionally or otherwise).  e.g. lets say that SwitchB was connected to SwitchC.  Lets say that SwitchC is connected to SwitchB Ethernet1/2 and that link comes up before SwitchB Ethernet2/1:

SWA ========== SWB --------- SWC

If the link to SwitchC is in the same VLAN as the link from SwitchA to SwitchB (i.e. SwitchB is operating both links at L2), AND the link to SwitchC became operationally active prior to SwitchB Ethernet2/1, then Port Security has just allowed L2 to extend beyond where it was intended.

In this case, Port Security is no longer offering the security it was intended to provide. SwitchB can no longer bring up one of its Port Channel members since Port Security will now block that MAC address from sending traffic.

Port security on port channels is already supported on N7K (4.2 release and onwards). It is also under discussion for some other platforms (e.g. 6500).

regards

Jane

Thanks for reply!

But i think if we use channel-group x mode on - there is no problems.

Little adition in question

1st: Your example is not clear to me:

"The bigger problem is what if one of the Ethernet links isn't yet in an operational state and the neighboring device is misconfigured (intentionally or

otherwise)." - What device is misconfigured? A,B,C? Can you explain this example more detailed and post runnning config on the A,B,C devices?

2nd: "Using LACP as an example, each physical port must have its own MAC address, and there's another MAC used for the "virtual" interface which is used for LACPDUs. This may either be another unique MAC or may be the MAC of one of the member ports. However this is not constrained by the standard and depending on vendor implementation." - How this is implemented in Cisco?

3rd: What about servers? I mean SW====SRV. Is there any problems with port-security when we connect server and switch? Can we use mode on (not LACP or PAGP) in this case?

Pavel,

1.

I do believe that with "mode on" only, the implementation will be a lot easier for port security over L2 etherchannel. However with the current releases it will either disallow you from configuring it, or simply ignore the configuration when the port security is enabled on the etherchannel interface, on the platforms that do not support it.

Here's one example for such misconfig I have seen that caused problem on etherchannel: a switch is connected to a UCS with two Fabrics, and the ports in the portchannel need to be on the same Fabric which was not the case. Therefore only one of the links comes up and stays up, the other link flapped.

The diagram is a general example, but the idea is that any error condition that could cause one of the links between SWA and SWB to come up later than the link between SWB and SWC would be an issue here for port security. Hope this clarifies.

2.

Cisco always uses a unique MAC address for this control channel so as to ensure that the address does not change regardless of whatever member ports are added/removed from the bundle.

3.

I believe that it would not work with the current implementations if port security is not supported on the etherchannel, for the reasons mentioned in 1 above.

regards

Jane

1. About 1st - very tricky example! If we have only one interface in portchannel witch is up we se next output:

SwitchB#sh etherchannel summary

Group  Port-channel  Protocol    Ports

------+-------------+-----------+-----------------------------------------------

1      Po1(SU)          -        Gi1/0/1(P)

So where is the problem with port-security? gi1/0/1 logically terminates on Po1, and on Po1 configured with port-security. So where is the problem when we have only one interface that logically terminates on Po1.

I do not understand. Can you explain step by step behavior of the problem?

2. And what about rate-limit commands support on Catalyst family switches?

Pavel,

The samples mentioned above wouldn't apply to this scenario, i.e. either mode on or portchannel with a single interface. They are to provide one of the explanations for why port security is not supported on L2 etherchannel as with an individual interface.

It's not apparent to be an issue with specific scenarios as you mentioned, but in order to support port security over L2 etherchannel, we'll have to cover all the cases properly.

Can you please explain a bit more on your rate-limit question?

regards

Jane