Bug port-security Catalyst 2960S after upgrade to release 15.0(2)SE8

Hello,

I have a few stacks of 2960S, generally built as follows and running the following version.

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C2960S-48LPS-L  15.0(1)SE2            C2960S-UNIVERSALK9-M
     2 52    WS-C2960S-48LPS-L  15.0(1)SE2            C2960S-UNIVERSALK9-M
     3 28    WS-C2960S-24PS-L   15.0(1)SE2           C2960S-UNIVERSALK9-M

In the previous release, 15.0(1)SE2, the port where my printers were connected was configured as follows:

In this version everything works fine (I mean the port security). After the upgrade to the 15.0(2)SE8 release, the port-security blocks all the traffic on the port.

It seems to be a bug, but I can't find anything related to that behaviour in the release notes or the bug tool.

Any idea about this issue?

interface GigabitEthernet1/0/2
 description Printer
 switchport mode access
 switchport nonegotiate
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0004.0097.411d

 switchport port-security authentication event no-response action authorize vlan 129
 authentication port-control auto
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 2
 storm-control broadcast level 20.00
 storm-control action shutdown
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip igmp filter 1

Hall of Fame Cisco Employee

Hello,

Is that the complete configuration of the Gi1/0/2 port? It is missing the switchport port-security command to actually activate the port security. In addition, you are saying that the port security appears to block all traffic. However, I see no switchport port-security violation command, either, in which case the default security violation action is to shut down the port entirely instead of filtering the traffic. That also does not align with your description of the symptoms.

Best regards,
Peter


Hello Peter,

Yes, sorry, you're right, I made a mistake when copying the configuration of the port.

The switchport port-security command was indeed present in the previous release, but I was obliged to remove it, otherwise the port doesn't transmit traffic. In fact the port is up but the MAC address is not present.

Below is the output of "show switchport port-security" for the faulty port when switchport port-security is activated:

In this mode, the port is indeed up, but the MAC address is no longer present and my printer is no longer accessible. This behaviour didn't occur in the previous release.

Thanks in advance for your responses

Stack1_C67_3_12.39#sh port-security int gi 1/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0004.0097.411d:129
Security Violation Count   : 0

Hall of Fame Cisco Employee

Hello,

I apologize for my late response.

Please allow me one more question: In this newest IOS, when you activate the port security on the Gi1/0/2 interface, does it become err-disabled as a result of security violation, or does it stay up even though the printer has no network connectivity?

If the port goes down then we need to focus on the port security behavior. If the port stays up but the printer has no connectivity, it seems to be more related to the 802.1X authentication.

Best regards,
Peter


Hello Peter,

No problem. In fact the port state is up. But if the command "switchport port-security" is set on the port, the MAC address disappears immediately. As soon as the command is removed, the MAC address is restored and the connectivity is back.
Below is the output of a few commands on the switch:

The port status is as follows

Gi1/0/2   Printer            connected    129        a-full  a-100 10/100/1000BaseTX

The mac-address on the port

Stack1_C67_3_12.39#sh mac address-table int gi 1/0/2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

The MAC as soon as I remove the port-security command

Stack1_C67_3_12.39#sh mac address-table int gi 1/0/2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 129    0004.0097.411d    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 1


Best regards

Gildas

Hall of Fame Cisco Employee

Gildas,

Okay, this is becoming more and more strange.

May I ask you to post the output of show run int gi1/0/2 one more time, being very careful not to lose any lines during the copy & paste?

Best regards,
Peter


Totally agree with Peter, this is quite a strange issue.

So what happens if you connect the printer to any other port?

It looks like some kind of buggy behaviour, but I'm not quite sure as I didn't do a complete diagnosis of this issue.


Hello,

I don't think that the issue can be linked to the printer or the port, because I've four ports configured the same way and with the same behaviour.

I need to disable "port-security" on all the ports in order to retrieve the MAC address.

Kind regards

Gildas


Hello,

After a few weeks of investigation with Cisco TAC, I'm indeed facing a bug.

Below is the response from Cisco TAC concerning this issue:

Just to let you know, I have talked to the dev team and the combination of port-security sticky + dot1x is not supported.
I have opened a documentation bug to officially state this:
CSCuw37347    Doc should state that port-security sticky is not supported with dot1x.

Thanks everybody for your support and suggestions

Regards

Gildas

Hall of Fame Cisco Employee

Hello Gildas,

Thanks for updating us with this information!

However, I strongly dislike the resolution suggested by TAC - to change the documentation so that it explicitly states that the combination of Port Security Sticky Secure Address and 802.1X authentication is not supported.

In your own words, this combination worked nicely for you in older IOS but does not work anymore in the new IOS. So this is not a documentation error, rather, this is an IOS regression. I would not personally let the TAC get away from this case so easily. They should fix the IOS so that the combination works again, rather than leave it broken and have the documentation updated to cover their inability or unwillingness to solve the real issue.

Best regards,
Peter

Hello Peter,

Here is the output of the requested command:

interface GigabitEthernet1/0/2
 description Printer
 switchport mode access
 switchport nonegotiate
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0004.0097.411d
 switchport port-security
 authentication event no-response action authorize vlan 129
 authentication port-control auto
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 2
 storm-control broadcast level 20.00
 storm-control action shutdown
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip igmp filter 1
end

Hall of Fame Cisco Employee

Hi Gildas,

I see nothing wrong with your configuration. Your observation that the MAC address does not appear in the MAC address table when the port security is activated is truly strange - it should have been present as a static MAC address in the table.

Let's do one experiment: Instead of declaring that MAC address as sticky, configure it as a static secure address right away. Please paste the following commands to your configuration:

interface Gi1/0/2
 no switchport port-security
 no switchport port-security mac-address sticky 0004.0097.411d
 no switchport port-security mac-address sticky
 switchport port-security mac-address 0004.0097.411d
 switchport port-security
end

This will stop the sticky address learning, remove the sticky secure MAC address, replace it with a static secure MAC address, and reactivate the port security. Would this help? Please also check the MAC address table after this change.

Best regards,
Peter
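As an added example (not part of this thread, and not Cisco's or any participant's code), the following Python script turns the two checks discussed above into something that can be run against saved CLI output: it audits a running-config for interfaces that combine port-security sticky learning with an 802.1X authenticator, the combination TAC declared unsupported in CSCuw37347, and it detects the symptom Gildas pasted earlier, where "show port-security" reports a Secure-up port holding a sticky address while the MAC address table for that port is empty. The sample config and show outputs are constructed from the thread; GigabitEthernet1/0/3 (static secure MAC, as in Peter's experiment) and GigabitEthernet1/0/4 are hypothetical interfaces added so the audit has something to pass.

```python
from __future__ import annotations
import re

# Constructed sample running-config: Gi1/0/2 is the printer port from the
# thread (sticky + dot1x); Gi1/0/3 and Gi1/0/4 are hypothetical interfaces
# added to show a static secure MAC and a port with no port-security at all.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/2
 description Printer
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0004.0097.411d
 switchport port-security
 authentication event no-response action authorize vlan 129
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Printer-static (hypothetical)
 switchport mode access
 switchport port-security mac-address 0004.0097.411e
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description Uplink (hypothetical)
 switchport mode trunk
!
end
"""

# Constructed from the 'show port-security int gi 1/0/2' output in the thread.
SAMPLE_SHOW_PORT_SECURITY = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0004.0097.411d:129
Security Violation Count   : 0
"""

# Constructed from the two 'show mac address-table int gi 1/0/2' outputs.
SAMPLE_MAC_TABLE_EMPTY = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
"""

SAMPLE_MAC_TABLE_OK = SAMPLE_MAC_TABLE_EMPTY + """\
 129    0004.0097.411d    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 1
"""


def parse_interfaces(running_config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to the list of its sub-commands."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!', 'end' or a global command closes the stanza
    return interfaces


def audit_sticky_with_dot1x(running_config: str) -> list[str]:
    """Interfaces with port-security enabled, sticky learning on, and an
    802.1X authenticator: the combination TAC marked unsupported (CSCuw37347)."""
    flagged = []
    for name, cmds in parse_interfaces(running_config).items():
        enabled = "switchport port-security" in cmds
        sticky = any(c.startswith("switchport port-security mac-address sticky") for c in cmds)
        dot1x = "dot1x pae authenticator" in cmds or any(
            c.startswith("authentication port-control") for c in cmds)
        if enabled and sticky and dot1x:
            flagged.append(name)
    return flagged


def port_security_state(show_output: str) -> dict[str, str]:
    """Parse the 'Key : Value' lines of 'show port-security interface'."""
    state = {}
    for line in show_output.splitlines():
        m = re.match(r"^(.+?)\s+:\s+(.*)$", line.strip())
        if m:
            state[m.group(1)] = m.group(2).strip()
    return state


MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def mac_table_entries(show_output: str) -> list[tuple[int, str, str, str]]:
    """Extract (vlan, mac, type, port) rows from 'show mac address-table'."""
    rows = []
    for line in show_output.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return rows


def sticky_mac_vanished(show_ps: str, show_mac: str) -> bool:
    """The symptom from the thread: port-security is Secure-up and holds a
    sticky secure address, yet the port has no entry in the MAC table."""
    st = port_security_state(show_ps)
    secure_up = st.get("Port Status") == "Secure-up"
    sticky = int(st.get("Sticky MAC Addresses", "0"))
    return secure_up and sticky > 0 and not mac_table_entries(show_mac)


if __name__ == "__main__":
    print("sticky + dot1x interfaces:", audit_sticky_with_dot1x(SAMPLE_RUNNING_CONFIG))
    print("symptom present on Gi1/0/2:",
          sticky_mac_vanished(SAMPLE_SHOW_PORT_SECURITY, SAMPLE_MAC_TABLE_EMPTY))
```

Run against a real "show running-config" and the per-port show outputs, the first function gives a list of ports to review before an upgrade to a release where the combination is unsupported, and the second turns the manual comparison Gildas did (secure address present, MAC table empty) into a check that can be repeated on every affected port.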

Hello Peter,


Big thanks for your interest in my issue and your proposal.

I found a workaround which is a mix of your proposal.

I applied your commands but it hasn't fixed the issue, the MAC address was still missing. After that I removed the command "switchport port-security mac-address 0004.0097.411d" and applied again the command "switchport port-security mac-address sticky".

The sticky function learned the MAC again and the MAC is indeed present on the port. The printer works again with the initial configuration. But it sounds like a bug in the IOS and this way remains a workaround.

I can't find such an issue in the release notes or in the Cisco bug tool. I think I'm going to open a case with my Cisco support and I'll keep you in touch if a solution is given.


Thanks for the support

Best regards

Gildas

Hall of Fame Cisco Employee

Hi Gildas,

You are welcome. This indeed looks like a bug. Please open a TAC case if that is possible. You can create a TAC case directly from this thread - at the top right of the page, there should be a link for it - or at least let the TAC engineer know about this thread, as it already contains a wealth of information about your issue.

Please keep me informed.

Best regards,
Peter
