08-03-2015 12:43 AM - edited 03-08-2019 01:13 AM
Hello,
I have a few stacks of 2960S, generally built as follows and running the following version.
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C2960S-48LPS-L 15.0(1)SE2 C2960S-UNIVERSALK9-M
2 52 WS-C2960S-48LPS-L 15.0(1)SE2 C2960S-UNIVERSALK9-M
3 28 WS-C2960S-24PS-L 15.0(1)SE2 C2960S-UNIVERSALK9-M
In the previous release, version 15.0(1)SE2, the port where my printers were connected was configured as follows:
interface GigabitEthernet1/0/2
description Printer
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0004.0097.411d
switchport port-security authentication event no-response action authorize vlan 129
authentication port-control auto
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
storm-control broadcast level 20.00
storm-control action shutdown
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip igmp filter 1
In this version everything works fine (I mean the port security). After the upgrade to the 15.0(2)SE8 release, the port-security blocks all the traffic on the port.
It seems to be a bug, but I can't find anything related to that behaviour in the release notes or the bug tool.
Any idea about this issue?
08-03-2015 04:38 AM
Hello,
Is that the complete configuration of the Gi1/0/2 port? It is missing the switchport port-security command to actually activate the port security. In addition, you are saying that the port security appears to block all traffic. However, I see no switchport port-security violation command, either, in which case the default security violation action is to shutdown the port entirely instead of filtering the traffic. That also does not align with your description of the symptoms.
Best regards,
Peter
08-03-2015 04:56 AM
Hello Peter,
Yes, sorry, you're right, I made a mistake when copying the configuration of the port.
The command switchport port-security is indeed present in the previous release, but I was obliged to remove it; otherwise the port doesn't transmit traffic. In fact the port is up but the MAC address is not present.
Here below is the output of the "show switchport port-security" of the faulty port when switchport port-security is activated:
Stack1_C67_3_12.39#sh port-security int gi 1/0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0004.0097.411d:129
Security Violation Count : 0
In this mode, the port is indeed up, but the MAC address is no longer present and my printer is no longer accessible. This behaviour didn't occur in the previous release.
Thanks in advance for your responses
08-04-2015 02:31 PM
Hello,
I apologize for my late response.
Please allow me one more question: In this newest IOS, when you activate the port security on the Gi1/0/2 interface, does it become err-disabled as a result of security violation, or does it stay up even though the printer has no network connectivity?
If the port goes down then we need to focus on the port security behavior. If the port stays up but the printer has no connectivity, it seems to be more related to the 802.1X authentication.
Best regards,
Peter
08-04-2015 10:48 PM
Hello Peter,
No problem. In fact the port state is up. But if the command "switchport port-security" is set on the port, the MAC address disappears immediately. As soon as the command is removed, the MAC address is restored and the connectivity is back.
Here below is the output of a few commands on the switch:
The port status is as follows:
Gi1/0/2 Printer connected 129 a-full a-100 10/100/1000BaseTX
The MAC address on the port:
Stack1_C67_3_12.39#sh mac address-table int gi 1/0/2
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
The MAC address as soon as I remove the port-security command:
Stack1_C67_3_12.39#sh mac address-table int gi 1/0/2
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
129 0004.0097.411d DYNAMIC Gi1/0/2
Total Mac Addresses for this criterion: 1
Best regards
Gildas
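The two outputs above (port security reporting Secure-up with one sticky address, while the MAC address table for the same port is empty) are exactly the pair of facts a practitioner would want a script to compare across many ports. The following is an added example, not code from the thread or from Cisco: it parses constructed copies of the "show port-security interface" and "show mac address-table interface" outputs modelled on those posted here, and classifies the port according to Peter's distinction between a port that was shut down by a violation and a port that stays up but does not forward. The sample outputs are constructed, and the "Secure-shutdown" status string used for the violation case is an assumption about how IOS labels a shut-down secure port.

```python
import re

# Constructed sample output, modelled on the "sh port-security int gi 1/0/2"
# output posted in the thread (not captured from a real switch).
SHOW_PORT_SECURITY = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0004.0097.411d:129
Security Violation Count   : 0
"""

# Constructed: the MAC table for the same port with port security enabled
# (empty, as in the thread) ...
MAC_TABLE_EMPTY = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
"""

# ... and after "switchport port-security" was removed (printer learned again).
MAC_TABLE_LEARNED = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 129    0004.0097.411d    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 1
"""

# One MAC table row: vlan, dotted MAC, type (DYNAMIC/STATIC), port.
MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def parse_port_security(text):
    """Parse 'show port-security interface' into a dict.

    Values that start with a number ('1', '0 mins') become ints; everything
    else stays a string. Splitting on ' : ' keeps the 'Last Source
    Address:Vlan' key intact.
    """
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        value = value.strip()
        first = value.split()[0] if value else ""
        fields[key.strip()] = int(first) if first.isdigit() else value
    return fields


def parse_mac_table(text):
    """Return [(vlan, mac, type, port)] from 'show mac address-table interface'."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(),
                         m.group(3).upper(), m.group(4)))
    return rows


def diagnose(ps, mac_entries, expected_mac):
    """Classify a secured port against its MAC table.

    'violation'              - the port counted a violation / was shut down
                               (the err-disabled case Peter asked about)
    'healthy'                - the expected MAC is in the table
    'secured-not-forwarding' - Secure-up with a sticky address but the MAC is
                               absent from the table (the symptom in this thread)
    """
    if ps.get("Port Security") != "Enabled":
        return "port-security-disabled"
    status = str(ps.get("Port Status", "")).lower()
    # Assumption: IOS reports a violation-shutdown port as "Secure-shutdown".
    if status == "secure-shutdown" or ps.get("Security Violation Count", 0) > 0:
        return "violation"
    if any(mac == expected_mac.lower() for _, mac, _, _ in mac_entries):
        return "healthy"
    if status == "secure-up" and ps.get("Sticky MAC Addresses", 0) >= 1:
        return "secured-not-forwarding"
    return "no-address-learned"


if __name__ == "__main__":
    ps = parse_port_security(SHOW_PORT_SECURITY)
    printer = "0004.0097.411d"
    print("with port-security:   ", diagnose(ps, parse_mac_table(MAC_TABLE_EMPTY), printer))
    print("without port-security:", diagnose(ps, parse_mac_table(MAC_TABLE_LEARNED), printer))
```

Run against real output, the "secured-not-forwarding" verdict is the one that separates this regression from an ordinary security violation: a violation would show a non-zero count or a shut-down status, whereas here the counters are clean and only the forwarding entry is missing.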
08-04-2015 11:22 PM
Gildas,
Okay, this is becoming more and more strange.
May I ask you to post the output of show run int gi1/0/2 one more time and being very careful not to lose any lines during the copy&paste?
Best regards,
Peter
08-05-2015 12:00 AM
Totally agree with Peter, this is quite a strange issue.
So what happens if you connect the printer to any other port?
It looks like some kind of buggy behaviour, but I'm not quite sure as I didn't do a complete diagnosis of this issue.
08-05-2015 01:25 AM
Hello,
I don't think that the issue can be linked to the printer or the port, because I have four ports configured the same way and with the same behaviour.
I need to disable "port-security" on all the ports in order to get the MAC address back.
Kind regards
Gildas
09-23-2015 02:28 AM
Hello,
After a few weeks of investigation with Cisco TAC, I am indeed facing a bug.
Here below the response from Cisco TAC concerning this issue:
Just to let you know, I have talked to dev team and combination of port-security sticky + dot1x is not supported.
I have opened a documentation bug to officially states this:
CSCuw37347 Doc should state that port-security sticky is not supported with dot1x.
Thanks everybody for your support and suggestions
Regards
Gildas
09-23-2015 03:27 AM
Hello Gildas,
Thanks for updating us with this information!
However, I strongly dislike the resolution suggested by TAC - to change the documentation so that it explicitly states that the combination of Port Security Sticky Secure Address and 802.1X authentication is not supported.
In your own words, this combination worked nicely for you in older IOS but does not work anymore in the new IOS. So this is not a documentation error, rather, this is an IOS regression. I would not personally let the TAC get away from this case so easily. They should fix the IOS so that the combination works again, rather than leave it broken and have the documentation updated to cover their inability or unwillingness to solve the real issue.
Best regards,
Peter
08-05-2015 01:21 AM
Hello Peter,
Hereby the output of the requested command:
interface GigabitEthernet1/0/2
description Printer
switchport mode access
switchport nonegotiate
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0004.0097.411d
switchport port-security
authentication event no-response action authorize vlan 129
authentication port-control auto
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 2
storm-control broadcast level 20.00
storm-control action shutdown
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip igmp filter 1
end
08-05-2015 01:37 AM
Hi Gildas,
I see nothing wrong with your configuration. Your observation that the MAC address does not appear in the MAC address table when the port security is activated is truly strange - it should have been present as a static MAC address in the table.
Let's do one experiment: Instead of declaring that MAC address as sticky, configure it as a static secure address right away. Please paste the following commands to your configuration:
interface Gi1/0/2
no switchport port-security
no switchport port-security mac-address sticky 0004.0097.411d
no switchport port-security mac-address sticky
switchport port-security mac-address 0004.0097.411d
switchport port-security
end
This will stop the sticky address learning, remove the sticky secure MAC address, replace it with a static secure MAC address, and reactivate the port security. Would this help? Please also check the MAC address table after this change.
Best regards,
Peter
08-05-2015 01:57 AM
Hello Peter,
Big thanks for your interest in my issue and your proposal.
I found a workaround which is a mix of your proposal.
I applied your commands but it didn't fix the issue; the MAC address was still missing. After that I removed the command "switchport port-security mac-address 0004.0097.411d" and applied the command "switchport port-security mac-address sticky" again.
The sticky function learned the MAC again and the MAC is indeed present on the port. The printer works again with the initial configuration. But it sounds like a bug in the IOS and this remains a workaround.
I can't find such an issue in the release notes or in the Cisco bug tool. I think I'm going to open a case with my Cisco support and I'll keep you posted if a solution is given.
Thanks for the support
Best regards
Gildas
08-05-2015 02:02 AM
Hi Gildas,
You are welcome. This indeed looks like a bug. Please open a TAC case if that is possible. You can create a TAC case directly from this thread - at the top right of the page, there should be a link for it - or at least let the TAC engineer know about this thread, as it already contains a wealth of information about your issue.
Please keep me informed.
Best regards,
Peter