1188 Views, 0 Helpful, 7 Replies

Clients are unable to reach DHCP server post enabling port security on Cisco 3750 Switch

ciscoavinash (Level 1)

Hi Team,

I have three 3750 switches one is of 48 port and other two are 24 port. These three switches are connected in stack.

Master switch is : switch A with 24 port.

We have up link connected to master switch. 

Client physical connectivity is from the switch to an IP phone and from the IP phone to the system. We have enabled port security on the interfaces with the mac-address sticky command, with a maximum of 2 MAC addresses that can be learned. Everything works well initially. Both the IP phone and the system get an IP address and the network is up. When they restart the system, the IP phone keeps working but the system is not able to reach the DHCP server and ends up with an APIPA IP address. This is happening only on the 24-port switches. I don't have any issue with the 48-port switch.

Configuration when we enable sticky:

interface FastEthernet3/0/28
switchport access vlan 30
switchport mode access
switchport voice vlan 200
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 1440
switchport port-security mac-address sticky
switchport port-security mac-address sticky 70f3.9512.f57b
switchport port-security mac-address sticky b8be.bf22.1630 vlan voice
storm-control broadcast level 1.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable

If I configure no switchport port-security on that interface, or if I shut and unshut that switch port, then the system gets an IP address immediately.

The same works if I enable switchport port-security without sticky:

interface FastEthernet1/0/3
switchport access vlan 30
switchport mode access
switchport voice vlan 200
switchport port-security maximum 2
switchport port-security aging time 1440
storm-control broadcast level 1.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable

Let me know if anyone has a solution for this.

7 Replies

Do you see any port security violations when you run "show port-security" or in the logs?

***Please rate all the useful posts***
-Prabath

No, I don't see any violations. I am getting an IP if I shut and unshut the interface.

What IOS version are you on?

Are there any other switches you can test the same config on, to rule out the 3750 IOS as the issue? The same syntax should be available on most access switches.

Hi Mark,

The 3 switches are in a stack. The IOS version is the same on all 3 switches.

IOS version 12.2(50)

In the stack, we are seeing this issue on one switch.

Sorry, are you saying you only see it on this stack?

In the stack, we are seeing this issue on one switch.

You could also use secure static MACs with port-security instead of sticky, in case it's a bug with sticky; it basically does the same thing:

switchport port-security mac-address 70f3.9512.f57b
switchport port-security mac-address b8be.bf22.1630 vlan voice

Looking at the release notes, there is no known bug for what you see, but your IOS image is 6 years old. It could help to upgrade it; software defects do occur the older they get.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_50_se/release/notes/OL18263.html

Check this and this; there might be some useful tips there. As Mark mentioned, I do suspect this could be a bug as well, if it's not the buggy behaviour in CSCta73593.

***Please rate all the useful posts***
-Prabath

If it is port-security shutting it down, you can run this in global config to recover it, which saves you manually bouncing the interface:

errdisable recovery cause psecure-violation
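As an added example (not code from any of the posters), a small Python audit of the two interface configurations posted above: it flags a port where port-security options are set but the feature itself is not enabled, and a port whose stored sticky or static secure MACs already fill the configured maximum, the state in which a new or moved MAC is treated as a violation instead of being learned. The sample config is constructed from the lines in the thread.

```python
import re

# Constructed sample: the relevant lines of the two interfaces posted above.
RUNNING_CONFIG = """\
interface FastEthernet3/0/28
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 70f3.9512.f57b
 switchport port-security mac-address sticky b8be.bf22.1630 vlan voice
interface FastEthernet1/0/3
 switchport port-security maximum 2
"""

# Matches sticky or static secure MAC lines; the bare 'mac-address sticky' line does not match.
MAC_RE = re.compile(r"switchport port-security mac-address (?:sticky )?"
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (\S+))?$")

def parse_interfaces(config):
    """Split running-config text into {interface_name: [stripped lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current and line:
            blocks[current].append(line)
    return blocks

def audit_port_security(config):
    """Return {interface: [findings]} for port-security settings worth checking."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        enabled = "switchport port-security" in lines
        maximum, secure = 1, []          # IOS default maximum; (mac, vlan) entries
        for line in lines:
            m = re.match(r"switchport port-security maximum (\d+)$", line)
            if m:
                maximum = int(m.group(1))
            m = MAC_RE.match(line)
            if m:
                secure.append((m.group(1), m.group(2) or "access"))
        notes = []
        if not enabled and any(l.startswith("switchport port-security") for l in lines):
            notes.append("port-security options set but feature not enabled (no effect)")
        if enabled and len(secure) >= maximum:
            notes.append(f"{len(secure)}/{maximum} secure MACs stored: any new MAC violates")
        findings[name] = notes
    return findings
```

Run it against the output of `show running-config` to list ports in either state before enabling sticky learning fleet-wide.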
