09-03-2015 04:26 AM - edited 03-08-2019 01:37 AM
Hi,
I tried to drill down a problem with this message in the logs:
%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: Packet received with invalid source MAC address ( [mac-addr] ) on port [char] in vlan [dec]
I found the access port from where these invalid MAC addresses were seen. In another posting I found that configuring a "switchport port-security limit rate invalid-source-mac" on the affected port would filter out that kind of traffic.
I was wondering what steps are really necessary to configure the rate limit for invalid source MAC addresses. Is it just as simple as one config line like
switchport port-security limit rate invalid-source-mac 20
or do I need to configure the whole thing:
switchport port-security
switchport port-security maximum 25
switchport port-security limit rate invalid-source-mac 20
switchport port-security violation restrict
switchport port-security aging time 1
While experimenting with port-security commands, I found out that my configured limit suddenly disappears from the config. I remembered the "sh run all" command. Please have a look:
My switchport config
r6s1a#sh run int gi3/22
Building configuration...
Current configuration : 307 bytes
!
interface GigabitEthernet3/22
switchport access vlan 556
switchport mode access
snmp trap mac-notification change added
snmp trap mac-notification change removed
storm-control broadcast level 1.00
no cdp enable
spanning-tree portfast
end
or with all Defaults shown:
r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
switchport
switchport access vlan 556
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 65535 vlan voice
switchport port-security limit rate invalid-source-mac 10 # The "limit" is already configured by default!
no switchport port-security mac-address sticky
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
carrier-delay 2
no shutdown
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
no onep application openflow exclusive
storm-control broadcast level 1.00
no cdp enable
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree port-priority 128
spanning-tree cost 0
ip igmp snooping tcn flood
Then I issued on gi3/22:
r6s1a(config-if)#switchport port-security limit rate invalid-source-mac 20
which led to a nice
r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
switchport
switchport access vlan 556
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 65535 vlan voice
switchport port-security limit rate invalid-source-mac 20 # As expected :-)
no switchport port-security mac-address sticky
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
carrier-delay 2
no shutdown
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
no onep application openflow exclusive
storm-control broadcast level 1.00
no cdp enable
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree port-priority 128
spanning-tree cost 0
ip igmp snooping tcn flood
which is seen in the normal config as expected:
r6s1a#sh run int gi3/22
Building configuration...
Current configuration : 307 bytes
!
interface GigabitEthernet3/22
switchport access vlan 556
switchport mode access
switchport port-security limit rate invalid-source-mac 20
snmp trap mac-notification change added
snmp trap mac-notification change removed
storm-control broadcast level 1.00
no cdp enable
spanning-tree portfast
end
Then I issued on gi3/22 a
r6s1a(config-if)#no switchport port-security
which should revert to the default config, as I had understood it, but it doesn't:
r6s1a#sh run int gi3/22
Building configuration...
Current configuration : 248 bytes
!
interface GigabitEthernet3/22
switchport access vlan 556
switchport mode access
snmp trap mac-notification change added
snmp trap mac-notification change removed
storm-control broadcast level 1.00
no cdp enable
spanning-tree portfast
end
r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
switchport
switchport access vlan 556
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 65535 vlan voice # I would expect the limit-rate-config-line here
no switchport port-security mac-address sticky # I would expect the limit-rate-config-line here
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
carrier-delay 2
no shutdown
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
no onep application openflow exclusive
storm-control broadcast level 1.00
no cdp enable
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree port-priority 128
spanning-tree cost 0
ip igmp snooping tcn flood
I added the "missing default config line" by hand, but it does not show up.
r6s1a(config-if)#switchport port-security limit rate invalid-source-mac 10
r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
switchport
switchport access vlan 556
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 65535 vlan voice # I would expect the limit-rate-config-line here
no switchport port-security mac-address sticky # I would expect the limit-rate-config-line here
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
carrier-delay 2
no shutdown
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
no onep application openflow exclusive
storm-control broadcast level 1.00
no cdp enable
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree port-priority 128
spanning-tree cost 0
ip igmp snooping tcn flood
How does this come about? Bug or feature? What steps are necessary to configure a proper limit for unknown source MAC addresses on a port?
The switch is a WS-C4510R+E with software cat4500e-universalk9.SPA.03.07.00.E.152-3.E.bin
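Added example (not part of the original post): a small Python parser for the %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET message quoted above, run over constructed syslog lines, that counts events per port and VLAN (the way the poster located the offending access port) and explains why each source MAC is invalid (all-zero, or the I/G group bit set). The sample MACs, ports and timestamps are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the message format quoted in the post.
# MACs, port names, VLANs and timestamps are placeholders, not real events.
SAMPLE_LOG = """\
Mar  3 04:20:01.123: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: Packet received with invalid source MAC address (00:00:00:00:00:00) on port Gi3/22 in vlan 556
Mar  3 04:20:01.456: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: Packet received with invalid source MAC address (01:00:5e:00:00:fb) on port Gi3/22 in vlan 556
Mar  3 04:20:02.001: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: Packet received with invalid source MAC address (ff:ff:ff:ff:ff:ff) on port Gi3/40 in vlan 100
Mar  3 04:20:03.777: %LINK-3-UPDOWN: Interface GigabitEthernet3/41, changed state to up
"""

# Accepts colon (aa:bb:...) and Cisco dotted (aaaa.bbbb.cccc) notation,
# with or without the spaces shown in the message template.
EVENT_RE = re.compile(
    r"%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: Packet received with invalid "
    r"source MAC address \(\s*(?P<mac>[0-9a-fA-F:.]+)\s*\) "
    r"on port (?P<port>\S+) in vlan (?P<vlan>\d+)"
)


def classify_mac(mac):
    """Explain why a source MAC is invalid: all-zero, or group (I/G) bit set."""
    octets = bytes.fromhex(mac.replace(":", "").replace(".", ""))
    if not any(octets):
        return "all-zero"
    if octets[0] & 0x01:  # least significant bit of the first octet = I/G bit
        return "broadcast" if all(b == 0xFF for b in octets) else "multicast"
    return "unicast (unexpected)"


def parse_events(text):
    """Return one dict per invalid-source-MAC event; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append({"mac": m["mac"].lower(), "port": m["port"],
                           "vlan": int(m["vlan"]), "reason": classify_mac(m["mac"])})
    return events


def events_per_port(events):
    """Count events per (port, vlan) so the noisiest access port stands out."""
    return Counter((e["port"], e["vlan"]) for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (port, vlan), n in events_per_port(evs).most_common():
        print(f"{port} vlan {vlan}: {n} invalid-source-MAC packet(s)")
    for e in evs:
        print(f"  {e['port']} {e['mac']} -> {e['reason']}")
```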
11-26-2015 06:08 AM
Hi Mark,
This is old, but I just happened to be playing with this today.
After you disable port-security, you won't be able to configure the limit rate for invalid MAC (or the max MAC address, for example) because those are "port security features", if we want to call them that.
For example, if you disable spanning-tree on the switch, bpduguard on a port won't do anything, as you have disabled the spanning-tree feature; same case here.
In order to enable the limit rate for invalid MAC packets, you HAVE to enable port-security and then modify the defaults to fit your needs. The port-security defaults (which cannot be removed, just modified to fit you) are:
switchport port-security maximum 1
switchport port-security aging time 0
switchport port-security violation shutdown
switchport port-security aging type absolute
switchport port-security limit rate invalid-source-mac 10
So if you want 0 packets with invalid source, and 20 MACs, you could configure:
switchport port-security maximum 20
switchport port-security limit rate invalid-source-mac none
And so on...