Configure switchport port-security limit rate invalid-source-mac

Mark Thomas
Level 1

Hi,

I tried to drill down on a problem with this message in the logs:

%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: Packet received with invalid source MAC address ( [mac-addr] ) on port [char] in vlan [dec]

I found the access port from where these invalid MAC addresses were seen. In another posting I found that configuring "switchport port-security limit rate invalid-source-mac" on the affected port would filter out that kind of traffic.

I was wondering what steps are really necessary to configure the rate limit for invalid source MAC addresses. Is it just as simple as one config line like

switchport port-security limit rate invalid-source-mac 20

or do I need to configure the whole thing:

switchport port-security
switchport port-security maximum 25
switchport port-security limit rate invalid-source-mac 20
switchport port-security violation restrict
switchport port-security aging time 1

While experimenting with port-security commands, I found out that my configured limit suddenly disappears in the config. I remembered the "sh run all" command. Please have a look:

My switchport config

r6s1a#sh run int gi3/22
Building configuration...

Current configuration : 307 bytes
!
interface GigabitEthernet3/22
 switchport access vlan 556
 switchport mode access
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 storm-control broadcast level 1.00
 no cdp enable
 spanning-tree portfast
end


or with all Defaults shown:


r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
 switchport
 switchport access vlan 556
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode access
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 switchport port-security maximum 65535 vlan voice
 switchport port-security limit rate invalid-source-mac 10 # The "limit" is already configured by default!
 no switchport port-security mac-address sticky
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 load-interval 300
 carrier-delay 2
 no shutdown
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 no onep application openflow exclusive
 storm-control broadcast level 1.00
 no cdp enable
 arp arpa
 arp timeout 14400
 spanning-tree portfast disable
 spanning-tree portfast trunk
 spanning-tree portfast
 spanning-tree port-priority 128
 spanning-tree cost 0
 ip igmp snooping tcn flood

Then I issued on gi3/22:

r6s1a(config-if)#switchport port-security limit rate invalid-source-mac 20

which led to a nice

r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
 switchport
 switchport access vlan 556
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode access
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 switchport port-security maximum 65535 vlan voice
 switchport port-security limit rate invalid-source-mac 20 # As expected :-)
 no switchport port-security mac-address sticky
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 load-interval 300
 carrier-delay 2
 no shutdown
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 no onep application openflow exclusive
 storm-control broadcast level 1.00
 no cdp enable
 arp arpa
 arp timeout 14400
 spanning-tree portfast disable
 spanning-tree portfast trunk
 spanning-tree portfast
 spanning-tree port-priority 128
 spanning-tree cost 0
 ip igmp snooping tcn flood

which is seen in the normal config as expected:

r6s1a#sh run int gi3/22
Building configuration...

Current configuration : 307 bytes
!
interface GigabitEthernet3/22
 switchport access vlan 556
 switchport mode access
 switchport port-security limit rate invalid-source-mac 20
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 storm-control broadcast level 1.00
 no cdp enable
 spanning-tree portfast
end


Then I issued on gi3/22 a

r6s1a(config-if)#no switchport port-security

which should bring it back to the default config, as I had understood it, but it doesn't:

r6s1a#sh run int gi3/22
Building configuration...

Current configuration : 248 bytes
!
interface GigabitEthernet3/22
 switchport access vlan 556
 switchport mode access
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 storm-control broadcast level 1.00
 no cdp enable
 spanning-tree portfast
end

r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
 switchport
 switchport access vlan 556
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode access
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 switchport port-security maximum 65535 vlan voice  # I would expect the limit-rate-config-line here
 no switchport port-security mac-address sticky     # I would expect the limit-rate-config-line here 
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 load-interval 300
 carrier-delay 2
 no shutdown
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 no onep application openflow exclusive
 storm-control broadcast level 1.00
 no cdp enable
 arp arpa
 arp timeout 14400
 spanning-tree portfast disable
 spanning-tree portfast trunk
 spanning-tree portfast
 spanning-tree port-priority 128
 spanning-tree cost 0
 ip igmp snooping tcn flood


I added the "missing default config line" by hand, but it does not show up.

r6s1a(config-if)#switchport port-security limit rate invalid-source-mac 10

r6s1a#sh run all | section interface GigabitEthernet3/22
interface GigabitEthernet3/22
 switchport
 switchport access vlan 556
 switchport private-vlan trunk encapsulation dot1q
 switchport private-vlan trunk native vlan tag
 switchport mode access
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 switchport port-security maximum 65535 vlan voice  # I would expect the limit-rate-config-line here 
 no switchport port-security mac-address sticky     # I would expect the limit-rate-config-line here 
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 load-interval 300
 carrier-delay 2
 no shutdown
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 no onep application openflow exclusive
 storm-control broadcast level 1.00
 no cdp enable
 arp arpa
 arp timeout 14400
 spanning-tree portfast disable
 spanning-tree portfast trunk
 spanning-tree portfast
 spanning-tree port-priority 128
 spanning-tree cost 0
 ip igmp snooping tcn flood

How come? Bug or feature? What steps are necessary to configure a proper limit for unknown source MAC addresses on a port?


1 Reply

eduardopozo56
Level 1

Hi Mark,

This is old, but I just happened to be playing with this today.

After you disable port-security, you won't be able to configure the limit rate for invalid MAC (or the max MAC address, for example), because those are "port security features", if we want to call them that.

For example, if you disable spanning-tree on the switch, bpduguard on a port won't do anything, as you have disabled the spanning-tree feature; same case here.

In order to enable the limit rate for invalid MAC packets, you HAVE to enable port-security and then modify the defaults to fit your needs. The port-security defaults (which cannot be removed, just modified to fit you) are:

switchport port-security maximum 1
switchport port-security aging time 0
switchport port-security violation shutdown
switchport port-security aging type absolute
switchport port-security limit rate invalid-source-mac 10

So if you want 0 packets with an invalid source, and 20 MACs, you could configure:

switchport port-security maximum 20

switchport port-security limit rate invalid-source-mac none

And so on...
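A small audit script, added here as an example and not part of either post, that applies the rule the reply describes to a running-config: the invalid-source-mac limit only takes effect on an interface where "switchport port-security" itself is enabled, and on such an interface the limit defaults to 10 when no explicit line is present. The sample config is constructed; the interface names and values are illustrative.

```python
import re

DEFAULT_LIMIT = 10  # default seen in 'sh run all' once port-security is on

# Constructed sample: gi3/22 carries the limit line without port-security
# (ineffective per the reply), gi3/23 enables port-security and disables the
# limit, gi3/24 enables port-security and inherits the default.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet3/22
 switchport mode access
 switchport port-security limit rate invalid-source-mac 20
!
interface GigabitEthernet3/23
 switchport mode access
 switchport port-security
 switchport port-security maximum 20
 switchport port-security limit rate invalid-source-mac none
!
interface GigabitEthernet3/24
 switchport mode access
 switchport port-security
!
"""

LIMIT_RE = re.compile(r"^switchport port-security limit rate invalid-source-mac (\S+)$")


def parse_interfaces(config):
    """Split IOS running-config text into {interface name: [stripped lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas


def audit(config):
    """Return {interface: (port_security_on, configured_limit, effective_limit)}.

    effective_limit is None when the limit cannot act (port-security off),
    'none' when rate limiting is disabled, otherwise an int (default 10).
    """
    result = {}
    for name, lines in parse_interfaces(config).items():
        enabled = "switchport port-security" in lines  # bare enabling line
        configured = None
        for line in lines:
            match = LIMIT_RE.match(line)
            if match:
                configured = match.group(1)
        if not enabled:
            effective = None
        elif configured is None:
            effective = DEFAULT_LIMIT
        else:
            effective = "none" if configured == "none" else int(configured)
        result[name] = (enabled, configured, effective)
    return result
```

Interfaces reported with an effective limit of None are the ones where the line is present but, as the reply explains, will do nothing (and may vanish on the next "no switchport port-security").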