01-18-2016 01:40 AM - edited 03-08-2019 03:26 AM
Hi all,
Appreciate your help on this.
We recently had a few issues with the same MAC address learnt on 2 interfaces where port security is enabled.
There are a few things I would like to understand.
1. On an access switch WS-C3650-48PD, when I execute the show mac-address-table aging-time command it gives the output below. I know 300 is the default MAC address ageing time.
access-switch#show mac address-table aging-time
Global Aging Time: 300
Vlan Aging Time
---- ----------
But on one of the core switches it was showing a value of 15000 along with 300.
Core-switch#show mac-address-table aging-time
Vlan Aging Time
---- ----------
Global 15000
no vlan age other than global age configured
Routed MAC aging time: 300 seconds
What is the significance of 15000 here?
2. Also, on an edge port configured with port-security, I know that the MAC address will be learned dynamically but will be marked as static. How long will this static entry remain there?
01-18-2016 02:29 AM
Hey, core switches like 6500s keep the MAC entries much longer than access switches, so the default is usually around 14400; you wouldn't want an access switch to keep it that long.
MAC address aging is globally configurable and also separately configurable on each VLAN. To configure MAC address aging time:
(config)# mac-address-table aging-time 14400 [vlan vlan_id]
Routed MACs are MACs learned at IP L3; the switch checks these by ICMP to each node to see if they are still valid. The timer for these is only 300.
Your second question depends on how you have the port-security conditions set on the interface.
01-18-2016 03:12 AM
Thanks a lot Mark for the response.
We recently had an issue with the same MAC address learnt on 2 edge ports on 2 different switches connecting to the same core switches. We completely lost connection to that critical device.
Both the edge ports are configured with an ageing time of 1 minute. The site confirmed that there was no re-patching of the device. Even if there was any re-patch, I would expect that after 1 minute the MAC would clear from the previous interface. Is it caused by a Cisco bug?
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security
01-18-2016 03:56 AM
Hi, just because a MAC was learnt by 2 different ports on the same device should not take it offline; I would have thought the timer may reset, but that's about it. MACs will often be learnt by more than one port, as they can be broadcast out and there may be multiple uplinks on the switches.
If you're saying you had 2 different edge access ports that are not operating as trunks but as individual devices with the same MAC address attached, then you had some form of duplication issue, and that may well have taken it offline.
Clearing the ARP for the particular IP associated with the MAC and bouncing the ports can usually clear something like that, unless someone has manually programmed a static incorrectly somewhere, in which case it will keep occurring.
Did you check the ARP table for that MAC when the issue was occurring? Did it have multiple IPs associated?
01-18-2016 04:19 AM
Hi Mark,
My case is the below:
"If you're saying you had 2 different edge access ports that are not operating as trunks but as individual devices with the same MAC address attached, then you had some form of duplication issue, and that may well have taken it offline"
We have been noticing some issues with a site having a few critical devices. During the last occurrence we noticed that the device was pingable only from one of the core switches, not from the other core switch, which was HSRP active at that point.
MAC address duplication is very unlikely, and that too with devices with the same MAC ending up at the same site.
Nope, I could not check the ARP entry at that time. I was trying to clear the MAC entry from the wrong edge port, and the issue resolved as soon as it was done!
01-18-2016 05:11 AM
Hi, sorry, what I meant was IP duplication for that particular MAC address: if the IP is attached to that MAC by DHCP and someone has also statically assigned it to a device, causing duplication and the MAC being seen as if it's originating from 2 places due to the incorrect config at the network layer, like the extract below. Had an issue like it the other day.
sw-core#sh ip arp 189.x.x.142
Protocol Address Age (min) Hardware Addr Type Interface
Internet 189.x.x.x.x 18 ecf4.bb3c.55a8 ARPA Vlan1
sw-edinburgh#sh ip arp 189.x.x.159
Protocol Address Age (min) Hardware Addr Type Interface
Internet 189.x.x.159 0 ecf4.bb3c.55a8 ARPA Vlan1
01-18-2016 07:11 AM
Yes, this looks like 2 different IPs recorded against the same MAC address in the ARP table.
In my case the same MAC was seen on 2 different edge ports on 2 different access switches.
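As an added illustration (not code from any poster in this thread), the script below checks captured CLI output for the two symptoms discussed above: Mark's extract of one MAC answering for two IPs in the ARP table, and the original poster's case of one MAC learnt on edge ports of two different access switches. The switch names, interface names, IP addresses (documentation range) and the rule that TenGig and port-channel interfaces are uplinks are all constructed assumptions; the sample text is shaped like "show mac address-table" and "show ip arp" output but was not captured from the poster's network.

```python
"""Spot the two symptoms discussed in this thread from captured CLI output:
   (1) one MAC learnt on more than one edge port across switches, and
   (2) one MAC bound to more than one IP in ARP.
All sample text below is constructed, shaped like Cisco IOS output."""
import re
from collections import defaultdict

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)

# Constructed sample: the same MAC shows up on an edge port of two access switches.
MAC_TABLE_SAMPLES = {
    "access-sw-1": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    ecf4.bb3c.55a8    STATIC      Gi1/0/5
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    aaaa.bbbb.0001    DYNAMIC     Te1/1/1
""",
    "access-sw-2": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    ecf4.bb3c.55a8    STATIC      Gi1/0/12
  10    aaaa.bbbb.0001    DYNAMIC     Te1/1/1
""",
}

# Constructed sample: one MAC answers for two IPs (the duplication Mark describes).
ARP_SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.142            18   ecf4.bb3c.55a8  ARPA   Vlan1
Internet  192.0.2.159             0   ecf4.bb3c.55a8  ARPA   Vlan1
Internet  192.0.2.7               3   0011.2233.4455  ARPA   Vlan1
"""

# Assumption for this example: uplinks are TenGig or port-channel interfaces.
UPLINK_PREFIXES = ("Te", "Po")


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples from 'show mac address-table' text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and MAC_RE.fullmatch(parts[1]):
            rows.append((parts[0], parts[1].lower(), parts[2].upper(), parts[3]))
    return rows


def parse_arp(text):
    """Return (ip, mac) tuples from 'show ip arp' text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "Internet" and MAC_RE.fullmatch(parts[3]):
            rows.append((parts[1], parts[3].lower()))
    return rows


def macs_on_multiple_edge_ports(tables):
    """Map MAC -> sorted 'switch:port' list for MACs learnt on more than one edge port.
    A MAC seen on the uplinks of several switches is normal; the same MAC on two
    edge (non-uplink) ports is the condition this thread is about."""
    seen = defaultdict(set)
    for switch, text in tables.items():
        for _vlan, mac, _typ, port in parse_mac_table(text):
            if not port.startswith(UPLINK_PREFIXES):
                seen[mac].add(f"{switch}:{port}")
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


def macs_with_multiple_ips(arp_text):
    """Map MAC -> sorted IP list for MACs bound to more than one IP in ARP."""
    ips = defaultdict(set)
    for ip, mac in parse_arp(arp_text):
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    for mac, ports in macs_on_multiple_edge_ports(MAC_TABLE_SAMPLES).items():
        print(f"{mac} learnt on several edge ports: {', '.join(ports)}")
    for mac, ips in macs_with_multiple_ips(ARP_SAMPLE).items():
        print(f"{mac} answers for several IPs: {', '.join(ips)}")
```

Feed it the real "show mac address-table" output from each access switch and "show ip arp" from the core, and it separates the harmless case (a MAC learnt via uplinks on several switches) from the two cases that need investigating: a duplicate MAC on two edge ports, or a statically assigned IP colliding with a DHCP lease on the same MAC.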
01-18-2016 05:20 AM
Are these hosts connected through an IP phone? If so, you can get problems with port security when you move the host. The original port is kept "up" by the phone, and so the security entry is not cleared down until it ages out. When you plug the host into the new port you get that ambiguity, and likely an err-disable.
For the same reason it is not a good idea to put port security on a distribution switch. Port security should be on the edge ports only.
Kevin
01-18-2016 07:14 AM
Hi Kevin,
The hosts are not connected through IP phones. They are like huge devices used for conveyor belts. But they are definitely connected to access layer switches with port-security on.