cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
867
Views
2
Helpful
4
Replies

port-security behavior after moving to a non security port

Hello all,

I would just like to ask, if the described port-secuity behaviour is expected by that feature.

A cisco switch catalyst 9200 or 9300 with IOS-XE 17 (behaviour seen on IOS XE 17.3.5 and 17.6.5). Some ports configured with port-security and some of them - not. All of them are access ports with access vlan1. A client with mac "aaa.aaa.aaa" is connected over a small desktop bridge to a cisco switch port 1 with port-security enabled. The port-security config on port contains also max mac address 100, violation restrict and no aging time. The "show port-security address" and "show mac address table" show both the mac "a.a.a.a" on Port1 and vlan 1. 

After that the client is diconnected from the port 1 and connected to port 2, that does not have port-security config on it. It just has "switchport access vlan1". Because the client was connected to the port 1 over a bridge, the port 1 stays "Up" (brige is still conencted to port 1).  The port-security address table still shows the mac "aaa.aaa.aaa" on port1. The switch mac address table shows the mac "aaa.aaa.aaa" during 5 minutes on port 1 till the mac is aged out. 

Now the mac address forwarding table of the switch does not have the mac address "aaa.aaa.aaa" any more, but the client is connected to port 2 and the port shows status "Up". The client does not have access to the network. The switch logs do not show any security violation entries. But the switch silent does not allow the packets from "aaa.aaa.aaa"on port 2 through. The port-security address table still has the mac "aaa.aaa.aaa" on port 1.

I'm clear, that such configuration does not make much sence, but a customer of us has it and cannot change the config because of internal security policy.

Is it a normal and expected behaviour?

Thanks.

best regards,

1 Accepted Solution

Accepted Solutions

Yes this expected behave, 
I run lab and show you how the R2 can not ping to R1 anymore when R1 change it connect port to SW (it was connect to port with security and move to connect to port without port-security)Screenshot (727).pngScreenshot (728).pngScreenshot (729).png

View solution in original post

4 Replies 4

if you use dynamic port-security learn then use aging for port-security this will clear the mac after predefined time.

Hello,

it is clear, what you wrote about the aging time. The question was, if it is a expected behaviour, that a mac address known on a port with configured with port-security will be blocked on another port of teh same switch, where the port security is not not configured.

Thanks in advance,

Best regards

Yes this expected behave, 
I run lab and show you how the R2 can not ping to R1 anymore when R1 change it connect port to SW (it was connect to port with security and move to connect to port without port-security)Screenshot (727).pngScreenshot (728).pngScreenshot (729).png

Hello

 Any specific restriction from your customer to  not use Aging time? It seems this could  minimize or fix the problem.

mac address-table aging-time [0 | 10-1000000] [routed-mac | vlan vlan-id]

 

Review Cisco Networking for a $25 gift card