Port Security feature blocks traffic on Private VLAN

Netmart (Level 1)

Hello,

As soon as I enable port security on ports configured for Private VLAN [Isolated and Community], I am no longer able to reach those nodes.

According to show interfaces, those ports are still up and port security was not triggered.

vlan 2
name ank_vlan2
private-vlan primary
private-vlan association 11-12
!
vlan 11
private-vlan isolated
!
vlan 12
private-vlan community
lldp run
interface GigabitEthernet0/3
description To client 2 in Community VLAN
switchport port-security maximum 1
switchport port-security violation protect
switchport port-security mac-address sticky
switchport private-vlan host-association 2 12
switchport mode private-vlan host
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
!
interface GigabitEthernet1/0
description To client 3 in Community VLAN
switchport private-vlan host-association 2 12
switchport mode private-vlan host
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable

Version: Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Version 15.2(CML_NIGHTLY_20180619)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to V152_6_0_81_E

Please advise.

Thanks,
Netmart
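
As an added example (not from the original post and not Cisco tooling), here is a small Python audit that parses a running-config like the one above and, for every private-VLAN host port, checks the edge-port hardening that the later configuration in this thread uses (port-security enabled, BPDU guard, PortFast edge, DHCP snooping and DAI rate limits, CDP off), flags duplicated lines such as the repeated port-security commands in the paste, and verifies that each host-association names a declared primary VLAN and a secondary VLAN that is actually associated with it. The config text is constructed to mirror the thread; GigabitEthernet1/1 and VLAN 13 are hypothetical additions that exercise the association check.

```python
"""Audit PVLAN host ports in a Cisco IOS running-config for edge-port hardening.
Added example, not Cisco tooling; the config below is constructed to mirror the
thread, plus one hypothetical port (Gi1/1) and VLAN (13)."""
import re
from collections import defaultdict

# Constructed sample: Gi0/3 mirrors the first paste (hardening absent, the
# port-security lines duplicated), Gi1/0 mirrors the hardened later paste,
# Gi1/1 references a community VLAN never associated with the primary.
SAMPLE_CONFIG = """\
vlan 2
 name ank_vlan2
 private-vlan primary
 private-vlan association 11-12
!
vlan 11
 private-vlan isolated
!
vlan 12
 private-vlan community
!
vlan 13
 private-vlan community
!
interface GigabitEthernet0/3
 description To client 2 in Community VLAN
 switchport port-security maximum 1
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport private-vlan host-association 2 12
 switchport mode private-vlan host
 switchport port-security maximum 1
 switchport port-security violation protect
 switchport port-security mac-address sticky
 no cdp enable
!
interface GigabitEthernet1/0
 switchport private-vlan host-association 2 12
 switchport mode private-vlan host
 switchport port-security
 ip arp inspection limit rate 100
 no cdp enable
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 5
!
interface GigabitEthernet1/1
 switchport private-vlan host-association 2 13
 switchport mode private-vlan host
 switchport port-security
!
"""

# (regex, finding) pairs checked on every 'switchport mode private-vlan host' port.
REQUIRED = [
    (r"^switchport port-security$", "port-security not enabled"),
    (r"^spanning-tree bpduguard enable$", "bpduguard missing"),
    (r"^spanning-tree portfast edge$", "portfast edge missing"),
    (r"^ip dhcp snooping limit rate \d+$", "DHCP snooping rate limit missing"),
    (r"^ip arp inspection limit rate \d+$", "DAI rate limit missing"),
    (r"^no cdp enable$", "CDP still enabled"),
]


def parse_blocks(config):
    """Split a running-config into {'interface X': [sub-lines], 'vlan N': [...]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # block terminator
            current = None
            continue
        if not line.startswith(" "):          # top-level command opens a block
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def expand_range(spec):
    """'11-12,20' -> {11, 12, 20}, the syntax of 'private-vlan association'."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def pvlan_table(blocks):
    """Map VLAN id -> (role, associated secondaries) from the vlan blocks."""
    table = {}
    for name, lines in blocks.items():
        m = re.match(r"vlan (\d+)$", name)
        if not m:
            continue
        role, assoc = None, set()
        for line in lines:
            if line.startswith("private-vlan association "):
                assoc = expand_range(line.split()[-1])
            elif line.startswith("private-vlan "):
                role = line.split()[1]        # primary / isolated / community
        table[int(m.group(1))] = (role, assoc)
    return table


def audit(config):
    """Return {interface: [finding, ...]} for every PVLAN host port with issues."""
    blocks = parse_blocks(config)
    vlans = pvlan_table(blocks)
    findings = defaultdict(list)
    for name, lines in blocks.items():
        if not name.startswith("interface ") or "switchport mode private-vlan host" not in lines:
            continue
        intf = name.split(" ", 1)[1]
        for pattern, msg in REQUIRED:
            if not any(re.match(pattern, l) for l in lines):
                findings[intf].append(msg)
        for dup in sorted({l for l in lines if lines.count(l) > 1}):
            findings[intf].append(f"duplicated line: {dup}")
        for line in lines:
            m = re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line)
            if not m:
                continue
            prim, sec = int(m.group(1)), int(m.group(2))
            prole, passoc = vlans.get(prim, (None, set()))
            srole, _ = vlans.get(sec, (None, set()))
            if prole != "primary":
                findings[intf].append(f"VLAN {prim} is not a private-vlan primary")
            if srole not in ("isolated", "community"):
                findings[intf].append(f"VLAN {sec} is not an isolated/community VLAN")
            elif sec not in passoc:
                findings[intf].append(f"VLAN {sec} not associated with primary {prim}")
    return dict(findings)


if __name__ == "__main__":
    for intf, msgs in sorted(audit(SAMPLE_CONFIG).items()):
        print(intf)
        for msg in msgs:
            print("  -", msg)
```

Run it against a real `show running-config` by reading the file into `audit()`; a port that reports nothing is one that matches the hardened Gi1/0 template, which is the state the rest of this thread works towards.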

9 Replies

marce1000 (VIP)

1) Check if there is anything in the logs if a port becomes configured accordingly (show logging).
2) From where are you trying to reach those nodes?

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Cristian Matei (VIP Alumni)

Hi,

Can you configure violation as the default of "shutdown", and "shut/no shut" the port to confirm there is no violation getting triggered? Can you also post the output of "show spanning-tree interface GigabitEthernet0/3".

Regards,

Cristian Matei.

Hello Cristian, marce1000

As soon as I apply port security to one of the ports that are part of a secondary VLAN, the host on this port is not reachable anymore. Bouncing the port didn't help either. I also changed the port-security violation type; still the same.

Therefore I begin to wonder if it is a bug(?)

interface GigabitEthernet0/3
description To client 2 in Community VLAN
switchport private-vlan host-association 2 12
switchport mode private-vlan host
switchport port-security mac-address sticky
switchport port-security
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable

And this host cannot ping anything anymore, not even members of the same community.

Check the host's ARP table [10.4.1.0 is the segment of the primary VLAN]:

$ arp
Address        HWtype  HWaddress     Flags Mask  Iface
10.4.1.1               (incomplete)               eth1
10.4.1.3               (incomplete)               eth1

No port violation occurred:

sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/3              1            0                  0         Shutdown
---------------------------------------------------------------------------

Port is up:

sh int gigabitEthernet 0/3
GigabitEthernet0/3 is up, line protocol is up (connected)
Hardware is iGbE, address is fa16.3e00.9100 (bia fa16.3e00.9100)
Description: To client 2 in Community VLAN
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 249/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto Duplex, Auto Speed, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:00:48
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
10 packets input, 600 bytes, 0 no buffer
Received 9 broadcasts (9 multicasts)
9 runts, 0 giants, 0 throttles
9 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 9 multicast, 0 pause input
29 packets output, 1890 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

And nothing in the logging indicates a block or shutdown.

team4-switch#sh int gigabitEthernet 0/3 switchport
Name: Gi0/3
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 2 (ank_vlan2) 12 (VLAN0012)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
2 (ank_vlan2) 12 (VLAN0012)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Appliance trust: none

One more piece of info, from running a port-security debug.

When I enable port security I get this in the log:

Apr 5 17:47:26.459: PSECURE: port_deactivate: port status is 0
Apr 5 17:47:26.460: PSECURE: psecure_clear_ha_table: called
Apr 5 17:47:47.827: PSECURE: psecure_activate_port_security: Activating port-security feature
Apr 5 17:47:47.827: PSECURE: port_activate: status is 1
Apr 5 17:47:47.827: PSECURE: psecure_activate_port_security: set psec ask handler on interface Gi0/3
Apr 5 17:47:47.827: PSECURE: psecure_clear_ha_table: called
Apr 5 17:47:47.828: PSECURE: psecure_activate_port_security: Deleting all dynamic addresses from h/w tables.
Apr 5 17:47:47.828: PSECURE: psecure_is_trunk_port: Gi0/3 is not a trunk port
Apr 5 17:47:47.828: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1
Apr 5 17:47:48.352: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/3 mac_addr = fa16.3e82.bd0e vlanid = 2
Apr 5 17:47:49.370: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/3 mac_addr = fa16.3e82.bd0e vlanid = 2
Apr 5 17:47:50.398: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/3 mac_addr = fa16.3e82.bd0e vlanid = 2
Apr 5 17:47:51.419: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet0/3 mac_addr = fa16.3e82.bd0e vlanid = 2

Hi,

This isn't a physical device, is it? Can you try running a different version?

Regards,

Cristian Matei.

Hello

Try clearing the interface

sh port-security interface x

clear port-security interface x


Kind Regards
Paul

If the problem persists, also post the output of show interface x switchport.

M.

Hello,

Thank you all for your feedback.

The packet counters revealed that as soon as port-security is enabled, the port is sending packets but no longer receives packets from the client.

vios_l2 Software (vios_l2-ADVENTERPRISEK9-M)

Port is up and port sec is enabled.

debug portsec:

psecure_platform_delete_all_addrs: deleting all addresses

===============

Apr  7 01:02:01.492: PSECURE: psecure_activate_port_security: Activating port-security feature
Apr  7 01:02:01.493: PSECURE: port_activate: status is 1
Apr  7 01:02:01.493: PSECURE: psecure_activate_port_security: set psec ask handler on interface Gi1/0
Apr  7 01:02:01.493: PSECURE: psecure_clear_ha_table: called
Apr  7 01:02:01.493: PSECURE: psecure_activate_port_security: Deleting all dynamic addresses from h/w tables.
Apr  7 01:02:01.493: PSECURE: psecure_is_trunk_port: Gi1/0 is not a trunk port
Apr  7 01:02:01.493: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1
Apr  7 01:02:31.196: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet1/0 mac_addr = fa16.3e19.1773 vlanid = 2
Apr  7 01:02:56.555: PSECURE: psecure_delete_address_not_ok address <2,fa16.3e19.1773> allowed

==============================================

interface GigabitEthernet1/0
switchport private-vlan host-association 2 12
switchport mode private-vlan host
switchport port-security
ip arp inspection limit rate 100
media-type rj45
negotiation auto
no lldp transmit
no lldp receive
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 5

===============

switch#sh int switchport module 1 | b 1/0
Name: Gi1/0
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 2 (ank_vlan2) 12 (Community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
  2 (ank_vlan2) 12 (Community)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Appliance trust: none


====================================

Clearing port-security interface is not supported in this version(!)

switch#sh port-security interface gigabitEthernet 1/0
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : fa16.3e19.1773:2
Security Violation Count   : 0

! Port-security output - current mac-address count is 0

switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/0              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096
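
As an added example (not part of the thread), here is a Python triage helper for the three outputs posted above: `show port-security interface`, `show interface switchport`, and the PSECURE debug lines. All three are embedded below as constructed samples copied in shape from the posts, so the script runs offline. It reports the two things worth noticing in them: a port that is Secure-up with a last source address recorded but zero secured addresses and zero violations, and a debug line showing port-security clearing addresses on a VLAN (1, the default access VLAN) that is not the port's operational private VLAN (2/12). It also warns when the violation mode is protect, because protect drops offending frames without a syslog message or a violation-counter increment, which would hide exactly this kind of symptom. The finding text is my wording, not a Cisco diagnosis.

```python
"""Triage helper for the symptom in the thread: port is Secure-up, no violation
counted, yet the host behind it is unreachable. Added example; the three sample
outputs are constructed copies (in shape) of what was posted in the thread."""
import re

SHOW_PSEC_INTF = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : fa16.3e19.1773:2
Security Violation Count   : 0
"""

SHOW_SWITCHPORT = """\
Name: Gi1/0
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Access Mode VLAN: 1 (default)
Administrative private-vlan host-association: 2 (ank_vlan2) 12 (Community)
Operational private-vlan:
  2 (ank_vlan2) 12 (Community)
"""

DEBUG_LINES = """\
Apr  7 01:02:01.493: PSECURE: psecure_is_trunk_port: Gi1/0 is not a trunk port
Apr  7 01:02:01.493: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1
Apr  7 01:02:31.196: PSECURE: unix_l2_process_psecure_pak: swidb = GigabitEthernet1/0 mac_addr = fa16.3e19.1773 vlanid = 2
Apr  7 01:02:56.555: PSECURE: psecure_delete_address_not_ok address <2,fa16.3e19.1773> allowed
"""


def parse_kv(text):
    """'Key   : value' lines -> dict; tolerates keys that contain ':' themselves."""
    kv = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s(.+)$", line)
        if m:
            kv[m.group(1)] = m.group(2).strip()
    return kv


def operational_pvlan(switchport_text):
    """(primary, secondary) from the 'Operational private-vlan:' block, or None."""
    m = re.search(r"Operational private-vlan:\s*\n\s*(\d+) \([^)]*\) (\d+)", switchport_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_debug(debug_text):
    """VLANs that port-security flushed, and every (mac, vlan) frame it processed."""
    cleared = [int(v) for v in re.findall(r"deleting all addresses on vlan (\d+)", debug_text)]
    seen = [(mac, int(vlan)) for mac, vlan in
            re.findall(r"mac_addr = ([0-9a-f.]+) vlanid = (\d+)", debug_text)]
    return cleared, seen


def triage(psec_text, switchport_text, debug_text):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    kv = parse_kv(psec_text)
    port = parse_kv(switchport_text).get("Name", "?")
    pvlan = operational_pvlan(switchport_text)
    cleared, seen = parse_debug(debug_text)
    findings = []

    total = int(kv.get("Total MAC Addresses", "0"))
    violations = int(kv.get("Security Violation Count", "0"))
    last_mac, _, last_vlan = kv.get("Last Source Address:Vlan", "0000.0000.0000:0").rpartition(":")
    if kv.get("Port Status") == "Secure-up" and total == 0 and violations == 0 \
            and last_mac != "0000.0000.0000":
        hits = sum(1 for mac, _ in seen if mac == last_mac)
        findings.append(f"{port}: frames from {last_mac} on VLAN {last_vlan} reached port-security "
                        f"({hits} debug hit(s)) but no secure address was learned and no violation was counted")

    if pvlan:
        for vlan in cleared:
            if vlan not in pvlan:
                findings.append(f"{port}: debug shows port-security clearing addresses on VLAN {vlan} "
                                f"while the operational private VLAN is {pvlan[0]}/{pvlan[1]}")

    if kv.get("Violation Mode", "").lower() == "protect":
        findings.append(f"{port}: violation mode protect drops offending frames without a syslog or "
                        "counter increment; use restrict while troubleshooting")
    return findings


if __name__ == "__main__":
    for finding in triage(SHOW_PSEC_INTF, SHOW_SWITCHPORT, DEBUG_LINES):
        print("-", finding)
```

Feed it the real outputs (captured to files and read in) instead of the embedded samples; an empty result is a port where port-security has actually learned the address on the VLAN the port operates in.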

Try using a different SW version.

Regards,

Cristian Matei.
