12-03-2020 07:32 AM
Issue:
When port security is enabled, no traffic is being passed from a single device (no other devices connected). As soon as port security is disabled, traffic flows properly.
Port configuration is as follows:
interface GigabitEthernet3/0/21
description UserPort
switchport access vlan 131
switchport mode access
switchport voice vlan 41
switchport port-security maximum 50
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
power inline auto max 15400
srr-queue bandwidth share 1 30 35 5
priority-queue out
macro description CISCO_CUSTOM_EVENT
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip dhcp snooping limit rate 15
end
Switch#show port-security interface gig 3/0/21
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 50
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : b00c.d136.fa81:131
Security Violation Count : 25
So if there are no mac addresses, why am I still seeing violations?
MAC address connected to the port is b00c.d136.fa81
Switch#show mac address-table address b00c.d136.fa81
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Doesn't show up on any interfaces.
Switch#show mac address-table interface gig 3/0/21
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Doesn't show up on the interface in question.
But if I disable port security on that port using "no switchport port-security", the configuration becomes the following:
interface GigabitEthernet3/0/21
description UserPort
switchport access vlan 131
switchport mode access
switchport voice vlan 41
switchport port-security maximum 50
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
power inline auto max 15400
srr-queue bandwidth share 1 30 35 5
priority-queue out
macro description CISCO_CUSTOM_EVENT
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip dhcp snooping limit rate 15
end
Packets are flowing again.
Switch#show mac address-table address b00c.d136.fa81
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
131 b00c.d136.fa81 DYNAMIC Gi3/0/21
Total Mac Addresses for this criterion: 1
Switch#show mac address-table interface gig 3/0/21
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
131 b00c.d136.fa81 DYNAMIC Gi3/0/21
Total Mac Addresses for this criterion: 1
Any ideas why this would be taking place?
It's just a single laptop connected to a single port.
Previously (last week) this port was connected to a dumb switch. It was looped on our network by mistake (two Cisco interfaces going to two dumb switchports), but the interfaces in question, including this one Gi3/0/21, have been shut/no shut a few times since. Also cleared out all addresses for that interface using the clear port-security command.
What I can't tell is WHY this interface is in violation. Aging is set, and max MACs is 50 even though this interface only has 1 MAC... Just not sure. I'm usually a Juniper person, so Cisco has me scratching my head for cases like this.
Any help is appreciated.
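A small check that makes the state described above obvious, added here as an example (it is not from the original post or from Cisco): it parses "show port-security interface" output (the sample is constructed from the output in this thread) and flags a port that keeps counting violations while holding zero secure addresses.

```python
import re

# Constructed sample, modelled on the "show port-security interface" output above.
SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 1 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 50
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : b00c.d136.fa81:131
Security Violation Count   : 25
"""

LINE = re.compile(r"^(.+?)\s*:\s+(.*)$")  # "Key   : value" (works with collapsed spaces too)

def parse_port_security(text):
    """Turn the key/value lines of the show command into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def diagnose(fields):
    """Return (severity, message) findings for one secured port."""
    total = int(fields["Total MAC Addresses"])
    maximum = int(fields["Maximum MAC Addresses"])
    violations = int(fields["Security Violation Count"])
    last_src = fields.get("Last Source Address:Vlan", "?")
    mode = fields["Violation Mode"].lower()
    findings = []
    if total >= maximum:
        findings.append(("high", f"secure MAC table full ({total}/{maximum}); new sources will violate"))
    if violations and total == 0:
        # The case in this thread: frames are rejected although nothing has been learned.
        findings.append(("high", f"{violations} violations but 0 secure MACs learned; "
                                 f"last rejected source {last_src} (inconsistent state)"))
    if violations and mode == "restrict":
        findings.append(("info", "restrict mode drops offending frames and counts them; "
                                 "the host sees a silent outage, not an err-disabled port"))
    return findings or [("ok", "no anomaly")]

if __name__ == "__main__":
    for severity, msg in diagnose(parse_port_security(SAMPLE)):
        print(f"[{severity}] {msg}")
```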
12-03-2020 12:43 PM
clear port-security dynamic interface x
Try this command to clear all MAC addresses learned from the previous dumb SW, then start connecting again.
Before connecting, you must not see any MAC in show port-security.
12-03-2020 12:57 PM
Did the "clear port-security dynamic interface gig 3/0/21",
Then a "show port-security interface gig 3/0/21"
Switch#show port-security interface gig 3/0/21
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 50
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : b00c.d136.fa81:131
Security Violation Count : 0
No MAC addresses, no violation count.
Do I need to do anything else before I re-enable the NIC on the client machine to test?
Specifically, what do you mean by "clear all mac address learn from the previous dump SW and start connect again"?
I thought that's what clearing out the addresses via the first command does.
And thank you for the help. I appreciate it.
12-03-2020 02:00 PM - edited 12-03-2020 03:08 PM
Now connect the NIC and see if there is a difference.
What I mean by "clear all mac..." is to explain why we need clear port-security dynamic: we do that to clear all MACs learned before from the dumb SW and start fresh again. The violation happens when the MACs exceed 50 or the MAC is different, so we clear all and start fresh.
So, friend, can you connect to see the result of this step?
Update me with the latest status.
12-04-2020 11:11 AM
Any update, friend?
12-04-2020 12:57 PM
Clearing all the mac's from the port security did not help. Still the same behavior.
12-04-2020 08:10 PM - edited 12-04-2020 08:10 PM
Hello
If you are reluctant to upgrade the switch, then how about reloading it and testing the connection again?
12-07-2020 07:29 AM
This is a production switch in a 24/7 manufacturing facility. I'll need to wait until the holiday shutdown for a reload.