Port-Security issue, unexpected behavior

CGirouard
Level 1

Issue:

When port security is enabled, no traffic is being passed from a single device (no other devices connected). As soon as port security is disabled, traffic flows properly.

Port configuration as follows:

interface GigabitEthernet3/0/21
description UserPort
switchport access vlan 131
switchport mode access
switchport voice vlan 41
switchport port-security maximum 50
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
power inline auto max 15400
srr-queue bandwidth share 1 30 35 5
priority-queue out
macro description CISCO_CUSTOM_EVENT
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip dhcp snooping limit rate 15
end

Switch#show port-security interface gig 3/0/21
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 50
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : b00c.d136.fa81:131
Security Violation Count : 25

So if there are no MAC addresses, why am I still seeing violations?

MAC address connected to the port is b00c.d136.fa81

Switch#show mac address-table address b00c.d136.fa81
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

Doesn't show up on any interfaces.

Switch#show mac address-table interface gig 3/0/21
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

Doesn't show up on the interface in question.

But if I disable port security on that port using "no switchport port-security", the configuration becomes the following:

interface GigabitEthernet3/0/21
description UserPort
switchport access vlan 131
switchport mode access
switchport voice vlan 41
switchport port-security maximum 50
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
power inline auto max 15400
srr-queue bandwidth share 1 30 35 5
priority-queue out
macro description CISCO_CUSTOM_EVENT
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip dhcp snooping limit rate 15
end

Packets are flowing again.

Switch#show mac address-table address b00c.d136.fa81
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
131 b00c.d136.fa81 DYNAMIC Gi3/0/21
Total Mac Addresses for this criterion: 1

 

Switch#show mac address-table interface gig 3/0/21
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
131 b00c.d136.fa81 DYNAMIC Gi3/0/21
Total Mac Addresses for this criterion: 1

Any ideas why this would be taking place?

It's just a single laptop connected to a single port.

Previously (last week) this port was connected to a dumb switch. It was looped on our network by mistake (two Cisco interfaces going to two dumb switchports), but the interfaces in question, including this one, Gi3/0/21, have been shut/no shut a few times since. I also cleared out all addresses for that interface using the clear port-security command.

What I can't tell is WHY this interface is in violation. Aging is set, and max MACs is 50 even though this interface only has 1 MAC. Just not sure. I'm usually a Juniper person, so Cisco has me scratching my head for cases like this.

Any help is appreciated.

21 Replies

Reza Sharifi
Hall of Fame

Hi,

Can you change the aging time to a different number?

switchport port-security aging time 1

to 

switchport port-security aging time 5

and test again?

HTH

Hello

Default that port and reapply the configuration.

conf t
default interface gig 3/0/21
int gig 3/0/21
shut
switchport host
switchport access vlan 131
switchport voice vlan 41
switchport port-security
switchport port-security aging type inactivity
switchport port-security violation restrict
ip dhcp snooping limit rate 15
power inline auto max 15400
srr-queue bandwidth share 1 30 35 5
priority-queue out
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
no shut


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Defaulted it out.

Ran commands as you specified. Disabled/re-enabled interface on PC. Still no received packets.

Then disabled port security:

config t
int gig 3/0/21
no switchport port-security
end

Disabled/re-enabled interface on PC, gets an IP instantly, packets flowing freely.

Is there a way to tell what the violations are on a port?
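As an added example (not code from the thread or from Cisco), a small Python audit that parses "show port-security interface" output for several ports and flags the exact pattern in this thread: the violation counter climbing while Total MAC Addresses stays at 0, so such a port can be picked out by a monitoring job rather than by reading each interface by hand. The Gi3/0/21 text is the output posted above; the Gi3/0/22 text is constructed as a healthy port for contrast.

```python
import re

# Gi3/0/21 is the output posted in the thread; Gi3/0/22 is a constructed healthy port.
SAMPLE_OUTPUT = {
    "Gi3/0/21": """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 50
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : b00c.d136.fa81:131
Security Violation Count : 25
""",
    "Gi3/0/22": """\
Port Security : Enabled
Total MAC Addresses : 1
Last Source Address:Vlan : 0011.2233.4455:131
Security Violation Count : 0
""",
}

def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict; values with a leading integer become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue
        m = re.match(r"(\d+)\b", value.strip())  # "1 mins" -> 1, "25" -> 25
        fields[key.strip()] = int(m.group(1)) if m else value.strip()
    return fields

def stuck_violations(fields):
    """The symptom in the thread: security enabled and violations counted,
    yet no address has been secured on the port."""
    return (fields.get("Port Security") == "Enabled"
            and fields.get("Security Violation Count", 0) > 0
            and fields.get("Total MAC Addresses", 0) == 0)

def audit(outputs):
    """(port, last source address:vlan, violation count) for every stuck port."""
    return [(port, f["Last Source Address:Vlan"], f["Security Violation Count"])
            for port, f in ((p, parse_port_security(t)) for p, t in outputs.items())
            if stuck_violations(f)]
```

The Last Source Address field is the only per-port clue IOS gives about which frame tripped the counter, so the audit carries it through for comparison against the host you expect on that port.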

Hello

Can you test on a different port (same config) or with a different host and port?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Same behavior on two different ports (3/0/21 and 3/0/22) with a number of different devices.

This is a production switch, so 3/0/22 is plugged into a dumb switch (no longer looped) with port security disabled to keep the systems up and running. 3/0/21 was an open port next to it with identical config exhibiting identical behavior. The on-site tech has tried switching from one to the other a few times in an effort to troubleshoot this issue.

I had him bring a laptop down to the networking closet to plug into one of these troublesome ports so I could continue to troubleshoot while having a non-production device go up and down.

Okay 

Possible software bug - Here
Symptom:
When port security is enabled on a port traffic inbound on that port may cease to be forwarded by
the switch and the source MAC address for the traffic is not learned in the switch's MAC address
forwarding table. The result is connectivity problems for the device(s) on that port.

Workaround: Disabled port security on the port

Try upgrading the switch IOS


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX3, RELEASE SOFTWARE (fc1)

Unfortunately that bug doesn't look like it applies here.

Apologies, I posted the wrong bug; the edited link / bug just states no workaround and suggests an IOS upgrade.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

That particular bug is in the 8.x range of software; we're in 15.x.

I really wish Cisco would put some sort of information in that bug report to show what software version this bug is resolved in. I'd hate to go through all the downtime of upgrading only to have it still be an issue.

Hello

I understand what you're saying; it could be that this hasn't been reported for that IOS train, though it has been known to happen.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for the insight.

As I said, this is my first real head scratcher in Cisco land, so I'm new to not only the hardware, but the company itself. Knowing that others experience similar things is helpful.

Do "show port-security address".

I think this MAC is known by another port.

Static vs dynamic: static addresses are not affected by the aging time.

Check the table and, if you can, show it to me.

The MAC address in question (b00c.d136.fa81) never shows up in the table once security is enabled on that port.

-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 28
Max Addresses limit in System (excluding one mac per port) : 16384

This "show port-security address" output, did you take it when port security was enabled on the interface or when it was disabled?
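As an added example (not code from the thread or from Cisco), a check for the hypothesis raised above, that the laptop's MAC is already known by another port: it parses "show port-security address" output and reports any other port in the same VLAN on which a given MAC is secured, which is one of the documented conditions under which a restrict-mode port counts a violation without learning the address. The table below is constructed in the layout of the real command; its MACs and ports are made up, apart from the thread's b00c.d136.fa81, which the scenario places on an assumed Gi1/0/5.

```python
import re

# Constructed sample in the layout of "show port-security address". The rows are
# made up; b00c.d136.fa81 (the laptop in the thread) is shown as secured on an
# assumed port Gi1/0/5 in VLAN 131 to illustrate the "known by another port" case.
SAMPLE_TABLE = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
 131    0011.2233.4455    SecureDynamic                 Gi1/0/1        1 (I)
  41    0011.2233.4456    SecureDynamic                 Gi1/0/1        1 (I)
 131    b00c.d136.fa81    SecureDynamic                 Gi1/0/5      < 1 (I)
 131    0011.2233.4499    SecureSticky                  Gi3/0/20          -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 3
"""

# A data row starts with the VLAN number, then a dotted-hex MAC, a type and a port;
# header, separator and total lines do not match this shape.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def parse_secure_table(text):
    """Return one dict per secured address: vlan, mac (lower-case), type, port."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append({"vlan": int(m.group(1)), "mac": m.group(2).lower(),
                            "type": m.group(3), "port": m.group(4)})
    return entries

def secured_elsewhere(entries, mac, vlan, port):
    """Ports other than `port` on which `mac` is secured in `vlan`. A non-empty
    result explains a restrict violation on `port` even with 0 learned MACs there."""
    return [e["port"] for e in entries
            if e["mac"] == mac.lower() and e["vlan"] == vlan and e["port"] != port]
```

Run against a real capture of the command, an empty result for the port's VLAN rules this cause out and leaves the software-bug explanation discussed earlier in the thread.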
