3277 Views, 30 Helpful, 21 Replies

Port-Security issue, unexpected behavior

CGirouard, Level 1

Issue:

When port security is enabled, no traffic is being passed from a single device (no other devices connected). As soon as port security is disabled, traffic flows properly.

 

Port configuration as follows:

 

interface GigabitEthernet3/0/21
description UserPort
switchport access vlan 131
switchport mode access
switchport voice vlan 41
switchport port-security maximum 50
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
power inline auto max 15400
srr-queue bandwidth share 1 30 35 5
priority-queue out
macro description CISCO_CUSTOM_EVENT
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip dhcp snooping limit rate 15
end

 

Switch#show port-security interface gig 3/0/21
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 50
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : b00c.d136.fa81:131
Security Violation Count : 25

 

 

So if there are no MAC addresses, why am I still seeing violations?

 

MAC address connected to the port is b00c.d136.fa81

 

Switch#show mac address-table address b00c.d136.fa81
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

 

 

Doesn't show up on any interfaces. 

 

Switch#show mac address-table interface gig 3/0/21
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

 

Doesn't show up on the interface in question. 

 

But if I disable port security on that port using "no switchport port-security", the configuration becomes the following:

 

interface GigabitEthernet3/0/21
description UserPort
switchport access vlan 131
switchport mode access
switchport voice vlan 41
switchport port-security maximum 50
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
power inline auto max 15400
srr-queue bandwidth share 1 30 35 5
priority-queue out
macro description CISCO_CUSTOM_EVENT
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
ip dhcp snooping limit rate 15
end

 

Packets are flowing again. 

 

Switch#show mac address-table address b00c.d136.fa81
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
131 b00c.d136.fa81 DYNAMIC Gi3/0/21
Total Mac Addresses for this criterion: 1

 

Switch#show mac address-table interface gig 3/0/21
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
131 b00c.d136.fa81 DYNAMIC Gi3/0/21
Total Mac Addresses for this criterion: 1

 

 

Any ideas why this would be taking place?

 

It's just a single laptop connected to a single port. 

 

Previously (last week) this port was connected to a dumb switch. It was looped on our network by mistake (two Cisco interfaces going to two dumb switchports), but the interfaces in question, including this one Gi3/0/21, have been shut/no shut a few times since. Also cleared out all addresses for that interface using the clear port-security command. 

 

What I can't tell is WHY this interface is in violation. Aging is set, max MACs is 50 even though this interface only has 1 MAC.... Just not sure. I'm usually a Juniper person, so Cisco has me scratching my head for cases like this.

 

Any help is appreciated. 

 

 

 

21 Replies

clear port-security dynamic interface x

Try this command. It clears all MAC addresses learned from the previous dumb switch; then start connecting again.

Before connecting you must not see any MAC in show port-security.
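As an added example that is not part of this thread, the Python script below parses the `show port-security interface` output quoted in the original post and applies two checks: the contradiction the post asks about (a non-zero Security Violation Count while Total MAC Addresses is 0, in restrict mode, which drops the offending frames and increments the counter without err-disabling the port) and the precondition stated in the reply above (no secure MACs and no violations before the host is reconnected). The sample text is the thread's own output embedded as a constructed string; the function names and the finding wording are my own, not a Cisco tool.

```python
import re
from typing import Dict, List, Union

# Constructed sample: the `show port-security interface gig 3/0/21` output
# quoted in the original post, before `clear port-security dynamic`.
BEFORE_CLEAR = """\
Switch#show port-security interface gig 3/0/21
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 50
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : b00c.d136.fa81:131
Security Violation Count : 25
"""

# Constructed sample: the same port after the clear command, as shown later
# in the thread (violation counter back to 0, still no secure MACs).
AFTER_CLEAR = BEFORE_CLEAR.replace("Security Violation Count : 25",
                                   "Security Violation Count : 0")

# Fields that hold counters; everything else stays a string.
_INT_FIELDS = {
    "Maximum MAC Addresses", "Total MAC Addresses",
    "Configured MAC Addresses", "Sticky MAC Addresses",
    "Security Violation Count",
}

Fields = Dict[str, Union[str, int]]


def parse_port_security(text: str) -> Fields:
    """Turn 'Key : Value' lines into a dict; counters become ints.

    Splitting on the first ' : ' keeps 'Last Source Address:Vlan' intact as
    a key and 'b00c.d136.fa81:131' as its value.  Lines without the
    separator (the CLI prompt, blank lines) are ignored.
    """
    fields: Fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        key, value = key.strip(), value.strip()
        fields[key] = int(value) if key in _INT_FIELDS else value
    return fields


def diagnose(fields: Fields) -> List[str]:
    """Return human-readable findings about an inconsistent secure port."""
    findings: List[str] = []
    if fields.get("Port Security") != "Enabled":
        return ["port-security is not enabled on this port; nothing to check"]

    total = int(fields.get("Total MAC Addresses", 0))
    maximum = int(fields.get("Maximum MAC Addresses", 0))
    violations = int(fields.get("Security Violation Count", 0))
    last = str(fields.get("Last Source Address:Vlan", "unknown"))

    # The situation in the original post: the counter climbs but the port
    # never secures the address, so the host's frames are being dropped.
    if violations > 0 and total == 0:
        findings.append(
            f"{violations} violations recorded but no secure MAC is learned; "
            f"last offending source {last}")
    # The ordinary reason for violations: the address limit is reached.
    if maximum and total >= maximum:
        findings.append(f"secure address limit reached ({total}/{maximum})")
    # Restrict mode drops the offending frames and increments the counter;
    # unlike shutdown mode it does not err-disable the port, so the port
    # can show 'Secure-up' while traffic is silently discarded.
    if violations > 0 and fields.get("Violation Mode") == "Restrict":
        findings.append(
            "violation mode is restrict: offending frames are dropped and "
            "counted, the port stays up")
    return findings


def ready_to_reconnect(fields: Fields) -> bool:
    """The reply's precondition: no secure MACs and no violations before
    the host's NIC is re-enabled."""
    return (int(fields.get("Total MAC Addresses", 0)) == 0
            and int(fields.get("Security Violation Count", 0)) == 0)


if __name__ == "__main__":
    for label, sample in (("before clear", BEFORE_CLEAR),
                          ("after clear", AFTER_CLEAR)):
        parsed = parse_port_security(sample)
        print(f"{label}: ready_to_reconnect={ready_to_reconnect(parsed)}")
        for finding in diagnose(parsed):
            print("  -", finding)
```

Run it as-is to see the two states side by side; to use it on a live switch, paste the output of `show port-security interface` into the string or read it from a file. The check is deliberately limited to what the CLI output states, so it reports the contradiction but does not claim a root cause.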

Did the "clear port-security dynamic interface gig 3/0/21", then a "show port-security interface gig 3/0/21":

 

Switch#show port-security interface gig 3/0/21
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 50
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : b00c.d136.fa81:131
Security Violation Count : 0

 

 

No MAC addresses, no violation count. 

 

Do I need to do anything else before I re-enable the NIC on the client machine to test?

 

Specifically, what do you mean by "clear all mac address learn from the previous dump SW and start connect again"?

 

I thought that's what clearing out the addresses via the first command does. 

 

And thank you for the help. I appreciate it. 

Now connect the NIC and see if there is a difference.

What I mean by "clear all MAC..." is to explain why we need clear port-security dynamic: we do that to clear all MACs learned before from the dumb switch and start fresh again. The violation happens when the MACs exceed 50 or the MAC is different, so we clear all and start fresh.

So, friend, can you connect to see the result of this step?
Update me with the last status.

Any update, friend?

Clearing all the MACs from port security did not help. Still the same behavior.

Hello

If you are reluctant to upgrade the switch, then how about reloading it and testing the connection again?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

This is a production switch in a 24/7 manufacturing facility. I'll need to wait until the holiday shutdown for a reload. 
