Port security maximum keeps allocating MAC addresses to ports

AMACOMX
Level 1

We've configured port security on a 3650 switch using switchport port-security maximum 2; just a day after the configuration, people started to state there is no network.

Investigating with show interfaces status showed error-disabled for some ports.

Checking show mac address-table interface gigabitEthernet x/x/x on the disabled ports gave 2 MAC addresses: one of them is the intended machine and the other is not. Say the intended is FF:F1 and the non-intended is AA:AA.

Checking the MAC address table on the other ports with the error-disabled status also showed the intended MAC for the machine, say FF:F2, but also the second MAC AA:AA.

*Each disabled port showed the right machine and the AA:AA MAC.

Out of curiosity we changed the config to switchport port-security maximum 3, and did shutdown then no shutdown; this locked the ports again and showed the intended MAC FF:F1, the unintended AA:A1 and another unintended AA:A2.


We raised the maximum to 5 and we get a variety of nice fake/unintended MAC addresses; the environment is large and it's hard to check if an unintended MAC is a real machine with an issue.


Also, arp -a on the computers doesn't show the fake MAC address.


The issue is with stacked pairs of Catalyst 3650 switches.

The environment has Citrix VDI running on HP thin clients, printers and normal computers.

The port security config is:

Per port:

switchport port-security
switchport port-security maximum 2

Global config:

errdisable recovery cause bpduguard
errdisable recovery cause link-flap
errdisable recovery cause psecure-violation
errdisable recovery cause mac-limit
errdisable recovery interval 1800


The version of the IOS running is:

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24PD 03.03.05SE cat3k_caa-universalk9 INSTALL


The question is, how do I troubleshoot this issue?

We did add all the clients as of Wednesday early morning.

moe52689
Level 1

It seems that we have found the culprit; we are still testing the issue so nothing is sure yet.

Here's the link for the thread:

https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/m-p/2240440#M259490

I'd recommend checking it out for anyone facing the same issue that we had.

AMACOMX
Level 1

Well, as @moe52689 stated, the problem was actually a feature from SCCM.

Quote:

"The redirection is achieved by the manager computer broadcasting an Ethernet frame that uses the sleeping computer’s MAC address as the source address. This makes the network switch behave as if the sleeping computer has moved to the same port that the manager computer is on. The manager computer also sends ARP packets for the sleeping computers to keep the entry fresh in the ARP cache. The manager computer will also respond to ARP requests on behalf of the sleeping computer and reply with the MAC address of the sleeping computer.

Warning:

During this process, the IP-to-MAC mapping for the sleeping computer remains the same. Wake-up proxy works by informing the network switch that a different network adapter is using the port that was registered by another network adapter. However, this behavior is known as a MAC flap and is unusual for standard network operation. Some network monitoring tools look for this behavior and can assume that something is wrong. Consequently, these monitoring tools can generate alerts or shut down ports when you use wake-up proxy.

Do not use wake-up proxy if your network monitoring tools and services do not allow MAC flaps"

After disabling this feature the network went back to normal and this issue never emerged again.

Hello,

Thanks for providing feedback on this strange issue.

From a networking point of view this feature is not well behaved.

>> The redirection is achieved by the manager computer broadcasting an Ethernet frame that uses the sleeping computer’s MAC address as the source address

This is something that is conceptually wrong and not compatible with port security.


However, you had seen multiple MAC addresses on multiple ports so I wonder if multiple "manager computers" are present in your network.


Best Regards

Giuseppe
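One way to sift a large switch stack for the pattern described in this thread, as an added example that is not from the thread or from Cisco: the script below parses constructed 'show mac address-table' output (the addresses, port names and the assumed uplink Gi1/1/1 are made up) and reports addresses seen on more than one access port, which is the MAC-flap signature the wake-up proxy documentation quoted above produces, plus the access ports holding more secure addresses than the configured maximum. Because the spoofed frames carry the sleeping computer's MAC as their source, the ports listed for a shared address are the ones where the manager computers are attached, which answers the question of whether more than one manager is present.

```python
import re
from collections import defaultdict

# Constructed sample in 'show mac address-table' style (addresses and ports are
# made up, not from the thread): each secure access port holds its own host plus
# the same extra address, the pattern the thread describes; Gi1/1/1 is assumed
# to be the stack uplink.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    00ff.00ff.fff1    STATIC      Gi1/0/1
  10    aaaa.aaaa.aaaa    STATIC      Gi1/0/1
  10    00ff.00ff.fff2    STATIC      Gi1/0/2
  10    aaaa.aaaa.aaaa    STATIC      Gi1/0/2
  10    00ff.00ff.fff3    STATIC      Gi2/0/7
  10    aaaa.aaaa.aaaa    STATIC      Gi2/0/7
  10    0000.5e00.0101    DYNAMIC     Gi1/1/1
"""
UPLINKS = frozenset({"Gi1/1/1"})  # assumed uplink; uplinks legitimately carry many MACs

# One data row: VLAN, dotted-hex MAC, learn type, port name (header lines do not match).
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return [(vlan, mac, type, port)] for every data row in the CLI output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind.upper(), port))
    return rows

def macs_on_multiple_access_ports(rows, uplinks=UPLINKS):
    """Map MAC -> sorted access ports for addresses seen on more than one port.
    A host MAC belongs on exactly one edge port, so this is the MAC-flap signature."""
    ports = defaultdict(set)
    for _, mac, _, port in rows:
        if port not in uplinks:
            ports[mac].add(port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}

def ports_over_limit(rows, maximum=2, uplinks=UPLINKS):
    """Map port -> MAC count for access ports exceeding the port-security maximum."""
    seen = defaultdict(set)
    for _, mac, _, port in rows:
        if port not in uplinks:
            seen[port].add(mac)
    return {port: len(m) for port, m in seen.items() if len(m) > maximum}
```

Feed it the output of the full 'show mac address-table' rather than the per-interface form, so that the same address showing up on several ports is visible in one pass.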
