03-19-2009 04:58 AM - edited 03-06-2019 04:41 AM
I have an environment without VoIP.
This is the reason why max MAC is 1 everywhere. Aging is not required because a user disconnection means a flush of the MAC.
I want some ports to have a static secure MAC address. If another user connects to this port, the port has to stay up but the packets should be dropped. > restricted mode
User ports have the following configuration:
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
end
special ports:
switchport nonegotiate
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address aaaa.bbbb.cccc
When I connect my PC, the test MAC appears in the static MAC table:
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0015.62a2.fcc0 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
50 aaaa.bbbb.cccc STATIC Fa0/3
When I disconnect, the last entry disappears
Very strange...
show port-security interface fas0/3
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0021.709f.59b4
Security Violation Count : 350
>> security violation count increments.
But when connected, I'm still able to ping the SVI????? My laptop violates but is still able to ping > packets are not dropped??
show logging
000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000049: *Mar 1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000050: *Mar 1 01:07:45.015 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
How can I avoid that a device other than the configured MAC is able to ping?
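As an added example (not code from the thread or from Cisco), a small Python parser that reads the show port-security interface output and the %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines in the format shown above and turns them into a per-port finding; the sample text is constructed from that format and audit_port is a hypothetical helper name.

```python
import re
from collections import Counter
# Constructed sample input in the format of the thread's show/syslog output.
SHOW_PORT_SECURITY = """\
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Last Source Address : 0021.709f.59b4
Security Violation Count : 350
"""
SYSLOG = """\
000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000049: *Mar 1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
"""
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address ([0-9a-f.]+) on port ([\w/]+)")

def parse_show_port_security(text):
    """Turn 'Key : Value' lines into a dict; values that start with a number become ints."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = (s.strip() for s in line.split(" : ", 1))
        first = value.split()[0] if value else ""
        fields[key] = int(first) if first.isdigit() else value
    return fields

def parse_violations(log):
    """Count PSECURE_VIOLATION syslog events per (port, offending MAC)."""
    counts = Counter()
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts

def audit_port(port, secure_mac, show_text, log):
    """Hypothetical helper: combine show output and syslog into findings for one port."""
    f = parse_show_port_security(show_text)
    offending = {mac: n for (p, mac), n in parse_violations(log).items() if p == port}
    return {
        "mode": f.get("Violation Mode"),
        "violation_count": f.get("Security Violation Count", 0),
        "last_source_is_secure": f.get("Last Source Address") == secure_mac,
        "offending_macs": offending,
        # In restrict mode the port stays up, so the rising count and the syslog
        # lines are the on-switch signals worth alerting on.
        "alert": f.get("Violation Mode") == "Restrict" and f.get("Security Violation Count", 0) > 0,
    }
```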
03-19-2009 06:36 AM
Hi Jan ,
I think your special port doesn't have MAX MAC configured, and that is one of the reasons.
HTH
DAK
03-19-2009 06:41 AM
Hi,
Yes, I did.
It doesn't show up because it's the default.
See also the output:
Maximum MAC Addresses : 1
03-19-2009 06:45 AM
Could you please try to configure the aging? Maybe it could have an effect on it.
I know you intentionally don't want to enable it.
03-19-2009 08:34 AM
03-19-2009 09:06 AM
Problem solved:
Configuration was OK ;)
I added another switch, configured an SVI there, and then the result was satisfying:
ping -t from my laptop
Request time-out
If I remove the static secure MAC
reply
If I wanted to add the secure MAC again:
Error, max MAC already reached
If I disconnected my laptop, I was able to add the secure MAC again.
I had to ping a hop further.
03-19-2009 09:33 AM
Hello ,
Please, I would like to know what went wrong then.
Thanks
03-19-2009 09:49 AM
My setup
Laptop---------switch 10.0.0.2
10.0.0.1
ping -t 10.0.0.2
reply
Laptop----switch 10.0.0.2-------switch 10.0.0.3
ping -t 10.0.0.3
time-out
time-out
time-out
time-out
time-out
...
time-out
When I removed the secure MAC from my port, I received replies from 10.0.0.3.
I did a continuous ping.
Probably packets sourced from another MAC are dropped when leaving the switch?