05-16-2022 02:33 AM - edited 05-17-2022 01:17 AM
Hello,
I’ve run into a port security problem on small business Cisco switches (SG350X, CBS350). In my configuration port security limits the maximum number of dynamic addresses on a port. Sometimes the switch stops learning new addresses without reaching the limit. After sequentially disabling and re-enabling port security on an affected port the problem disappears for an indefinite time (from hours to days). Details are below:
CBS350-16T-E-2G 16-Port Gigabit Managed Switch, Version: 3.0.0.69
sw30#sh ip dhcp snooping binding mac-address f8:32:e4:be:64:ad
Total number of binding: 49

MAC Address         IP Address      Lease (sec)  Type       VLAN Interface
------------------  --------------- ------------ ---------- ---- ----------
f8:32:e4:be:64:ad   10.11.7.165     531          learned    10   gi5

sw30#sh mac address-table address f8:32:e4:be:64:ad
Flags: I - Internal usage VLAN
Aging time is 300 sec

Vlan         Mac Address           Port       Type
------------ --------------------- ---------- ----------

sw30#sh mac address-table int gi5
Flags: I - Internal usage VLAN
Aging time is 300 sec

Vlan         Mac Address           Port       Type
------------ --------------------- ---------- ----------
10           04:42:1a:04:76:87     gi5        dynamic
10           7c:2f:80:46:33:ac     gi5        dynamic
10           7c:2f:80:5f:ed:70     gi5        dynamic
10           7c:2f:80:c7:09:de     gi5        dynamic
10           7c:2f:80:f7:cb:9b     gi5        dynamic
10           b0:0c:d1:e2:36:ce     gi5        dynamic

sw30#sh system tcam utilization
System: 12%

Unit   TCAM utilization[%]
------ -------------------
1      12

sw30#sh mac address-table count
Capacity : 16384
Free : 15941
Used unicast : 442
Used multicast : 1
Used IPv4 hosts : 0
Used IPv6 hosts : 0 (each IPv6 host consumes 2 entries in MAC address table)
Secure : 0
Dynamic unicast : 440
Static unicast : 0
Internal : 2

sw30#sh run int gi5
interface GigabitEthernet5
 storm-control broadcast level 10
 storm-control multicast level 10
 port security max 100
 port security mode max-addresses
 port security discard
 switchport access vlan 10

sw30#conf t
sw30(config)#int gi5
sw30(config-if)#no port security
sw30(config-if)#port security discard

sw30#sh mac address-table address f8:32:e4:be:64:ad
Flags: I - Internal usage VLAN
Aging time is 300 sec

Vlan         Mac Address           Port       Type
------------ --------------------- ---------- ----------
10           f8:32:e4:be:64:ad     gi5        dynamic
05-16-2022 03:27 AM
Almost 100% chance this is a bug. Upgrade the switch to 3.1.1.7.
05-17-2022 12:45 AM
I’ve upgraded to 3.1.1.7.
It may be a bug, but the problem appears not only on CBS350, but on SG350X (latest 2.5.8.15) and SF350 (2.5.0.83) too. My configuration is pretty common (I think), but I can’t find any mention of this “bug” on the web. Maybe I am doing something wrong.
05-16-2022 07:00 AM
OK,
Did you configure port-security and IP DHCP snooping on a trunk? Is that why there are so many MAC addresses appearing?
Can you confirm where you configured port-security and IP DHCP snooping?
05-17-2022 12:46 AM - edited 05-17-2022 12:49 AM
I use port-security for limiting the maximum number of dynamic addresses on access ports and on trunks too. IP DHCP snooping is configured on certain VLANs (config below). The problem is that DHCP snooping “sees” requests from the client, but the client address is absent from the FDB. At the same time the command “sh mac address-table” on the client port shows that the address count is far below the port-security limit.

sw30#sh ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping is configured on following VLANs: 1,9-10
DHCP snooping database is Disabled
Relay agent Information option 82 is Disabled
Option 82 on untrusted port is forbidden
Verification of hwaddr field is Enabled

Interface   Trusted
----------- ------------
gi16        Yes
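One way to check the symptom described in this thread (a DHCP snooping binding whose MAC address has no dynamic FDB entry on the expected port) across a whole switch rather than one address at a time, as an added example that is not from the original thread: the script below parses the text of "show ip dhcp snooping binding" and "show mac address-table" and lists the mismatches. The sample outputs are constructed to mirror the column layout shown above.

```python
import re

# Simple matcher for a colon-separated MAC as printed by the 350-series CLI.
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample of "sh ip dhcp snooping binding" output (not real captures).
SNOOPING_OUTPUT = """\
sw30#sh ip dhcp snooping binding
Total number of binding: 2
MAC Address         IP Address      Lease (sec)  Type       VLAN Interface
------------------  --------------- ------------ ---------- ---- ----------
f8:32:e4:be:64:ad   10.11.7.165     531          learned    10   gi5
7c:2f:80:46:33:ac   10.11.7.20      1200         learned    10   gi5
"""

# Constructed sample of "sh mac address-table" output; f8:32:... is missing.
FDB_OUTPUT = """\
sw30#sh mac address-table int gi5
Flags: I - Internal usage VLAN
Aging time is 300 sec
Vlan         Mac Address           Port       Type
------------ --------------------- ---------- ----------
10           7c:2f:80:46:33:ac     gi5        dynamic
"""


def parse_snooping_bindings(output):
    """Return {mac: (ip, vlan, interface)} from the binding table lines."""
    bindings = {}
    for line in output.splitlines():
        fields = line.split()
        # Data rows have exactly 6 columns and start with a MAC address.
        if len(fields) == 6 and MAC_RE.match(fields[0].lower()):
            mac, ip, _lease, _kind, vlan, iface = fields
            bindings[mac.lower()] = (ip, vlan, iface)
    return bindings


def parse_mac_table(output):
    """Return {(vlan, mac): port} from the MAC address table lines."""
    entries = {}
    for line in output.splitlines():
        fields = line.split()
        # Data rows have exactly 4 columns with the MAC in the second one.
        if len(fields) == 4 and MAC_RE.match(fields[1].lower()):
            vlan, mac, port, _kind = fields
            entries[(vlan, mac.lower())] = port
    return entries


def find_missing(bindings, fdb):
    """Bindings with no FDB entry for (vlan, mac) on the binding's interface."""
    return [(mac, ip, vlan, iface) for mac, (ip, vlan, iface) in sorted(bindings.items())
            if fdb.get((vlan, mac)) != iface]
```

Feed the real outputs of both commands into the two parsers to get the list of clients that DHCP snooping knows about but the FDB has dropped, which is the condition worth alerting on before port security silently discards their traffic.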
05-17-2022 03:33 AM - edited 05-17-2022 03:40 AM
Some additional comment.
I have a guess that the problem might be connected with Wi-Fi random hardware addresses. IIRC, it appeared only on ports with a Wi-Fi AP behind them (not necessarily connected directly; there may be other switches between the problematic switch and the AP). Indeed, if 350-series switches have a bug in the dynamic address aging code, clients with Wi-Fi random hardware addresses may amplify the effect.