
Port security problem on small business switches (SG350X, CBS350)


I’ve faced a port security problem on small business Cisco switches (SG350X, CBS350). In my configuration, port security limits the maximum number of dynamic addresses on a port. Sometimes the switch stops learning new addresses without reaching the limit. After sequentially disabling and re-enabling port security on an affected port, the problem disappears for an indefinite time (from hours to days). Details are below:

CBS350-16T-E-2G 16-Port Gigabit Managed Switch, Version:


sw30#sh ip dhcp snooping binding mac-address f8:32:e4:be:64:ad
Total number of binding: 49

   MAC Address       IP Address    Lease (sec)     Type    VLAN Interface
------------------ --------------- ------------ ---------- ---- ----------
f8:32:e4:be:64:ad     531          learned    10   gi5

sw30#sh mac address-table address f8:32:e4:be:64:ad
Flags: I - Internal usage VLAN
Aging time is 300 sec

    Vlan          Mac Address         Port       Type
------------ --------------------- ---------- ----------

sw30#sh mac address-table int gi5 
Flags: I - Internal usage VLAN
Aging time is 300 sec

    Vlan          Mac Address         Port       Type
------------ --------------------- ---------- ----------
     10        04:42:1a:04:76:87      gi5      dynamic
     10        7c:2f:80:46:33:ac      gi5      dynamic
     10        7c:2f:80:5f:ed:70      gi5      dynamic
     10        7c:2f:80:c7:09:de      gi5      dynamic
     10        7c:2f:80:f7:cb:9b      gi5      dynamic
     10        b0:0c:d1:e2:36:ce      gi5      dynamic

sw30#sh system tcam utilization   
System: 12%

       Unit         TCAM utilization[%]
------------------- -------------------
         1                  12

sw30#sh mac address-table count 
Capacity        : 16384 
Free            : 15941 
Used unicast    : 442 
Used multicast  : 1 
Used IPv4 hosts : 0 
Used IPv6 hosts : 0 (each IPv6 host consumes 2 entries in MAC address table)
Secure          : 0 
Dynamic unicast : 440 
Static unicast  : 0 
Internal        : 2 

sw30#sh run int gi5
interface GigabitEthernet5
 storm-control broadcast level 10 
 storm-control multicast level 10 
 port security max 100
 port security mode max-addresses 
 port security discard
 switchport access vlan 10

sw30#conf t
sw30(config)#int gi5
sw30(config-if)#no port security  
sw30(config-if)#port security discard 

sw30#sh mac address-table address f8:32:e4:be:64:ad
Flags: I - Internal usage VLAN
Aging time is 300 sec

    Vlan          Mac Address         Port       Type    
------------ --------------------- ---------- ---------- 
     10        f8:32:e4:be:64:ad      gi5      dynamic   


Almost 100% chance this is a bug. Upgrade the switch to

I’ve upgraded to
It may be a bug, but the problem appears not only on CBS350 but also on SG350X (latest and SF350 ( too. My configuration is pretty common (I think), but I can’t find mentions of this “bug” on the web. Maybe I’m doing something wrong.


Did you configure port-security and IP DHCP snooping on a trunk? Is that why so many MAC addresses appear?
Can you confirm where you configured port-security and IP DHCP snooping?

I use port-security to limit the maximum number of dynamic addresses on access ports and on trunks too. IP DHCP snooping is configured on certain VLANs (config below). The problem is that DHCP snooping “sees” requests from the client, but the client address is absent from the FDB. At the same time, the command “sh mac address-table” on the client port shows that the address count is far below the port-security limit.

sw30#sh ip dhcp snooping 
DHCP snooping is Enabled
DHCP snooping is configured on following VLANs: 1,9-10
DHCP snooping database is Disabled
Relay agent Information option 82 is Disabled
Option 82 on untrusted port is forbidden
Verification of hwaddr field is Enabled

 Interface    Trusted    
----------- ------------ 
gi16        Yes           
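
The mismatch described in this thread (a client holds a DHCP snooping binding on a port but has no MAC address table entry, while the port is below its port security max) can be checked from saved command output. The following Python is an added example, not part of any post; the function names, the PORT_MAX mapping and the sample data are assumptions constructed for illustration.

```python
import re
from collections import Counter

MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def parse_bindings(text):
    """'sh ip dhcp snooping binding' rows -> {mac: (vlan, port)}."""
    out = {}
    for f in map(str.split, text.lower().splitlines()):
        # MAC is first, VLAN and interface are last; the IP column may be blank.
        if len(f) >= 4 and MAC.fullmatch(f[0]) and f[-2].isdigit():
            out[f[0]] = (int(f[-2]), f[-1])
    return out

def parse_fdb(text):
    """'sh mac address-table' rows -> {(vlan, mac): (port, type)}."""
    out = {}
    for f in map(str.split, text.lower().splitlines()):
        if len(f) == 4 and f[0].isdigit() and MAC.fullmatch(f[1]):
            out[(int(f[0]), f[1])] = (f[2], f[3])
    return out

def unlearned_clients(bindings, fdb, port_max):
    """Clients with a binding but no FDB entry, on ports below their limit."""
    learned = Counter(p for p, t in fdb.values() if t == "dynamic")
    return [(port, vlan, mac, learned[port], port_max[port])
            for mac, (vlan, port) in sorted(bindings.items())
            if (vlan, mac) not in fdb and learned[port] < port_max.get(port, 0)]

# Constructed sample output (documentation MAC/IP ranges), not from a real switch.
SAMPLE_BINDINGS = """\
   MAC Address       IP Address    Lease (sec)     Type    VLAN Interface
------------------ --------------- ------------ ---------- ---- ----------
00:00:5e:00:53:01  192.0.2.11      531          learned    10   gi5
00:00:5e:00:53:02  192.0.2.12      8012         learned    10   gi5
00:00:5e:00:53:03                  120          learned    10   gi7
"""
SAMPLE_FDB = """\
    Vlan          Mac Address         Port       Type
------------ --------------------- ---------- ----------
     10        00:00:5e:00:53:02      gi5      dynamic
     10        00:00:5e:00:53:0a      gi5      dynamic
     10        00:00:5e:00:53:03      gi7      dynamic
"""
PORT_MAX = {"gi5": 100, "gi7": 100}  # assumed: 'port security max' per port, lowercase names
if __name__ == "__main__":
    b, f = parse_bindings(SAMPLE_BINDINGS), parse_fdb(SAMPLE_FDB)
    for port, vlan, mac, used, limit in unlearned_clients(b, f, PORT_MAX):
        print(f"{port} vlan {vlan}: {mac} bound but not learned ({used}/{limit} dynamic)")
```

A client that has been silent for longer than the aging time produces the same mismatch, so treat a hit as a candidate and confirm it over repeated polls.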




An additional comment.
I have a guess that the problem might be connected with Wi-Fi random hardware addresses. IIRC, it appeared only on ports with a Wi-Fi AP behind them (not necessarily connected directly – there may be other switches between the problematic switch and the AP). Indeed, if 350-series switches have a bug in the dynamic address aging code, clients with Wi-Fi random hardware addresses may amplify the effect.

