07-30-2007 09:58 PM - edited 03-05-2019 05:35 PM
Hi,
I've got a 2950 configured with port security on fa0/13 and fa0/14, both with sticky learning. The results of a show run for each of these interfaces are shown below:
Current configuration : 291 bytes
!
interface FastEthernet0/13
switchport access vlan 34
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0014.22c4.45a9
spanning-tree portfast trunk
end
Switch#show run int fa0/14
Building configuration...
Current configuration : 285 bytes
!
interface FastEthernet0/14
switchport access vlan 34
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0014.22c4.45a9
spanning-tree portfast
end
According to the documentation it should not have been possible for the switch to learn the same MAC address for two secure ports. When plugging the laptop into the second port (fa0/14) the switch should have dropped all traffic based on the source MAC address already existing on another secure port (fa0/13) and logged a violation. Neither of these things happened.
Anyone able to help with this?
Cheers,
Ben.
07-31-2007 12:28 AM
Hi Ben,
Can you try one thing: replace the "spanning-tree portfast trunk" command with "spanning-tree portfast" on fa0/13 and check again.
rgds
07-31-2007 02:00 AM
Can you try these commands:
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity
07-31-2007 02:06 AM
Hi Ben,
I think, actually, what the sticky command does is: "It will save the MAC address of the laptop in the running config for that port, in your case fa0/14; it will not restrict if the same laptop is connected to the fa0/13 port, because it will stick the MAC address to that port, that's all. The sticky command will not make it a secure port."
The sticky command does not make the switch cross-check with other ports whether that source is already connected.
I think you will understand what I mean ....
Reg,
Arun
07-31-2007 02:53 AM
Hi Arun,
In my point of view, the sticky option will create a CAM table entry mapping the MAC address to the port. With this in mind, if the same secure MAC address appears on another port, it will result in multiple entries in the CAM table for that address.
I think this is not a desirable situation ...
rgds
07-31-2007 03:56 PM
Hi guys,
Thanks for the input so far. The following is an extract from Cisco's documentation on the 2950 config:
"Security Violations
It is a security violation when one of these situations occurs:
- The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN."
I understand that a port can't be a trunk, but I didn't think the portfast mode caused a port to be treated as a trunk. I have changed that config though, as suggested.
Also, is the secure MAC address only local to the switch, or does it get propagated around the network somehow?
Cheers,
Ben.
07-31-2007 07:34 PM
Hi Ben,
Is your original problem solved now ?
I don't think the secure MAC information gets propagated in the network.
rgds
07-31-2007 07:45 PM
No, the same problem still exists.
Ben.
08-03-2007 04:50 AM
Hi,
Sorry for the late reply; I saw your post that the problem is still there.
This is strange behaviour, that the same secure MAC address is allowed on different ports. OK, try this:
reconfigure the sticky configuration, clear the CAM table and check again.
I regret that presently I am not in a position to simulate this kind of test setup at my end.
Also, you have not defined the max number of secure MAC addresses a port can learn dynamically, so by default it is one; so you could also try connecting different desktops to the secure ports and then interchange the desktops' switch ports to check if port security is really being applied.
rgds
08-03-2007 10:28 AM
Ben,
Try this command:
switchport port-security maximum 1
Cheers.
08-05-2007 10:26 PM
Hi guys,
Thanks for the input. I have done both of those things already. The maximum 1 setting is the default and doesn't appear in the visible config even if you specifically type it. Following is the output from "show port-security" and the running config for both interfaces being tested:
======== config =========
switch#show port-sec
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/13 1 1 0 Shutdown
Fa0/14 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
switch#show run int fa0/13
Building configuration...
Current configuration : 240 bytes
!
interface FastEthernet0/13
switchport access vlan 34
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0014.22c4.45a9
spanning-tree portfast
end
switch#show run int fa0/14
Building configuration...
Current configuration : 240 bytes
!
interface FastEthernet0/14
switchport access vlan 34
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0014.22c4.45a9
spanning-tree portfast
end
======= end config ==========
As you can see, even after clearing the CAM tables and reloading the switch, the problem is still the same. I found a caveat saying that this can occur if you use "restrict" as the violation setting, so I tried both protect and shutdown but still see the same results.
The switch is running IOS ver 12.1(20)EA1. The same test on a similar switch with a later IOS version produces the result I would expect to see (i.e. port-security violation registered and second port not forwarding traffic).
Cheers,
Ben.
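One way to catch the second violation condition quoted from the 2950 documentation (a secure MAC learned on one secure interface appearing on another secure interface in the same VLAN) when the switch itself does not flag it, as it failed to here on 12.1(20)EA1, is an offline audit of the saved running config. This is an added example, not code from the thread or from Cisco; it assumes the config has been saved to text in the format posted above and that an interface without a "switchport access vlan" line sits in VLAN 1.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the running config posted above: the same
# sticky MAC on two secure ports in VLAN 34, plus one secure port that is clean.
SAMPLE_CONFIG = """\
interface FastEthernet0/13
 switchport access vlan 34
 switchport port-security
 switchport port-security mac-address sticky 0014.22c4.45a9
!
interface FastEthernet0/14
 switchport access vlan 34
 switchport port-security
 switchport port-security mac-address sticky 0014.22c4.45a9
!
interface FastEthernet0/15
 switchport access vlan 34
 switchport port-security
 switchport port-security mac-address sticky 0014.22c4.1111
!
"""

# Matches static and sticky secure MAC lines; the bare "mac-address sticky"
# line (no address) does not match because an address is required.
MAC_RE = re.compile(
    r"^\s*switchport port-security mac-address(?: sticky)? "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.I | re.M)

def parse_secure_ports(config):
    """Return {interface: (vlan, [secure MACs])} for port-security-enabled interfaces."""
    ports = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        m = re.match(r"interface (\S+)", block)
        if not m or not re.search(r"^\s*switchport port-security\s*$", block, re.M):
            continue  # not an interface block, or port security not enabled on it
        v = re.search(r"^\s*switchport access vlan (\d+)", block, re.M)
        vlan = v.group(1) if v else "1"  # assumption: access ports default to VLAN 1
        ports[m.group(1)] = (vlan, [x.lower() for x in MAC_RE.findall(block)])
    return ports

def find_duplicate_secure_macs(config):
    """Map (vlan, mac) -> sorted interfaces sharing it; only duplicates are returned."""
    seen = defaultdict(list)
    for iface, (vlan, macs) in parse_secure_ports(config).items():
        for mac in macs:
            seen[(vlan, mac)].append(iface)
    return {key: sorted(ifaces) for key, ifaces in seen.items() if len(ifaces) > 1}
```

Run it over a saved config: any non-empty result is a (VLAN, MAC) pair that the switch should have reported as a violation on the second port.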
08-07-2007 10:39 PM
Hi all,
In case anyone comes back to this thread, or picks it up in a search: I upgraded the IOS to ver 12.1(22)EA10 (which was the latest at the time for the Cat2950) and this has resolved the issue.
Unfortunately, nothing I tried prior to the IOS upgrade resolved the issue.
Cheers,
Ben.