02-07-2019 12:37 AM - edited 03-08-2019 05:16 PM
Hello there,
I set up a Catalyst 2960X-48-TS-L stack of 8 members (don't know if this matters). IOS 15.2.(4)E7
I use MAC address authentication. Every access interface is configured like this:
interface GigabitEthernet1/0/1
switchport mode access
switchport port-security
authentication event no-response action authorize vlan 3000
authentication port-control auto
authentication violation restrict
mab
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 3
Every time I connect a device on a port it gets a port-security violation right away, e.g.:
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000e.c6e1.2059:5
Security Violation Count : 41
When I disable port-security it works like charm...
Have no clue on this, any help appreciated...
02-07-2019 12:43 AM
Hi there,
Although it is possible to configure port-security and MAB, it is not recommended. Both provide Layer 2 security via different means, so you should only really use one.
Let me see if I can find the document...
cheers,
Seb.
02-07-2019 12:55 AM
Thanks a lot for this information :-)
Although I have another stack of 2960X (IOS 15.0) and it works like a charm... Now I'm confused...
02-07-2019 01:33 AM
Seb is definitely right. I had to remove PS from all my user access switches when we rolled out ISE/NAC, as it kept re-authenticating every phone every few seconds.
02-07-2019 01:53 AM
What is the output for the following:
sh run all | beg <interface_name>
sh port-security interface <interface_name>
cheers,
Seb.
02-07-2019 03:43 AM
sh run all | begin (with no switchport port-security)
interface GigabitEthernet1/0/1
switchport access vlan 1
switchport access vlan 1
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block unicast
no switchport block multicast
switchport port-security maximum 65535 vlan voice
no switchport port-security mac-address sticky
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
carrier-delay 2
no shutdown
tx-ring-limit 0
tx-queue-limit 0
cdp tlv location
cdp tlv server-location
cdp tlv app
ipv6 mld snooping tcn flood
authentication control-direction both
authentication event no-response action authorize vlan 3000
authentication host-mode single-host
no authentication open
authentication linksec policy should-secure
authentication port-control auto
no authentication periodic
authentication timer reauthenticate 3600
authentication timer restart 60
authentication timer inactivity 0
authentication timer absolute 0
authentication timer method 0
authentication timer unauthorized 0
authentication timer inte template 0
authentication violation restrict
no authentication fallback
mab radius
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
mls qos cos 0
no onep application openflow exclusive
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast edge trunk
spanning-tree portfast edge
spanning-tree portfast network
spanning-tree bpduguard enable
spanning-tree port-priority 128
spanning-tree cost 0
channel-group auto
hold-queue 75 in
hold-queue 40 out
ip igmp snooping tcn flood
ip dhcp snooping limit rate 3
no ip dhcp snooping trust
no ip dhcp snooping information option allow-untrusted
02-07-2019 03:57 AM
I also noticed that in the new stack i have a part of interface configuration which says only :
switchport port-security maximum 65535 vlan voice
other stack working with mab and port-security has:
switchport port-security maximum 1
switchport port-security maximum 65535 vlan
switchport port-security maximum 65535 vlan access
switchport port-security maximum 65535 vlan voice
02-07-2019 04:02 AM
What is the show run all of the switchport with port-security and MAB working happily together?
02-07-2019 04:05 AM
interface GigabitEthernet1/0/1
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 1
switchport port-security maximum 65535 vlan
switchport port-security maximum 65535 vlan access
switchport port-security maximum 65535 vlan voice
switchport port-security
switchport port-security aging time 0
switchport port-security violation shutdown
switchport port-security aging type absolute
switchport port-security limit rate invalid-source-mac 10
no switchport port-security mac-address sticky
no switchport port-security aging static
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
authentication control-direction both
authentication event no-response action authorize vlan 3000
authentication host-mode single-host
no authentication open
authentication linksec policy should-secure
authentication port-control auto
no authentication periodic
authentication timer restart 60
authentication timer reauthenticate 3600
authentication timer inactivity 0
authentication violation restrict
no authentication fallback
ipv6 mld snooping tcn flood
mab radius
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
mls qos cos 0
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
cdp tlv location
cdp tlv server-location
cdp tlv app
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree port-priority 128
spanning-tree cost 0
hold-queue 75 in
hold-queue 0 out
ip igmp snooping tcn flood
ip dhcp snooping limit rate 3
no ip dhcp snooping trust
no ip dhcp snooping information option allow-untrusted
!
02-07-2019 04:22 AM
OK, I've learnt something. Those lines:
switchport port-security maximum 65535 vlan
switchport port-security maximum 65535 vlan access
switchport port-security maximum 65535 vlan voice
...override the standard config to limit per port:
switchport port-security maximum 1
...I can't seem to find any mention in the official configuration guides which explains the behavior, other than the example you have given. I'm sure if you removed the maximum xxx commands from the switchport, the MAB/port-security combo wouldn't work so well.
Out of interest what platform/ software version are you using?
cheers,
Seb.
02-07-2019 04:24 AM
Catalyst 2960X IOS 15.2.(4)E7
P.S.
In your opinion - should I or should I not use mab & PS?
02-07-2019 04:28 AM
Don't mix them. It is not recommended and as you have found out, different platforms have quirks that produce unexpected results.
cheers,
Seb.
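The thread boils down to two checks a practitioner would want to run across a whole stack before blaming the platform: which access ports carry port-security and MAB/802.1X at the same time, and on those ports, whether the per-port "maximum 1" stands alone or is accompanied by the per-VLAN "maximum 65535 vlan ..." entries that the working stack above showed. The script below is an added example, not code from the original posts or from Cisco: it parses "show run all | begin interface" style output into per-interface blocks, flags the combinations discussed in the thread (both mechanisms enabled; "maximum 1" with no per-VLAN maximums; a port-security violation mode that differs from the "authentication violation" mode, port-security defaulting to shutdown), and also parses "show port-security interface" output to tell whether a port is already in Secure-shutdown. The interface names and config lines in SAMPLE_RUN_ALL and SAMPLE_SHOW_PS are constructed for the example and are not the poster's switch.

```python
"""Audit Catalyst access ports for the port-security / MAB mix discussed above.
Added example with constructed sample input; not from the original thread."""
import re
from collections import OrderedDict

# Constructed sample (hypothetical interfaces) in "show run all | begin interface" form.
SAMPLE_RUN_ALL = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 authentication port-control auto
 authentication violation restrict
 mab
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 authentication violation restrict
 mab
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security maximum 65535 vlan access
 switchport port-security maximum 65535 vlan voice
 switchport port-security violation restrict
 authentication port-control auto
 authentication violation restrict
 mab
"""

# Constructed sample of "show port-security interface" output (values made up).
SAMPLE_SHOW_PS = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Last Source Address:Vlan   : 000e.c6e1.2059:5
Security Violation Count   : 41
"""

PS_MAX_PORT = re.compile(r"^switchport port-security maximum (\d+)$")
PS_MAX_VLAN = re.compile(r"^switchport port-security maximum (\d+) vlan(?: (\S+))?$")
PS_VIOLATION = re.compile(r"^switchport port-security violation (\S+)$")
AUTH_VIOLATION = re.compile(r"^authentication violation (\S+)$")
SHOW_FIELD = re.compile(r"^(.+?)\s*:\s+(.*)$")


def parse_interfaces(text):
    """Return an ordered {interface_name: [stripped config lines]} mapping."""
    blocks = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def first_match(pattern, lines):
    """First regex match of pattern over lines, or None."""
    for line in lines:
        m = pattern.match(line)
        if m:
            return m
    return None


def audit_port(lines):
    """Findings for one interface; empty when only one mechanism (or none) is on."""
    ps_on = "switchport port-security" in lines
    nac_on = "mab" in lines or "authentication port-control auto" in lines
    if not (ps_on and nac_on):
        return []
    findings = ["port-security and MAB/802.1X both enabled on the same port"]

    per_port = first_match(PS_MAX_PORT, lines)
    per_vlan = [m for m in (PS_MAX_VLAN.match(l) for l in lines) if m]
    if per_port and int(per_port.group(1)) == 1 and not per_vlan:
        findings.append("per-port maximum 1 with no per-VLAN maximum entries "
                        "(the working stack in the thread also had "
                        "'maximum 65535 vlan access/voice' lines)")

    ps_mode_m = first_match(PS_VIOLATION, lines)
    ps_mode = ps_mode_m.group(1) if ps_mode_m else "shutdown"  # IOS default
    auth_m = first_match(AUTH_VIOLATION, lines)
    if auth_m and auth_m.group(1) != ps_mode:
        findings.append("violation modes differ: port-security '%s' vs "
                        "authentication '%s'" % (ps_mode, auth_m.group(1)))
    return findings


def audit_config(text):
    """{interface: [findings]} for every flagged port in a running config."""
    result = {}
    for name, lines in parse_interfaces(text).items():
        findings = audit_port(lines)
        if findings:
            result[name] = findings
    return result


def parse_show_port_security(text):
    """Parse 'show port-security interface' into {field: value}."""
    fields = {}
    for line in text.splitlines():
        m = SHOW_FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def port_is_errdisabled(show_text):
    """True when port-security has put the port into Secure-shutdown."""
    return parse_show_port_security(show_text).get("Port Status", "").lower() == "secure-shutdown"


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUN_ALL).items():
        print(name)
        for f in findings:
            print("  -", f)
    print("sample port err-disabled:", port_is_errdisabled(SAMPLE_SHOW_PS))
```

On the sample, Gi1/0/1 (the shape of the failing port in the thread: both mechanisms on, bare "maximum 1", port-security left at its default shutdown mode while authentication says restrict) collects three findings, Gi1/0/3 (the shape of the working stack, with the per-VLAN maximums and matching violation modes) collects only the "both enabled" warning, and Gi1/0/2 (MAB only) is not flagged at all. Feed it the real "show run all" output of each stack to see where the two differ.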