port-security violation

curaasan
Level 1

Hello there,


I set up a Catalyst 2960X-48-TS-L stack of 8 members (don't know if this matters). IOS 15.2.(4)E7

I use MAC address authentication. Every access interface is configured like this:

interface GigabitEthernet1/0/1
switchport mode access
switchport port-security
authentication event no-response action authorize vlan 3000
authentication port-control auto
authentication violation restrict
mab
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 3

Every time I connect a device to a port it gets a port-security violation right away, e.g.:

Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000e.c6e1.2059:5
Security Violation Count : 41

When I disable port-security it works like charm...

Have no clue on this, any help appreciated...
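The status block above is the first thing to read when a port goes into Secure-shutdown. As an added example that is not part of the original thread, the following Python turns that `show port-security interface` text into a dictionary and summarises what it means for an operator: whether the port is err-disabled, how many violations were counted, and the fact that zero secure addresses were learned while violations were logged (i.e. the very first frame was rejected). The sample text is constructed from the values quoted in the post; the function names are my own.

```python
# Constructed sample, modelled on the 'show port-security interface' output
# quoted above (MAC address and counters are the thread's own values).
SAMPLE_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000e.c6e1.2059:5
Security Violation Count : 41
"""

# Fields that are plain integers in the output.
INT_FIELDS = (
    "Maximum MAC Addresses",
    "Total MAC Addresses",
    "Configured MAC Addresses",
    "Sticky MAC Addresses",
    "Security Violation Count",
)


def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict; numeric fields become ints."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()

    # The last offending source is reported as 'mac:vlan'; split it.
    last = fields.get("Last Source Address:Vlan", "")
    if ":" in last:
        mac, vlan = last.rsplit(":", 1)
        fields["Last Source MAC"] = mac
        fields["Last Source VLAN"] = int(vlan)

    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def triage(fields):
    """Summarise the parsed status for whoever has to clear the port."""
    status = fields.get("Port Status", "")
    violations = fields.get("Security Violation Count", 0)
    learned = fields.get("Total MAC Addresses", 0)
    err_disabled = status == "Secure-shutdown"
    return {
        # Secure-shutdown means the port is err-disabled and stays down until
        # it is bounced (shutdown / no shutdown) or errdisable recovery fires.
        "err_disabled": err_disabled,
        "violations": violations,
        # Violations with no secure address learned at all: the first frame
        # was already rejected, so the cause is configuration, not a flood
        # of extra hosts.
        "rejected_before_learning": learned == 0 and violations > 0,
        "last_mac": fields.get("Last Source MAC"),
        "last_vlan": fields.get("Last Source VLAN"),
    }


if __name__ == "__main__":
    summary = triage(parse_port_security(SAMPLE_OUTPUT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against pasted output from any port in the stack; a port whose summary shows `rejected_before_learning` is the pattern described in this post and points at the port-security/MAB configuration rather than at the attached device.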


12 Replies 12

Seb Rupik
VIP Alumni

Hi there,

Although it is possible to configure port-security and MAB, it is not recommended. Both provide Layer 2 security via different means, so you should only really use one.

Let me see if I can find the document...


cheers,

Seb.

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html#wp9000282

2.4.13.1 Port Security

In general, Cisco does not recommend enabling port security when MAB is also enabled. Since MAB enforces a single MAC address per port (or per VLAN when multidomain authentication is configured for IP telephony), port security is largely redundant and may in some cases interfere with the expected operation of MAB.

Thanks a lot for this information :-)

Although I have another stack of 2960X (IOS 15.0) and it works like a charm... Now I'm confused...

Seb is definitely right; I had to remove PS from all my user access switches when we rolled out ISE/NAC, as it kept re-authenticating every phone every few seconds.

What is the output for the following:


sh run all | beg <interface_name>

sh port-security interface <interface_name>


cheers,

Seb.

sh run all | begin (with no switchport port-security)

interface GigabitEthernet1/0/1
switchport access vlan 1
switchport access vlan 1
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block unicast
no switchport block multicast
switchport port-security maximum 65535 vlan voice
no switchport port-security mac-address sticky
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
carrier-delay 2
no shutdown
tx-ring-limit 0
tx-queue-limit 0
cdp tlv location
cdp tlv server-location
cdp tlv app
ipv6 mld snooping tcn flood
authentication control-direction both
authentication event no-response action authorize vlan 3000
authentication host-mode single-host
no authentication open
authentication linksec policy should-secure
authentication port-control auto
no authentication periodic
authentication timer reauthenticate 3600
authentication timer restart 60
authentication timer inactivity 0
authentication timer absolute 0
authentication timer method 0
authentication timer unauthorized 0
authentication timer inte template 0
authentication violation restrict
no authentication fallback
mab radius
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
mls qos cos 0
no onep application openflow exclusive
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast edge trunk
spanning-tree portfast edge
spanning-tree portfast network
spanning-tree bpduguard enable
spanning-tree port-priority 128
spanning-tree cost 0
channel-group auto
hold-queue 75 in
hold-queue 40 out
ip igmp snooping tcn flood
ip dhcp snooping limit rate 3
no ip dhcp snooping trust
no ip dhcp snooping information option allow-untrusted


I also noticed that in the new stack I have a part of the interface configuration which says only:

 switchport port-security maximum 65535 vlan voice

other stack working with mab and port-security has:

 switchport port-security maximum 1
switchport port-security maximum 65535 vlan
switchport port-security maximum 65535 vlan access
switchport port-security maximum 65535 vlan voice 


What is the show run all of the switchport with port-security and MAB working happily together?

interface GigabitEthernet1/0/1
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 1
switchport port-security maximum 65535 vlan
switchport port-security maximum 65535 vlan access
switchport port-security maximum 65535 vlan voice
switchport port-security
switchport port-security aging time 0
switchport port-security violation shutdown
switchport port-security aging type absolute
switchport port-security limit rate invalid-source-mac 10
no switchport port-security mac-address sticky
no switchport port-security aging static
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
authentication control-direction both
authentication event no-response action authorize vlan 3000
authentication host-mode single-host
no authentication open
authentication linksec policy should-secure
authentication port-control auto
no authentication periodic
authentication timer restart 60
authentication timer reauthenticate 3600
authentication timer inactivity 0
authentication violation restrict
no authentication fallback
ipv6 mld snooping tcn flood
mab radius
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
mls qos cos 0
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
cdp tlv location
cdp tlv server-location
cdp tlv app
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree port-priority 128
spanning-tree cost 0
hold-queue 75 in
hold-queue 0 out
ip igmp snooping tcn flood
ip dhcp snooping limit rate 3
no ip dhcp snooping trust
no ip dhcp snooping information option allow-untrusted
!

OK, I've learnt something. Those lines:

 switchport port-security maximum 65535 vlan
 switchport port-security maximum 65535 vlan access
 switchport port-security maximum 65535 vlan voice

...override the standard config to limit per port:

 switchport port-security maximum 1

...I can't seem to find any mention in the official configuration guides which explains the behavior, other than the example you have given. I'm sure if you removed the maximum xxx commands from the switchport, the MAB/port-security combo wouldn't work so well.


Out of interest what platform/ software version are you using?


cheers,

Seb.

Catalyst 2960X IOS 15.2.(4)E7

P.S

In your opinion - should I or should I not use mab & PS?

Don't mix them. It is not recommended and as you have found out, different platforms have quirks that produce unexpected results.


cheers,

Seb.
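The practical takeaway of the thread is twofold: port-security and MAB should not be combined on the same access port, and the one stack where they did coexist carried an explicit `switchport port-security maximum 1` alongside the per-VLAN `maximum 65535` lines, while the failing stack had only the per-VLAN line. As an added example, not code from the thread or from Cisco, the following Python audits a `show run all`-style configuration across all interfaces and reports both conditions, so a whole stack can be checked before ports start err-disabling. The three sample interfaces and the regular expression are constructed for this example; `GigabitEthernet1/0/1` mirrors the failing stack, `1/0/2` is MAB-only, and `1/0/3` mirrors the working stack.

```python
import re

# Constructed sample in 'show run all' style (not the thread's full output).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security maximum 65535 vlan voice
 switchport port-security
 authentication port-control auto
 authentication violation restrict
 mab
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 authentication violation restrict
 mab
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security maximum 1
 switchport port-security maximum 65535 vlan access
 switchport port-security maximum 65535 vlan voice
 switchport port-security
 authentication port-control auto
 mab radius
!
"""

# 'maximum N' (per port), 'maximum N vlan' (all VLANs) or 'maximum N vlan access|voice'.
MAX_RE = re.compile(r"^switchport port-security maximum (\d+)( vlan(?: (\S+))?)?$")


def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its stripped lines."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_interface(lines):
    """Return the port-security/MAB facts and findings for one interface."""
    has_ps = "switchport port-security" in lines
    # 'mab' in a short config, 'mab radius' in 'show run all'.
    has_mab = any(l == "mab" or l.startswith("mab ") for l in lines)
    per_port_max = None
    per_vlan_max = {}
    for line in lines:
        m = MAX_RE.match(line)
        if not m:
            continue
        count = int(m.group(1))
        if m.group(2) is None:
            per_port_max = count
        else:
            per_vlan_max[m.group(3) or "all"] = count

    findings = []
    if has_ps and has_mab:
        findings.append("port-security and MAB both enabled; Cisco advises using one or the other")
    if has_ps and per_vlan_max and per_port_max is None:
        findings.append("per-VLAN maximums present without an explicit per-port maximum")
    return {
        "port_security": has_ps,
        "mab": has_mab,
        "per_port_max": per_port_max,
        "per_vlan_max": per_vlan_max,
        "findings": findings,
    }


def audit(config):
    """Audit every interface stanza in the configuration text."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        for finding in result["findings"]:
            print(f"{name}: {finding}")
```

Feed it the output of `show run all` from each stack; interfaces with no findings are the MAB-only ports the thread ends up recommending, and the second finding singles out exactly the asymmetry between the two stacks that the original poster noticed.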
