cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
584
Views
5
Helpful
12
Replies
Beginner

port-security violation

Hello there,

 

I set up a Catalyst 2960X-48-TS-L stack of 8 members (don't know if this matters). IOS 15.2.(4)E7

I use MAC address authentication. Every access interface is configured like this:

interface GigabitEthernet1/0/1
switchport mode access
switchport port-security
authentication event no-response action authorize vlan 3000
authentication port-control auto
authentication violation restrict
mab
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 3

Every time I connect a device on a port it gets port-security volation, right away e.g.:

Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000e.c6e1.2059:5
Security Violation Count : 41

When I disable port-security it works like charm...

Have no clue on this, any help appriciated... 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advisor

Re: port-security violation

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html#wp9000282

2.4.13.1 Port Security

In general, Cisco does not recommend enabling port security when MAB is also enabled. Since MAB enforces a single MAC address per port (or per VLAN when multidomain authentication is configured for IP telephony), port security is largely redundant and may in some cases interfere with the expected operation of MAB.
12 REPLIES 12
VIP Advisor

Re: port-security violation

Hi there,

Although it is possible to configure port-security and MAB it is not recommend. Both provide Layer2 security via different means so you should only really use one.

Let me see if I can find the document...

 

cheers,

Seb.

VIP Advisor

Re: port-security violation

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html#wp9000282

2.4.13.1 Port Security

In general, Cisco does not recommend enabling port security when MAB is also enabled. Since MAB enforces a single MAC address per port (or per VLAN when multidomain authentication is configured for IP telephony), port security is largely redundant and may in some cases interfere with the expected operation of MAB.
Beginner

Re: port-security violation

Thanks a lot for this information :-)

Although, I have other stack of 2960X (IOS 15.0) and it works like a charm... Now I'm confused...

VIP Mentor

Re: port-security violation

Seb is definitely right i had to remove PS from all my user access switches when we rolled out ISE/NAC as it keep re-authenticating every phone every few seconds

VIP Advisor

Re: port-security violation

What is the output for the following:

 

sh run all | beg <interface_name>

sh port-security interface <interface_name>

 

cheers,

Seb.

Beginner

Re: port-security violation

sh run all | begin (with no switchport port-security)

interface GigabitEthernet1/0/1
switchport access vlan 1
switchport access vlan 1
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block unicast
no switchport block multicast
switchport port-security maximum 65535 vlan voice
no switchport port-security mac-address sticky
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
carrier-delay 2
no shutdown
tx-ring-limit 0
tx-queue-limit 0
cdp tlv location
cdp tlv server-location
cdp tlv app
ipv6 mld snooping tcn flood
authentication control-direction both
authentication event no-response action authorize vlan 3000
authentication host-mode single-host
no authentication open
authentication linksec policy should-secure
authentication port-control auto
no authentication periodic
authentication timer reauthenticate 3600
authentication timer restart 60
authentication timer inactivity 0
authentication timer absolute 0
authentication timer method 0
authentication timer unauthorized 0
authentication timer inte template 0
authentication violation restrict
no authentication fallback
mab radius
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
mls qos cos 0
no onep application openflow exclusive
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast edge trunk
spanning-tree portfast edge
spanning-tree portfast network
spanning-tree bpduguard enable
spanning-tree port-priority 128
spanning-tree cost 0
channel-group auto
hold-queue 75 in
hold-queue 40 out
ip igmp snooping tcn flood
ip dhcp snooping limit rate 3
no ip dhcp snooping trust
no ip dhcp snooping information option allow-untrusted

 

Beginner

Re: port-security violation

I also noticed that in the new stack i have a part of interface configuration which says only :

 switchport port-security maximum 65535 vlan voice

other stack working with mab and port-security has:

 switchport port-security maximum 1
switchport port-security maximum 65535 vlan
switchport port-security maximum 65535 vlan access
switchport port-security maximum 65535 vlan voice 

 

VIP Advisor

Re: port-security violation

What is the show run all of a the switchport with port-security and MAB working happily together?

Beginner

Re: port-security violation

interface GigabitEthernet1/0/1
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 1
switchport port-security maximum 65535 vlan
switchport port-security maximum 65535 vlan access
switchport port-security maximum 65535 vlan voice
switchport port-security
switchport port-security aging time 0
switchport port-security violation shutdown
switchport port-security aging type absolute
switchport port-security limit rate invalid-source-mac 10
no switchport port-security mac-address sticky
no switchport port-security aging static
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
load-interval 300
authentication control-direction both
authentication event no-response action authorize vlan 3000
authentication host-mode single-host
no authentication open
authentication linksec policy should-secure
authentication port-control auto
no authentication periodic
authentication timer restart 60
authentication timer reauthenticate 3600
authentication timer inactivity 0
authentication violation restrict
no authentication fallback
ipv6 mld snooping tcn flood
mab radius
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
mls qos cos 0
storm-control broadcast level pps 40 10
storm-control unicast level pps 42k 200
cdp tlv location
cdp tlv server-location
cdp tlv app
arp arpa
arp timeout 14400
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree port-priority 128
spanning-tree cost 0
hold-queue 75 in
hold-queue 0 out
ip igmp snooping tcn flood
ip dhcp snooping limit rate 3
no ip dhcp snooping trust
no ip dhcp snooping information option allow-untrusted
!
VIP Advisor

Re: port-security violation

OK, I've learnt something. Those lines:

 switchport port-security maximum 65535 vlan
 switchport port-security maximum 65535 vlan access
 switchport port-security maximum 65535 vlan voice

...override the standard config to limit per port:

 switchport port-security maximum 1

...I can't seem to find any mention in the official configuration guides which explains the behavior, other than the example you have given. I' sure if you removed the maximum xxx commands from the switchport, the MAB/ port-security combo wouldn't work so well.

 

Out of interest what platform/ software version are you using?

 

cheers,

Seb.

Beginner

Re: port-security violation

Catalyst 2960X IOS 15.2.(4)E7

P.S

In your opinion - should I or should I not use mab & PS?

Highlighted
VIP Advisor

Re: port-security violation

Don't mix them. It is not recommended and as you have found out, different platforms have quirks that produce unexpected results.

 

cheers,

Seb.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards