09-27-2012 05:48 AM - edited 03-07-2019 09:08 AM
Hi, I have a problem with the configuration of port-security. Sometimes some clients can't get an IP address from the DHCP server. I shut down the interface, clear the port-security MAC address and finally change the port of the client, but he can't get an IP address. After a moment the client can get the IP address. This problem is very strange. The configuration of my interfaces is:
interface GigabitEthernet1/0/15
switchport access vlan 2008
switchport mode access
switchport voice vlan 2108
switchport port-security maximum 10
switchport port-security
switchport port-security violation restrict
spanning-tree portfast
Thanks
09-27-2012 06:31 AM
Try turning port security off. Does the problem persist?
09-27-2012 03:20 PM
Yes, the problem is present even if I change the interface, and after some time the client can connect. I am not sure if the problem is related to the port-security configuration, but I can't turn port-security off.
Thanks.
09-27-2012 04:31 PM
Hi Adrian,
Try to capture traffic with Wireshark and see if the client is talking to DHCP or not.
thanks
09-28-2012 08:10 AM
Hi, the client is sending the DHCP Request. Now I went to the client's computer and see that the MAC address of this client is 0000.0000.0000; this is very strange to me. Does somebody know why this MAC address appears on the network card?
Thanks
09-28-2012 08:14 AM
Hi,
Could it be a bad NIC card?
Sent from Cisco Technical Support iPad App
09-28-2012 08:31 AM
Hi, thanks for the help. There is a special reason why this problem occurs with a network card.
09-28-2012 08:50 AM
Hi Adrian,
Also use the command
switchport port-security mac-address sticky
It will allow the MAC address to be learned dynamically. Hope this may solve your problem, but make sure the same port is not connecting more than 10 MAC addresses or systems, or else it will shut the port as per your configured port violation command.
09-28-2012 09:12 AM
Almost seems to be the same problem I talked about in https://supportforums.cisco.com/thread/2173847?tstart=0 actually.
In that case, I traced it down to the reply from the DHCP server not making it back, because the DHCP request broadcast from the client isn't upgrading the MAC address table.
And, apparently, after a good while, it works - something else must have updated the mac entry, or the dhcp client in desperation asked for the dhcp with the broadcast flag set :/
09-28-2012 09:57 AM
Okay -
In that case I guess the learnt MAC address is not getting cleared from the port, so do not configure the command "switchport port-security mac-address sticky".
Instead configure the commands:
! 5 min
switchport port-security aging time 5
! this will remove the MAC address after 5 min in case it's not active
switchport port-security aging type inactivity
This should show "aging type inactivity" after configuring the above commands; check with "show port-security interface gix/x".
By default, if you do "show port-security interface gix/x", the aging type may be "absolute", which means it will automatically age out the mac-id in the active case, but at the configured interval.
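An added example, not part of the thread: a Python check over "show port-security interface" output for the condition the reply above suspects, learned addresses never aging out on a port that has reached its maximum in restrict mode. The sample output is constructed, and the function names and finding labels are assumptions of this example.

```python
import re

# Constructed sample of `show port-security interface` output (not from the thread).
SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 10
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:2008
Security Violation Count   : 37
"""

def parse(text):
    """Split each 'Key : value' line on the first ' : ' separator."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def findings(text):
    """Return labels (hypothetical names) for conditions that block new clients."""
    f = parse(text)
    out = []
    if f.get("Port Security") != "Enabled":
        return out
    maximum = int(f["Maximum MAC Addresses"])
    total = int(f["Total MAC Addresses"])
    aging_min = int(re.match(r"\d+", f["Aging Time"]).group())
    violations = int(f["Security Violation Count"])
    if total >= maximum:
        out.append("table-full")        # no room left to learn a new MAC
    if aging_min == 0:
        out.append("aging-disabled")    # aging time 0: learned entries never expire
    elif f["Aging Type"].lower() == "absolute":
        out.append("aging-absolute")    # expires on a fixed timer, even if active
    if violations and f["Violation Mode"].lower() == "restrict":
        out.append("restrict-drops")    # frames from unknown MACs dropped and counted
    return out
```

A port reporting "table-full" together with "aging-disabled" keeps dropping frames from any newly attached device until entries are cleared or aging is configured.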
09-28-2012 03:15 PM
Thanks for the help. I will apply this configuration of port-security.