
Problem with port-security and DHCP

Hi, I have a problem with the configuration of port-security. Sometimes some clients can't get an IP address from the DHCP server. I shut down the interface, clear the port-security MAC address and finally change the port of the client, but it can't get an IP address. After a moment the client can get the IP address; this problem is very strange. The configuration of my interfaces is:

    interface GigabitEthernet1/0/15
     switchport access vlan 2008
     switchport mode access
     switchport voice vlan 2108
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation restrict
     spanning-tree portfast

Thanks


pompeychimes
Level 4

Try turning port security off. Does the problem persist?

Yes, the problem is present even if I change the interface, and after some time the client can connect. I am not sure if the problem is related to the port-security configuration, but I can't turn port-security off.

Thanks.

singhaam007
Level 3

Hi Adrian,

Try to capture traffic with Wireshark and see if the client is talking to DHCP or not.

thanks

Hi, the client is sending the DHCP Request. Now I go to the client's computer and see that the MAC address of this client is 0000.0000.0000; this is very strange to me. Does somebody know why this MAC address appears on the network card?

Thanks

Hi,

Could it be a bad NIC card?


Hi, thanks for the help. There is a special reason why this problem occurs with a network card.

Hi Adrian,

Also use the command

switchport port-security mac-address sticky

It will allow MAC addresses to be learned dynamically. Hope this may solve your problem, but make sure the same port is not connecting more than 10 MAC addresses or systems, or else it will shut the port as per your port violation command being configured.

iptrix
Level 1

Almost seems to be the same problem I talked about in https://supportforums.cisco.com/thread/2173847?tstart=0 actually. In that case, I traced it down to the reply from the DHCP server not making it back, because the DHCP request broadcast from the client isn't updating the MAC address table.

And, apparently, after a good while, it works - something else must have updated the mac entry, or the dhcp client in desperation asked for the dhcp with the broadcast flag set :/

Okay -

In that case I guess the learnt MAC address is not getting cleared from the port, so do not configure the command "switchport port-security mac-address sticky".

Instead configure the commands

switchport port-security aging time 5 =====> (5 min)

switchport port-security aging type inactivity ====> (this will remove the MAC address after 5 min in case it's not active)

This should show "aging type inactivity" after configuring the above commands; check with "show port-security interface gix/x".

By default, if you do "show port-security interface gix/x" then you will get an aging type that may be "absolute", which means it will automatically age out the MAC ID even in the active case, but at the configured interval.

Thanks for the help. I will apply this port-security configuration.
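
Added example, not part of the original thread: a small Python check that reads interface stanzas like the one in the first post and flags the sticky and aging settings discussed in the replies. The second interface in the sample, the function name and the finding labels are constructed for illustration, and the check assumes the IOS defaults of aging disabled when no aging time is set and aging type absolute.

```python
import re

# Constructed sample: first post's port plus a hypothetical port with aging set.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/15
 switchport access vlan 2008
 switchport mode access
 switchport voice vlan 2108
 switchport port-security maximum 10
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 switchport port-security
 switchport port-security aging time 5
 switchport port-security aging type inactivity
"""
PREFIX = "switchport port-security"

def audit_port_security(config_text):
    """Return {interface: [finding labels]} for ports with port security on."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = stanzas.setdefault(match.group(1), [])
        elif line == "!":
            current = None  # "!" closes the interface stanza
        elif current is not None and line.startswith(PREFIX):
            current.append(line[len(PREFIX):].strip())
    report = {}
    for name, opts in stanzas.items():
        if "" not in opts:  # the bare command is what enables the feature
            continue
        findings = []
        # Assumed IOS defaults: no aging time = aging off; aging type absolute.
        minutes = next((int(o.split()[2]) for o in opts if o.startswith("aging time ")), 0)
        if "mac-address sticky" in opts:
            findings.append("sticky")          # learned addresses are retained
        if minutes == 0:
            findings.append("aging-disabled")  # entries are never aged out
        elif "aging type inactivity" not in opts:
            findings.append("aging-absolute")  # removed on timer even if active
        report[name] = findings
    return report

print(audit_port_security(SAMPLE_CONFIG))
```

An empty list for a port means port security is enabled with inactivity aging and no sticky learning, which is the state the last reply recommends.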
