Switchport suddenly stops accepting traffic

pauljackson059
Level 1

Hi all, we have faced an issue with our Cisco Catalyst 3750 v2 switch. One of the switchports suddenly stopped accepting incoming traffic, causing loss of network connectivity for downstream access switches. Following is the output we captured during the issue.

Switch01#sh int Fa1/0/10 
FastEthernet1/0/10 is up, line protocol is up (connected)
MTU 1998 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set

30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 12000 bits/sec, 20 packets/sec

We then shut/unshut the port and the port began accepting incoming traffic again.

Switch01#sh int Fa1/0/10
FastEthernet1/0/10 is up, line protocol is up (connected)
MTU 1998 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 17/255
Encapsulation ARPA, loopback not set
30 second input rate 6746000 bits/sec, 989 packets/sec
30 second output rate 452000 bits/sec, 462 packets/sec

What could be the reason that this happened? In the logs, we don't see any spanning-tree or port-security logs that could have caused this. Following is the running-config of the interface.

interface FastEthernet1/0/10
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport voice vlan 20
switchport port-security maximum 3
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
load-interval 30
no snmp trap link-status
end

Any help would be appreciated. Thanks!

7 Replies

Iulian Vaideanu
Level 4

I don't think a switch can "refuse" to accept traffic - it can discard it, but if the interface is up and the other end is sending, the input counters should increment. What does the other switch show / log when the issue happens?

Hi Iulian,

I checked the other switch and there are no logs from when the issue happened.

Yes, I don't think that this switch refused to accept traffic. Although it looked like it went into some sort of a 'hung' state and was unable to process further traffic on the interface.

Any idea why this could have happened?

Thanks.

Paul.

Hi Paul,

This configuration looks to be connecting to an IP phone
switchport voice vlan 20

Maybe the phone has an issue with its internal switch, if one is fitted.

The interface was sending, not receiving, when you caught the stats
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 12000 bits/sec, 20 packets/sec

Regards
Alex

Regards, Alex. Please rate useful posts.

pwwiddicombe
Level 4

It looks like there are some unintentional carry-overs from an earlier configuration that you might want to remove.  Some of these apply only to access ports and have no impact on a trunk port; on the other hand you don't really WANT these here anyway.  I'd be curious about the impact of port-security on a trunk...

switchport port-security  (all of them)

switchport access vlan 10

switchport voice vlan 20

no logging event link-status

Hi,

Port security is allowed on trunk ports but you really need to read the config guide for the info.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swtrafc.html#wp1038501

Also noticed that 6500s only allow on trunk ports when set to nonegotiate.

Regards

Alex


Carlos Villagran
Cisco Employee

Hi Paul!

Firstly, the command no logging event link-status will not let you notice any status change in your interface. The issue you are experiencing occurs because violation restrict in your port-security configuration is being triggered since more than 3 mac-addresses are sending traffic to this port.

You do not see the interface as down since it is only dropping the packets and of course this behavior is overridden when resetting the port (shut/no shut).

You can verify this by using the show port-security interface [type of interface] x/x and look for the violation count line.

You can extend the maximum permitted mac-addresses in the trunk or completely remove the port-security configuration since this is an uplink of other access switches.

Hope it helps, best regards!

JC

Hi Carlos,

I checked the command that you suggested. Following is the output.

Switch01#show port-security interface fastEthernet 1/0/10
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0

I find it odd to see Port Security : Disabled and Port Status : Secure-down. The port is up right now. 

Thanks.

Paul.
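
An added example, not part of the thread: a small Python audit of the interface stanza and the show port-security output posted above. It relies on the fact that on Catalyst IOS the port-security sub-options only take effect once a bare "switchport port-security" line enables the feature, which is consistent with the "Port Security : Disabled" output; the function names and finding strings are this example's own.

```python
import re

# Interface stanza and (abridged) show output copied from the thread above.
RUNNING_CONFIG = """\
interface FastEthernet1/0/10
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport mode trunk
switchport voice vlan 20
switchport port-security maximum 3
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
load-interval 30
no snmp trap link-status
end
"""

SHOW_PORT_SECURITY = """\
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Restrict
Security Violation Count : 0
"""

def audit_interface(config):
    """Return findings for one interface stanza of a running-config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    trunk = "switchport mode trunk" in lines
    ps_opts = [l for l in lines if l.startswith("switchport port-security ")]
    if ps_opts and "switchport port-security" not in lines:
        findings.append("port-security options set but feature not enabled")
    if trunk:  # carry-overs the thread flags as access-port commands
        for l in lines:
            if re.match(r"switchport (access|voice) vlan \d+$", l):
                findings.append("access-port command on trunk: " + l)
    for l in lines:
        if l in ("no logging event link-status", "no snmp trap link-status"):
            findings.append("link-state visibility disabled: " + l)
    return findings

def parse_show(output):
    """Parse 'Key : Value' lines of show port-security interface output."""
    return dict((k.strip(), v.strip()) for k, v in
                (l.split(" : ", 1) for l in output.splitlines() if " : " in l))
```

Running audit_interface(RUNNING_CONFIG) returns five findings, and parse_show(SHOW_PORT_SECURITY) gives a dictionary whose "Port Security" value can be compared against the intent of the configuration.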
