Why isn't port-security inactivity timer dropping mac addresses for disconnected devices?

morningfalcon
Level 1

While implementing port-security on ports with an IP phone and computer, I've noticed that the inactivity timers do not seem to be updating. Because of this I'm unable to disconnect a computer from a phone and move it to another port without either disconnecting the phone completely or logging into the switch and manually clearing the mac address. Here's an example of the configuration on one such port:

interface GigabitEthernet1/0/1
 description Voice With Passthru (11)
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 10
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security
 no cdp enable
 spanning-tree portfast edge
 spanning-tree bpduguard enable

As an example, if I connect a phone and computer to the port and then run "show port-security address" I get the following:

               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0000.1111.2222    SecureDynamic                 Gi1/0/1      5 (I)
  11    aaaa.bbbb.cccc    SecureDynamic                 Gi1/0/1      5 (I)

This is expected. However, if I now disconnect the computer with mac address aaaa.bbbb.cccc and check back in ten minutes it still says the exact same thing, and if I try to plug the computer into another port on vlan 11 I start getting port-security violations:

000055: Jul 15 2021 17:53:29.623 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet1/0/31.
I was thinking that the IP phone might be interfering with how port-security works, so I decided to test everything again with an unmanaged switch instead. For this test I connected a small 5-port switch to another port with port-security timers set identical to the configuration outlined above. Next I connected two computers to the small switch and then disconnected them after they showed a connection. After five minutes I had similar results, the only difference being I ended up with two mac addresses on vlan 11:

               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  11    aaaa.bbbb.cccc    SecureDynamic                 Gi1/0/31     5 (I)
  11    dddd.eeee.ffff    SecureDynamic                 Gi1/0/31     5 (I)

From what I've been able to find online this is not the typical experience. Here are just a few of the pages I've checked:

Solved: port-security aging time - what is it good for? - Cisco Community  
Port-security aging time - Cisco Community  
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX - Configuring Port-Based Traffic Control [Cisco Catalyst 2960-X Series Switches] - Cisco 

I'm running this on a Catalyst c2960x switch running IOS XE 15. Does anyone have any idea why the mac addresses aren't timing out even though their corresponding devices have been removed from the network?


Thanks,
~Nick

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @morningfalcon ,

I think this is a SW bug. I agree that the switch should be able to age out disconnected devices after 5 minutes.
Hope to help

Giuseppe

6 Replies

Thanks for the feedback, Giuseppe. After reading this I was glad to find there was a software update available from Cisco. After moving from 15.2(7)E2 to 15.2(7)E4 the problem went away and mac addresses are timing out of the port-security address table as expected.

Take care,

~Nick

Can I see the output of
show port-security interface x

Here's the output for the port with the unmanaged switch while the two computers are connected:

c2060x#sh port-security interface g1/0/31
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 5 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : dddd.eeee.ffff:11
Security Violation Count   : 0

The output is the same five minutes after both devices have been disconnected. Have you seen similar behavior?

~Nick

I read somewhere that the aging time does not count when the port is down, so test by connecting any laptop or printer, generate no activity, and you will see it will be removed after 5 min.

Or use a new port: connect one PC, then remove it and connect another PC; you will see that the old PC will age out and be removed.

Check and reply later.
This was resolved with a software update ( 15.2(7)E2 --> 15.2(7)E4 ).

That said, when a port is down it removes all of the port security mac address info, unless the port is configured for sticky mac addresses. Normally, then, it wouldn't be a problem to move a device from one port to another because the port would go down and the mac info would be cleared, which would allow connection to another port without fear of triggering port-security errors. However, with an IP phone or unmanaged switch keeping the port up the mac info would stay on the port and port-security errors would trigger if a device was moved to another port on the switch.

Thank you again for thinking this over with me. I feel like it's been an issue for us for a while and was surprised that the software update actually fixed the issue.

~Nick
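The check described in this thread (take a snapshot of "show port-security address", unplug the host, wait longer than the configured inactivity time, take a second snapshot and see whether the entry is gone) can be scripted. The following Python is an added example, not code from the thread or from Cisco: it parses the table layout shown above, compares two snapshots, and reports entries for unplugged MACs that should have aged out but are still secured, which is the symptom the original poster hit. The snapshot text is constructed to reproduce that symptom; the "clear port-security dynamic address" syntax is the documented Catalyst IOS form, but confirm it on your own release before relying on the generated commands.

```python
"""Check whether port-security inactivity aging is actually counting down.

Added example for this thread, not Cisco code. Snapshot text below is
constructed to mirror the 'show port-security address' output in the post.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One data row of the table, e.g.
#   11    aaaa.bbbb.cccc    SecureDynamic                 Gi1/0/1      5 (I)
# The Remaining Age column is '<mins> (A|I)' for aging entries or '-' for none.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>Secure\w+)\s+"
    r"(?P<port>\S+)\s+"
    r"(?:(?P<age>\d+)\s*\((?P<agetype>[AI])\)|-)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SecureEntry:
    vlan: int
    mac: str
    kind: str
    port: str
    age: Optional[int]   # remaining minutes, None when the column is '-'
    inactivity: bool     # True for '(I)', i.e. inactivity aging


def parse_secure_table(text: str) -> dict:
    """Parse the table into {(port, mac): SecureEntry}; header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        age = int(m["age"]) if m["age"] is not None else None
        inactivity = m["agetype"] is not None and m["agetype"].upper() == "I"
        e = SecureEntry(int(m["vlan"]), m["mac"].lower(), m["type"], m["port"],
                        age, inactivity)
        entries[(e.port, e.mac)] = e
    return entries


def stuck_entries(before: str, after: str, unplugged: set, minutes_elapsed: int) -> list:
    """Entries for MACs in `unplugged` still secured in `after` although
    `minutes_elapsed` is at least their remaining inactivity age in `before`.

    On a healthy switch such an entry disappears once the timer expires (or
    at once if the link dropped). Surviving with an unchanged age is the
    timer-not-counting behaviour reported in the thread.
    """
    old, new = parse_secure_table(before), parse_secure_table(after)
    stuck = []
    for key, e in new.items():
        if e.mac not in unplugged or not e.inactivity:
            continue
        prev = old.get(key)
        if prev is not None and prev.age is not None and minutes_elapsed >= prev.age:
            stuck.append(e)
    return stuck


def clear_commands(entries) -> list:
    """Commands to drop the stale dynamic entries by hand before moving a host.
    Syntax per the Catalyst port-security command reference (assumed; verify)."""
    return [f"clear port-security dynamic address {e.mac}" for e in entries]


# Constructed snapshots: phone on VLAN 10 and PC on VLAN 11 secured on Gi1/0/1;
# the PC (aaaa.bbbb.cccc) is unplugged right after T0, link kept up by the phone.
HEADER = (
    "               Secure Mac Address Table\n"
    "-----------------------------------------------------------------------------\n"
    "Vlan    Mac Address       Type                          Ports   Remaining Age\n"
    "                                                                   (mins)\n"
    "----    -----------       ----                          -----   -------------\n"
)
PHONE = "  10    0000.1111.2222    SecureDynamic                 Gi1/0/1      5 (I)\n"
PC = "  11    aaaa.bbbb.cccc    SecureDynamic                 Gi1/0/1      5 (I)\n"

SNAPSHOT_T0 = HEADER + PHONE + PC
SNAPSHOT_T10_BUGGY = HEADER + PHONE + PC   # ten minutes later, nothing changed
SNAPSHOT_T10_HEALTHY = HEADER + PHONE      # PC entry aged out as expected

if __name__ == "__main__":
    bad = stuck_entries(SNAPSHOT_T0, SNAPSHOT_T10_BUGGY, {"aaaa.bbbb.cccc"}, 10)
    for cmd in clear_commands(bad):
        print(cmd)
    print("healthy:", stuck_entries(SNAPSHOT_T0, SNAPSHOT_T10_HEALTHY,
                                    {"aaaa.bbbb.cccc"}, 10))
```

Run it with the two snapshots pasted from the switch and the MACs you unplugged; an empty result after the aging interval means the timer is working, while any returned entry is one the switch should have dropped and that will trigger a violation if the host is moved to another port. Because the key is (port, MAC), an entry that legitimately reappears on a different port is not reported.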
