port-security not working as desired on 2950

Unanswered Question
Mar 19th, 2009

I have an environment without VoIP.

This is the reason why max MAC is 1 everywhere. Aging is not required because a user disconnection means a flush of the MAC.

I want some ports to have a static secure MAC address. If another user connects to this port, the port has to stay up but the packets should be dropped: restrict mode.

User ports have the following configuration:

 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 end

Special ports:

 switchport nonegotiate
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.bbbb.cccc

When I connect my PC, the test MAC appears in the static MAC table:

Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
All     0015.62a2.fcc0    STATIC    CPU
All     0100.0ccc.cccc    STATIC    CPU
All     0100.0ccc.cccd    STATIC    CPU
All     0100.0cdd.dddd    STATIC    CPU
50      aaaa.bbbb.cccc    STATIC    Fa0/3

When I disconnect, the last entry disappears

Very strange...

show port-security interface fas0/3

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0021.709f.59b4
Security Violation Count   : 350

>> the security violation count increments.

But when connected I'm still able to ping the SVI?! My laptop violates but is still able to ping; the packets are not dropped??

show logging

b4 on port FastEthernet0/3.
000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000049: *Mar 1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000050: *Mar 1 01:07:45.015 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

How can I prevent a device other than the configured MAC from being able to ping?

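The syslog lines in the post are the kind of evidence a detection rule can run over. The following is an added example (not code from the thread or from Cisco) that parses %PORT_SECURITY-2-PSECURE_VIOLATION messages in the 2950's syslog format, groups them per port and offending MAC, and flags a MAC that keeps hitting the same port at short intervals (a device left plugged in, or someone trying addresses) as opposed to a one-off mis-plug. The first four sample lines are the ones quoted above; the fifth and sixth are constructed to show a single-hit port and a non-matching message, and the thresholds in flag_persistent are assumptions to tune.

```python
"""Detection logic over Cisco IOS PORT_SECURITY syslog output (added example,
not code from the thread).  The first four sample lines are the poster's; the
last two are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# One IOS syslog line as the 2950 prints it.  The leading '*' on the timestamp
# means the switch clock is not authoritative (no NTP); IOS also omits the year,
# so only time deltas are used below.
VIOLATION_RE = re.compile(
    r"^(?P<seq>\d+): \*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d(?:\.\d+)?) (?P<tz>\S+): "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)

SAMPLE_LOG = """\
000047: *Mar  1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000048: *Mar  1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000049: *Mar  1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000050: *Mar  1 01:07:45.015 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000051: *Mar  1 01:09:02.120 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
000052: *Mar  1 01:09:03.000 CET: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
"""


def parse_timestamp(mon, day, time):
    """strptime fills in the placeholder year 1900; only differences matter."""
    fmt = "%b %d %H:%M:%S.%f" if "." in time else "%b %d %H:%M:%S"
    return datetime.strptime(f"{mon} {day} {time}", fmt)


def parse_violations(lines):
    """Return one dict per PSECURE_VIOLATION line; other messages are skipped."""
    events = []
    for line in lines:
        m = VIOLATION_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "seq": int(m["seq"]),
            "ts": parse_timestamp(m["mon"], m["day"], m["time"]),
            "mac": m["mac"].lower(),
            "port": m["port"],
        })
    return events


def summarize(events):
    """Group violations by (port, mac): count, first/last seen, largest gap."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["port"], ev["mac"])].append(ev["ts"])
    summary = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "max_gap": max(gaps) if gaps else 0.0,
        }
    return summary


def flag_persistent(summary, min_count=3, max_gap=10.0):
    """Assumed thresholds: at least min_count hits with no gap longer than
    max_gap seconds means the foreign device is still attached, not a mis-plug."""
    flagged = [
        (port, mac, info["count"])
        for (port, mac), info in summary.items()
        if info["count"] >= min_count and info["max_gap"] <= max_gap
    ]
    return sorted(flagged)


if __name__ == "__main__":
    summ = summarize(parse_violations(SAMPLE_LOG.splitlines()))
    for (port, mac), info in sorted(summ.items()):
        print(f"{port} {mac}: {info['count']} hits, max gap {info['max_gap']:.3f}s")
    print("persistent:", flag_persistent(summ))
```

On the sample, FastEthernet0/3 with 0021.709f.59b4 shows four hits about five seconds apart and is flagged; the single hit on FastEthernet0/7 is not. Because the 2950 here has no authoritative clock (the asterisk), correlate the sequence numbers rather than the timestamps if the switch reboots mid-incident.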
Davy Ad Thu, 03/19/2009 - 06:36

Hi Jan,

I think your special port doesn't have max MAC configured, and no, that is one of the reasons.

HTH

DAK

jandebruyn1976 Thu, 03/19/2009 - 06:41

Hi,

Yes I did.

It doesn't show up because it's the default.

See also the output:

Maximum MAC Addresses : 1

Davy Ad Thu, 03/19/2009 - 06:45

Could you please try to configure the aging? Maybe it has an effect on it.

I know you intentionally don't want to enable it.


jandebruyn1976 Thu, 03/19/2009 - 09:06

Problem solved:

The configuration was OK ;)

I added another switch and configured an SVI there, and then the result was satisfying:

ping -t from my laptop: Request time-out

If I remove the static secure MAC: reply

If I wanted to add the secure MAC again: Error, max MAC already reached

If I disconnected my laptop I was able to add the secure MAC again.

I had to ping a hop further.

Davy Ad Thu, 03/19/2009 - 09:33

Hello ,

Please, I would like to know what went wrong then.

Thanks

jandebruyn1976 Thu, 03/19/2009 - 09:49

My setup:

Laptop 10.0.0.1 --------- switch 10.0.0.2

ping -t 10.0.0.2
reply

Laptop 10.0.0.1 ---- switch 10.0.0.2 ------- switch 10.0.0.3

ping -t 10.0.0.3
time-out
time-out
time-out
time-out
time-out
...
time-out

When I removed the secure MAC from my port I received replies from 10.0.0.3.

I did a continuous ping.

Probably packets sourced from another MAC are dropped when leaving the switch?
