port-security not working as desired on 2950

Unanswered Question
Mar 19th, 2009

I've an environment without VoIP.

This is the reason why max MAC is 1 everywhere. Aging is not required because a user disconnection means a flush of the MAC.

I want some ports to have a static secure MAC address. If another user connects to this port, the port has to stay up but the packets should be dropped -> restricted mode.



User ports have the following configuration:

switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
end


Special ports:

switchport nonegotiate
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address aaaa.bbbb.cccc


When I connect my PC, the test MAC appears in the static MAC table:


Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
All     0015.62a2.fcc0    STATIC    CPU
All     0100.0ccc.cccc    STATIC    CPU
All     0100.0ccc.cccd    STATIC    CPU
All     0100.0cdd.dddd    STATIC    CPU
50      aaaa.bbbb.cccc    STATIC    Fa0/3


When I disconnect, the last entry disappears.

Very strange...


show port-security interface fas0/3

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address        : 0021.709f.59b4
Security Violation Count   : 350



>> security violation count increments.


But when connected I'm still able to ping the SVI. My laptop violates but is still able to ping -> packets are not dropped?


show logging


b4 on port FastEthernet0/3.

000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

000049: *Mar 1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.

000050: *Mar 1 01:07:45.015 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.



How can I prevent a device other than the configured MAC from being able to ping?
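An added example, not from this thread: a small Python parser for %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines in the format quoted above. It tallies violations per port next to the configured secure MAC and flags ports whose counter climbs, so a count like the 350 shown here is caught by log monitoring rather than noticed by hand in show port-security. The sample log lines and the port-to-secure-MAC map are constructed for the example.

```python
import re

# Constructed sample "show logging" output: two PSECURE_VIOLATION lines in the
# format quoted above, one for another port, and an unrelated message to skip.
SAMPLE_LOG = """\
000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000049: *Mar 1 01:08:10.120 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
000050: *Mar 1 01:08:15.001 CET: %SYS-5-CONFIG_I: Configured from console by console
"""

# Constructed port -> configured static secure MAC map (Fa0/3 as in the question).
SECURE_MACS = {"FastEthernet0/3": "aaaa.bbbb.cccc"}

VIOLATION_RE = re.compile(
    r"^(?P<seq>\d+): \*?(?P<ts>\w{3} +\d+ [\d:.]+) (?P<tz>\S+): "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\.$"
)

def parse_violations(text):
    """One dict (seq, ts, tz, mac, port) per PSECURE_VIOLATION line; other lines skipped."""
    return [m.groupdict() for m in map(VIOLATION_RE.match, text.splitlines()) if m]

def summarize(events, secure_macs):
    """Per port: violation count, offending MACs seen, and the configured secure MAC."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["port"], {"count": 0, "macs": set(),
                                            "expected": secure_macs.get(ev["port"])})
        s["count"] += 1
        s["macs"].add(ev["mac"])
    return summary

def ports_over_threshold(summary, threshold):
    """Ports whose counter reached the threshold, so a climbing count (350 in the
    question) raises an alert instead of being noticed only on 'show port-security'."""
    return sorted(p for p, s in summary.items() if s["count"] >= threshold)

if __name__ == "__main__":
    summary = summarize(parse_violations(SAMPLE_LOG), SECURE_MACS)
    for port, s in sorted(summary.items()):
        print(port, s["count"], sorted(s["macs"]), "expected:", s["expected"])
    print("alert:", ports_over_threshold(summary, 2))
```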

Davy Ad Thu, 03/19/2009 - 06:36

Hi Jan,

I think your special port doesn't have max MAC configured, and that is one of the reasons.



HTH

DAK

jandebruyn1976 Thu, 03/19/2009 - 06:41

Hi,

Yes I did.

It doesn't show up because it's the default.

See also the output:

Maximum MAC Addresses : 1

Davy Ad Thu, 03/19/2009 - 06:45

Could you please try to configure the aging? Maybe it has an effect on it.

I know you intentionally don't want to enable it.

jandebruyn1976 Thu, 03/19/2009 - 09:06

Problem solved:

Configuration was OK ;)

I added another switch and configured an SVI there, and then the result was satisfying:

ping -t from my laptop

Request time-out

If I remove the static secure MAC:

reply

If I wanted to add the secure MAC again:

Error, max MAC already reached

If I disconnected my laptop, I was able to add the secure MAC again.

I had to ping a hop further.


Davy Ad Thu, 03/19/2009 - 09:33

Hello ,

Please, I would like to know what went wrong then.

Thanks

jandebruyn1976 Thu, 03/19/2009 - 09:49

My setup:


Laptop---------switch 10.0.0.2

10.0.0.1

ping -t 10.0.0.2

reply


Laptop----switch 10.0.0.2-------switch 10.0.0.3

ping -t 10.0.0.3

time-out

time-out

time-out

time-out

time-out

...

time-out

When I removed the secure MAC from my port I received replies from 10.0.0.3.

I did a continuous ping.


Probably packets sourced from another MAC are dropped when leaving the switch?
