port security slow mac learning

gnijs · ‎07-16-2009

Hello,

We have come across something really bizar. When we enabled port security on a port, it slows down mac learning on that port to up to 3 seconds !

Switch is a C3750, v12.2(35)SE2

Port security disabled, macs cleared:

--> HTTP SYN in (flooded because mac unknown)

<-- HTTP SYN-ACK out : 10 msec delay

Port security enabled, macs cleared (!):

--> HTTP SYN in (flooded, because mac unknown)

<-- HTTP SYN-ACK out: 3 seconds delay !

It is especially visible on 'silent' devices where the mac address times out after the port security timeout (in our config 2 mins):

switchport port-security maximum 2

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

I have searched the bug toolkit but found nothing.

gnijs · ‎07-18-2009

Maybe mac learning can be slower with port-security turned on (ie for programming asic or whatever), however, the packet itself should not be delayed. This issue is giving us problems with SAP transactions timing out and being very slow. Will open TAC case for it. (i could increase the timeout value but that is giving us other problems, like when you move a pc , you have to wait time before connecting anyting else). Static programming of mac is the only "workaround".

gnijs · ‎08-12-2009

It appears that the switch is not "slow" in learning, it just drops the first packet when port security is enabled (nice cisco) and the 3 seconds is a retransmit timer on the end-device (if you're using tcp, if you are using udp,video,voice,mmm, bad luck, packet gone!). See CSCeg63177