We are using c3750 stacks in our access layer. We have configured the port-security feature: we only allow 2 MAC addresses per port.
The configuration looks like this:
switchport access vlan 110
switchport mode access
switchport port-security maximum 2
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security aging static
no logging event link-status
spanning-tree guard root
We have noted that when IP conflicts occur, port security shuts down the port causing the conflict.
I can't understand why. What is the relation between IP conflicts and restricting a port to 2 MAC addresses?
If I remove the commands related to port security, the port will not be shut down.
When there is an IP address conflict, the PC that generated the conflict will send out a gratuitous ARP with the other PC's mac-address, just like ARP poisoning, but the PC is doing it to correct a problem it generated. Run Wireshark on a PC and create an address conflict; you will see the GARP.
Why does it GARP? PC1 has an IP address of 188.8.131.52 and a mac-address of a.a.a.a; he is downloading, surfing the internet, etc. PC2 comes online with the IP address of 184.108.40.206 and a mac-address of b.b.b.b. PC2 then sends an ARP "Who has 220.127.116.11 tell 18.104.22.168 b.b.b.b". When that happens, your router's ARP table can be poisoned. Once PC1 replies with "I have 22.214.171.124", PC2 corrects any potential communication problems by sending out a GARP with PC1's IP and mac-address. Hence, port security gets triggered.
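As an added illustration (not code from this thread), here is a small Python model of the sequence described in the answer: constructed Ethernet/ARP frames are built inline and replayed through a simplified port-security learner that secures source MACs per port. The MAC-move rule (a MAC already secured on one port showing up on another secure port counts as a violation) is an assumption about the switch's behaviour; the MACs, port names and 192.0.2.x addresses are constructed sample values.

```python
import struct
from collections import defaultdict

MAXIMUM = 2  # "switchport port-security maximum 2" from the question

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def arp_frame(src_mac, opcode, spa, tpa, tha="00:00:00:00:00:00"):
    """Ethernet II + ARP frame (RFC 826); the ARP sender MAC is the frame source MAC."""
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + arp + mac(src_mac) + ip(spa) + mac(tha) + ip(tpa)

def is_gratuitous(frame):
    """Gratuitous ARP: sender and target protocol addresses are the same."""
    spa, tpa = frame[28:32], frame[38:42]
    return frame[12:14] == b"\x08\x06" and spa == tpa

def port_security(events, maximum=MAXIMUM):
    """Replay (port, frame) pairs through a port-security model (assumed rules).
    Returns (port, mac, reason) for the first violation, else None."""
    secure = defaultdict(set)  # port -> secured source MACs
    for port, frame in events:
        src = frame[6:12]
        if src in secure[port]:
            continue
        owner = next((p for p, macs in secure.items() if src in macs), None)
        if owner is not None:  # assumed MAC-move violation
            return port, src.hex(":"), f"MAC already secured on {owner}"
        if len(secure[port]) >= maximum:
            return port, src.hex(":"), "maximum exceeded"
        secure[port].add(src)
    return None

# Constructed scenario from the answer: PC1 (a.a.a.a) owns the address,
# PC2 (b.b.b.b) probes it, then "repairs" with a GARP carrying PC1's MAC.
PC1_MAC, PC2_MAC, ADDR = "0a:0a:0a:0a:0a:0a", "0b:0b:0b:0b:0b:0b", "192.0.2.10"
SCENARIO = [
    ("Gi1/0/1", arp_frame(PC1_MAC, 1, ADDR, "192.0.2.1")),  # PC1 ordinary ARP request
    ("Gi1/0/2", arp_frame(PC2_MAC, 1, ADDR, ADDR)),         # PC2 "Who has X tell X"
    ("Gi1/0/2", arp_frame(PC1_MAC, 2, ADDR, ADDR)),         # PC2 GARP with PC1's MAC
]

if __name__ == "__main__":
    print(port_security(SCENARIO))
```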