CatOS port security problem

Oct 21st, 2009
C6509-E, Sup32 PFC3B CatOS 8.4(5)

I have port security configured as follows:

set port security 1/35 enable age 5 maximum 2 shutdown 0 unicast-flood enable violation restrict timer-type inactivity

Yet when a violation occurs, the port shuts down.

%SECURITY-1-PORTSHUTDOWN:Port 1/35 shutdown due to security violation 00-1d-7d-13-92-63

Is there something I am missing here, or is this possibly a bug?

Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
1/35  enabled  restrict              0        5        2 disabled     144

Port  Flooding on Address Limit Last-Src-Addr     Vlan TimerType
----- ------------------------- ----------------- ---- ----------
1/35  Enabled                   00-1d-7d-13-92-63   11 Inactivity

Port  Num-Addr Secure-Src-Addr   Vlan Age-Left Shutdown/Time-Left
----- -------- ----------------- ---- -------- ------------------
1/35         0 -                 -    -        no -

Jagdeep Gambhir Wed, 10/21/2009 - 07:54
The reason for this problem is that if you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting the traffic from that station.

For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting the traffic from MAC-1.



jedavis Wed, 10/21/2009 - 13:33
JG, thanks for the reply. I think you may be right. I had read that caveat before but I really didn't give it much consideration. The only port-security messages I ever saw on this switch were the %SECURITY-1-PORTSHUTDOWN messages. I never saw a message that a security violation was detected and that a host had been restricted, so I thought that port security was malfunctioning.

I think I discovered why though. The message relating to violations resulting in restrictions is SECURITY-5-RESTRICTADDRESS, and the default logging level for security related messages is 2. I have just changed the default to 5 because I want to receive these messages.

I think I would prefer to have the switch just remove the MAC from the original port and add it to the new port. However, I can't find any way to alter this behavior, and I don't think it can be done. Can it?
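The behaviour Jagdeep describes, and the symptom jedavis reported (a port configured for "violation restrict" that nevertheless logs %SECURITY-1-PORTSHUTDOWN), as an added worked example. This is illustration code written for this page, not CatOS code and not something either poster wrote. Assumptions: the `set port security` parser only understands the `maximum` and `violation` keywords used in the thread; the order of checks (a MAC that is already secure on another port is tested before the address limit, regardless of room left) is inferred from Jagdeep's explanation; the text of the %SECURITY-5-RESTRICTADDRESS message is a constructed placeholder, since only the PORTSHUTDOWN message is quoted on this page; the MAC addresses in the 2/1 and 2/2 scenario are made up.

```python
# Added example: a model of the CatOS port-security violation handling described
# in this thread, plus a syslog check for restrict-mode ports that shut down anyway.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Format of the PORTSHUTDOWN message quoted in the original question.
SHUTDOWN_RE = re.compile(
    r"%SECURITY-1-PORTSHUTDOWN:Port (\S+) shutdown due to security violation (\S+)")


@dataclass
class PortConfig:
    maximum: int = 1             # CatOS default address limit
    violation: str = "shutdown"  # CatOS default violation mode


@dataclass
class Switch:
    config: Dict[str, PortConfig] = field(default_factory=dict)
    secure: Dict[str, Set[str]] = field(default_factory=dict)  # port -> secure MACs
    shut: Set[str] = field(default_factory=set)                 # ports shut down
    log: List[str] = field(default_factory=list)                # emitted syslog lines

    def configure(self, command: str) -> None:
        """Parse one 'set port security <port> enable ...' command (assumed subset)."""
        m = re.match(r"set port security (\S+) enable\b(.*)", command.strip())
        if not m:
            raise ValueError(f"unsupported command: {command}")
        port, rest = m.group(1), m.group(2)
        cfg = PortConfig()
        mx = re.search(r"\bmaximum (\d+)", rest)
        if mx:
            cfg.maximum = int(mx.group(1))
        vm = re.search(r"\bviolation (restrict|shutdown)\b", rest)
        if vm:
            cfg.violation = vm.group(1)
        self.config[port] = cfg
        self.secure.setdefault(port, set())

    def owner_of(self, mac: str) -> Optional[str]:
        """Port on which `mac` is already a secure address, if any."""
        for port, macs in self.secure.items():
            if mac in macs:
                return port
        return None

    def receive(self, port: str, mac: str) -> str:
        """Handle a frame from source `mac` arriving on `port`; return the action."""
        if port in self.shut:
            return "dropped"             # port is already shut down
        cfg, macs = self.config[port], self.secure[port]
        if mac in macs:
            return "forward"             # already secure on this port
        if self.owner_of(mac) is not None:
            # The caveat from the thread: a MAC that is secure on another port
            # shuts this port down even when it is configured for restrict.
            # (Checked before the address limit: an assumption, see lead-in.)
            self.shut.add(port)
            self.log.append(f"%SECURITY-1-PORTSHUTDOWN:Port {port} shutdown "
                            f"due to security violation {mac}")
            return "shutdown"
        if len(macs) < cfg.maximum:
            macs.add(mac)                # room left: learn it as a secure address
            return "learned"
        if cfg.violation == "restrict":
            # Constructed message text (assumption); only its existence is on the page.
            self.log.append(f"%SECURITY-5-RESTRICTADDRESS:Port {port} "
                            f"restricted address {mac}")
            return "restrict"
        self.shut.add(port)
        self.log.append(f"%SECURITY-1-PORTSHUTDOWN:Port {port} shutdown "
                        f"due to security violation {mac}")
        return "shutdown"


def unexpected_shutdowns(commands: List[str], syslog: List[str]) -> Dict[str, str]:
    """Ports configured 'violation restrict' that still logged PORTSHUTDOWN,
    mapped to the offending MAC: the mismatch the original poster saw."""
    sw = Switch()
    for c in commands:
        sw.configure(c)
    hits: Dict[str, str] = {}
    for line in syslog:
        m = SHUTDOWN_RE.search(line)
        if m and sw.config.get(m.group(1), PortConfig()).violation == "restrict":
            hits[m.group(1)] = m.group(2)
    return hits


# The config line and syslog message quoted in the original question.
OP_CONFIG = ("set port security 1/35 enable age 5 maximum 2 shutdown 0 "
             "unicast-flood enable violation restrict timer-type inactivity")
OP_SYSLOG = ("%SECURITY-1-PORTSHUTDOWN:Port 1/35 shutdown due to security "
             "violation 00-1d-7d-13-92-63")


def replay_jagdeep_example() -> List[str]:
    """Jagdeep's scenario: MAC-1 secure on 2/1, MAC-2 on 2/2, then MAC-1 on 2/2."""
    sw = Switch()
    sw.configure("set port security 2/1 enable maximum 1 violation restrict")
    sw.configure("set port security 2/2 enable maximum 1 violation restrict")
    mac1, mac2 = "00-00-00-00-00-01", "00-00-00-00-00-02"   # constructed MACs
    return [sw.receive("2/1", mac1), sw.receive("2/2", mac2), sw.receive("2/2", mac1)]


if __name__ == "__main__":
    print(replay_jagdeep_example())                     # ['learned', 'learned', 'shutdown']
    print(unexpected_shutdowns([OP_CONFIG], [OP_SYSLOG]))  # {'1/35': '00-1d-7d-13-92-63'}
```

Running `unexpected_shutdowns` over a switch's port-security config and its syslog is a quick way to spot ports that were shut down by the duplicate-secure-MAC rule rather than by their configured violation mode; as jedavis notes, the RESTRICTADDRESS messages themselves only appear once the security logging level is raised to 5.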


