Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
533
Views
4
Helpful
2
Replies

CatOS port security problem

jedavis
Level 4
Level 4

‎10-21-2009 07:36 AM - edited ‎03-06-2019 08:14 AM

C6509-E, Sup32 PFC3B CatOS 8.4(5)

I have port security configured as follows:

set port security 1/35 enable age 5 maximum 2 shutdown 0 unicast-flood enable violation restrict timer-type inactivity

Yet when a violation occurs, the port shuts down.

%SECURITY-1-PORTSHUTDOWN:Port 1/35 shutdown due to security violation 00-1d-7d-13-92-63

Is there something I am missing here, or is this possibly a bug?

Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex

----- -------- --------- ------------- -------- -------- -------- -------

1/35 enabled restrict 0 5 2 disabled 144

Port Flooding on Address Limit Last-Src-Addr Vlan TimerType

----- ------------------------- ----------------- ---- ----------

1/35 Enabled 00-1d-7d-13-92-63 11 Inactivity

Port Num-Addr Secure-Src-Addr Vlan Age-Left Shutdown/Time-Left

----- -------- ----------------- ---- -------- ------------------

1/35 0 - - - no -

Labels:
0 Helpful
2 Replies 2

Jagdeep Gambhir
Level 10
Level 10

‎10-21-2009 07:54 AM

Hi,

The reason for this problem is, if you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of

restricting the traffic from that station.

For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting

the traffic from MAC-1.

Regards,

~JG

Do rate helpful posts

jedavis
Level 4
Level 4
In response to Jagdeep Gambhir

‎10-21-2009 01:33 PM

JG, thanks for the reply. I think you may be right. I had read that caveat before but I really didn't give it much consideration. The only port security enabled messages I ever saw on this switch were the %SECURITY-1-PORTSHUTDOWN messages. I never saw a message that a security violation was detected and that a host had been restricted, so I thought that port security was malfunctioning.

I think I discovered why though. The message relating to violations resulting in restrictions is SECURITY-5-RESTRICTADDRESS, and the default logging level for security related messages is 2. I have just changed the default to 5 because I want to receive these messages.

I think I would prefer to have the switch just remove the MAC from the original port and add it to the new port. However, I can't find any way to alter this behavior, and I don't think it can be done. Can it?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card