10-21-2009 07:36 AM - edited 03-06-2019 08:14 AM
C6509-E, Sup32 PFC3B CatOS 8.4(5)
I have port security configured as follows:
set port security 1/35 enable age 5 maximum 2 shutdown 0 unicast-flood enable violation restrict timer-type inactivity
Yet when a violation occurs, the port shuts down.
%SECURITY-1-PORTSHUTDOWN:Port 1/35 shutdown due to security violation 00-1d-7d-13-92-63
Is there something I am missing here, or is this possibly a bug?
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
1/35  enabled  restrict  0             5        2        disabled 144
Port  Flooding on Address Limit Last-Src-Addr     Vlan TimerType
----- ------------------------- ----------------- ---- ----------
1/35  Enabled                   00-1d-7d-13-92-63 11   Inactivity
Port  Num-Addr Secure-Src-Addr   Vlan Age-Left Shutdown/Time-Left
----- -------- ----------------- ---- -------- ------------------
1/35  0        -                 -    -        no -
10-21-2009 07:54 AM
Hi,
The reason for this problem is, if you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting the traffic from that station.
For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting the traffic from MAC-1.
Regards,
~JG
Do rate helpful posts
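A small model of the behaviour JG describes, added here as an example rather than Cisco code: the Switch class, the port names and the ingress / would_be_logged helpers are hypothetical, but the violation rules and the two syslog mnemonics (SECURITY-1-PORTSHUTDOWN, SECURITY-5-RESTRICTADDRESS) are the ones the thread mentions. It also checks which of those messages survive the logging level discussed later in the thread.

```python
# Model of CatOS port security as described in the thread (constructed example).
# Caveat modelled: a "restrict" port still shuts down when the offending MAC is
# already a secure address on ANOTHER port of the same switch.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_addr: int
    violation: str                      # "restrict" or "shutdown"
    secure: set = field(default_factory=set)
    state: str = "up"                   # "up" or "shutdown"


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, name, max_addr=1, violation="restrict"):
        self.ports[name] = SecurePort(name, max_addr, violation)

    def owner_of(self, mac):
        """Port that already holds MAC as a secure address, or None."""
        for p in self.ports.values():
            if mac in p.secure:
                return p.name
        return None

    def ingress(self, port_name, mac):
        """Frame from MAC arrives on port_name -> (action, syslog mnemonic or None)."""
        port = self.ports[port_name]
        if port.state == "shutdown":
            return "dropped", None
        if mac in port.secure:
            return "forward", None
        owner = self.owner_of(mac)
        if owner is None and len(port.secure) < port.max_addr:
            port.secure.add(mac)        # learned as a new secure address
            return "learned", None
        # Violation: the port is full or the MAC is secured on another port.
        if port.violation == "restrict" and owner is None:
            return "restrict", "SECURITY-5-RESTRICTADDRESS"
        port.state = "shutdown"         # restrict mode + MAC owned elsewhere
        return "shutdown", "SECURITY-1-PORTSHUTDOWN"


def would_be_logged(mnemonic, logging_level):
    """Syslog: a message is emitted only if its severity <= configured level."""
    severity = int(mnemonic.split("-")[1])
    return severity <= logging_level
```

At the default level 2 only the severity-1 shutdown message is emitted, which is why the restrict events never appeared in the log.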
10-21-2009 01:33 PM
JG, thanks for the reply. I think you may be right. I had read that caveat before but I really didn't give it much consideration. The only port security enabled messages I ever saw on this switch were the %SECURITY-1-PORTSHUTDOWN messages. I never saw a message that a security violation was detected and that a host had been restricted, so I thought that port security was malfunctioning.
I think I discovered why though. The message relating to violations resulting in restrictions is SECURITY-5-RESTRICTADDRESS, and the default logging level for security related messages is 2. I have just changed the default to 5 because I want to receive these messages.
I think I would prefer to have the switch just remove the MAC from the original port and add it to the new port. However, I can't find any way to alter this behavior, and I don't think it can be done. Can it?