Issue: If we configure Port Security with a "dynamic" secure MAC address, an attached host cannot gain access to the network.
Observation: If we configure Port Security with a "static" secure MAC address (not what we want), access is gained.
Unrestricted network access with:
    switchport access vlan 100
    switchport mode access
    no cdp enable
    spanning-tree guard root
    ip dhcp snooping limit rate 15
Application of these commands on Fa0/7:
    switchport port-security violation restrict
... results in a loss of connectivity for the host.
Output "following application of" dynamic secure MAC address configuration:
- show mac address-table dynamic: No longer shows the host MAC address (even after Ping from host).
- show interface fa0/7 status: Connected.
- show interface status err-disabled: None
- show port-security interface fa0/7: Secure-up, Total MAC Addresses: 0 (even after Ping from host), Security Violation Count: 0
- show port-security address: Host MAC address not listed.
The following do not resolve the issue:
- Cycling status of the interface (shutdown, no shutdown).
- Disconnecting and reconnecting the station cable.
- Cycling power on the host.
Anyone observe this behaviour on this platform and/or find a resolution?
I finally found some time to return to this issue. I was able to replicate your results on three Catalyst 3550 switches with the same IOS. I subsequently replaced the IOS image on them with c3550-ipservicesk9-mz.122-44.SE6.bin and although I did not perform thorough testing, it is clear to me that Port Security now operates as expected. Therefore I believe my original suspicion that the installed IOS version was either incorrect or buggy is confirmed.