"Dynamic" Port Security Issue on c3550-48.

michael.leblanc
Level 4

Issue: If we configure Port Security with a "dynamic" secure MAC address, an attached host can not gain access to the network.

Observation: If we configure Port Security with a "static" secure MAC address (not what we want), access is gained.

c3550-ipservicesk9-mz.122-52.SE.

Unrestricted network access with:

interface FastEthernet0/7
switchport access vlan 100
switchport mode access
switchport nonegotiate
no keepalive
no cdp enable
spanning-tree guard root
ip dhcp snooping limit rate 15


Application of these commands on Fa0/7:

switchport port-security
switchport port-security violation restrict

... results in a loss of connectivity for the host.


Output "following application of" dynamic secure MAC address configuration:

- show mac address-table dynamic: no longer shows the host MAC address (even after a ping from the host).
- show interface fa0/7 status: Connected.
- show interface status err-disabled: none.
- show port-security interface fa0/7: Secure-up, Total MAC Addresses: 0 (even after a ping from the host), Security Violation Count: 0.
- show port-security address: host MAC address not listed.


The following do not resolve the issue:
- Cycling status of the interface (shutdown, no shutdown).
- Disconnecting and reconnecting the station cable.
- Cycling power on the host.

Anyone observe this behaviour on this platform and/or find a resolution?

Best Regards,

Mike


Calin C.
Level 5

If you modify the aging time on that port to 1 or 2 minutes:

switchport port-security aging time 2

Does it recover?

What if you issue the:

no switchport port-security violation restrict

and let only the:

switchport port-security

there, does it work?

Also in this mode (with the default violation mode, shutdown), run the show commands and see if it's learning the MAC address.

Calin

Calin:

Thank you for your interest in this issue.

We've amended the violation mode to the default (shutdown), but the output from "show port-security int fa0/7" continues to indicate Total MAC Addresses: 0

Likewise, the MAC address is not observed in output from "show port-security address" or "show mac address-table".

There is no indication that the address has been learned. There is also no indication of any violations to recover from.

The change in aging time did not bring about any change in behavior.

As soon as we configure a static MAC address (e.g.: switchport port-security mac-address aaaa.bbbb.cccc vlan access), network access is gained. This behavior has been re-verified.

Best Regards,

Mike

This issue made me curious, so I set up a C3550 with c3550-ipservicesk9-mz.122-25.SEE4 and tested on one port:

interface FastEthernet0/33
switchport mode access
switchport port-security
switchport port-security violation protect
end

sw3-c3550(config-if)#do sh port-security int fa0/33

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0014.6a4d.2320:1
Security Violation Count   : 0

Everything seems to be fine. How is your port configured? Can you paste a show run int fax/y output here?
And one other thing: if you take out the port-security feature completely and type show mac-address int fax/y, how many MAC addresses do you see there? I'm thinking that maybe you get more MAC addresses, and when you enable port-security the Maximum MAC Addresses is limited to 1 and it does not know which one to pick.
Calin

Calin:

Thank you for your ongoing interest and investigation. The following output is provided per your request.

dist-01#sh run int fa0/7

interface FastEthernet0/7
description
switchport access vlan
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security violation restrict
no keepalive
no cdp enable
spanning-tree guard root
ip dhcp snooping limit rate 15


dist-01#sh port-security int fa0/7

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0


With port-security, and after Ping to SVI:

dist01#sh mac address-table int fa0/7

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----


Without port-security, and after Ping to SVI:

dist01#sh mac address-table int fa0/7

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
        aaaa.bbbb.cccc    DYNAMIC     Fa0/7

Total Mac Addresses for this criterion: 1


Only one ingress source MAC address observed on Fa0/7. We've never observed a port-security violation on the interface.

Best Regards,
Mike

For what it's worth, I am using the same IOS on a WS-C3550-24-PWR and also having problems with Port Security. I have been unable to get Port Security to register a violation and the port is never placed in the err-disabled state. Here is what I have done...

I configured my switchport as follows:

!
interface FastEthernet0/23
switchport access vlan 5
switchport mode access
switchport port-security
switchport port-security mac-address 18a9.0597.7d55 vlan access
end

I connected a laptop with MAC address 18a9.0597.7d55 to the switch port. The laptop obtained its IP configuration dynamically and I pinged several switches and routers in the topology.

I confirmed the MAC address had been learned in the CAM with a show mac address-table interface FastEthernet0/23 command.

Then I disconnected the first laptop and connected another one, which should have triggered a Port Security violation. The second laptop could not obtain its IP configuration from DHCP and even after I applied a static configuration I could not ping any hosts. Windows Vista responded with a "Destination Unreachable" error message.

This is not surprising since the MAC address from the first laptop remained in the CAM and did not age out. However, when I used the show port-security interface FastEthernet0/23 command, I saw the following...

Port Status                : Secure-up
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

show interfaces status err-disabled returned nothing.

I then reconnected the first laptop to the switch port and it operated flawlessly, proving that the port remained up.

This is not the expected behavior for Port Security. I tried working around this problem using different ports and different computers but I was never able to trigger a Port Security violation. I have never been able to force any other values for the three status fields above.

If there is a known flaw in this IOS on the Catalyst 3550 I would like to know about that.

Thank you,

Kevin

Kevin:

Perhaps we can assist one another. We have verified your results with similar testing here.


Host-A connected to fa0/7

We added a static secure MAC address (for Host-A) to the port-security configuration of fa0/7, and then issued the "sh port-security interface fa0/7" command:

dist01#sh port-security interface fa0/7

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

We verified the presence of Host-A's MAC address on port fa0/7 by issuing the "sh mac address-table dynamic" command.

We successfully pinged the SVI from Host-A. Output of "sh port-security interface fa0/7" continued to indicate "Last Source Address:Vlan: 0000.0000.0000:0". Perhaps this field is intended for Dynamic Port Security only.

Host-A disconnected from fa0/7

dist01#sh port-security interface fa0/7
Port Status                : Secure-down
Last Source Address:Vlan   : 0000.0000.0000:0

When Host-A was disconnected from fa0/7, the port status changed to "Secure-down", and Host-A's MAC address was removed from the MAC address table (verified with "sh mac address-table dynamic" command).

Host-B connected to fa0/7

When Host-B was connected to fa0/7, the port status changed to "Secure-up", and the Security Violation Count remained at "0". However, Host-B (configured with a static IP) was unable to obtain a ping reply from the SVI.

dist01#sh port-security interface fa0/7
Port Status                : Secure-up
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

We issued the "sh int status err-disabled" command, and there were still no interfaces in an err-disable state.

We verified the presence of "Host-A's" MAC address on port fa0/7 by issuing the "sh mac address-table dynamic" command. The "configured" static secure MAC address is still that of Host-A, and not Host-B.

To eliminate other contributing factors, we amended the static secure MAC address on fa0/7 to that of Host-B. Host-B was then able to ping the SVI successfully.


During our test, we did not observe any indication of a Security Violation, or any interface being placed in an err-disable state. This was contrary to our expectations as well.

...

Our Issue

We have not been successful with Dynamic Port Security on this platform (c3550), with the specified IOS (c3550-ipservicesk9-mz.122-52.SE).

An attached host has not been able to access the network without specifying a "static" secure MAC address.

Are you able to confirm this behaviour on your device?

Best Regards,

Mike
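The two tests run in this thread (Mike's dynamic-learning check on fa0/7 and the Host-A/Host-B swap that Kevin and Mike both performed on a statically secured port) reduce to reading a handful of fields out of "show port-security interface". The script below is an added example, not code from the thread or from Cisco: it parses that output and flags both symptoms, a Secure-up port with dynamic learning that never learns a MAC, and a host swap that leaves the violation counter at 0. The sample blocks are constructed from the values the posters pasted; the "expected" snapshot (Secure-shutdown, violation count 1, a Host-B address of aaaa.bbbb.dddd in VLAN 100) is an assumption of what a working image should show, not output anyone posted.

```python
"""Health check for Catalyst 'show port-security interface' output.

Added example, not from the thread. Sample outputs are constructed from
values posted in the discussion; STATIC_AFTER_EXPECTED is an assumption.
"""
import re

# One "Key   : value" line. The key is matched non-greedily so that a key
# containing ':' (Last Source Address:Vlan) still splits at the padded colon.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s*:\s+(?P<val>\S.*?)\s*$")

# Constructed from Calin's working port (fa0/33, 12.2(25)SEE4).
WORKING_DYNAMIC = """
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0014.6a4d.2320:1
Security Violation Count   : 0
"""

# Constructed from Mike's broken port (fa0/7, 12.2(52)SE), host attached and pinging.
BROKEN_DYNAMIC = """
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Static secure MAC for Host-A, violation mode Shutdown (Mike's second test).
STATIC_BEFORE = """
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# After Host-B (a different MAC) is connected: what the thread observed ...
STATIC_AFTER_OBSERVED = STATIC_BEFORE

# ... and what a working image is assumed to show (constructed, not posted).
STATIC_AFTER_EXPECTED = """
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.dddd:100
Security Violation Count   : 1
"""


def parse_port_security(text):
    """Map each 'Key : value' line to a dict; lines that do not match are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def _count(fields, key):
    """Integer prefix of a counter field ('0 mins' -> 0, '1' -> 1)."""
    return int(fields.get(key, "0").split()[0])


def diagnose_dynamic(fields):
    """Findings for a port expected to learn its secure MAC dynamically.
    An empty list means nothing looks wrong."""
    if fields.get("Port Security") != "Enabled":
        return ["port-security is not enabled on this interface"]
    if fields.get("Port Status") != "Secure-up":
        return []  # nothing can be learned while the link is down
    if _count(fields, "Configured MAC Addresses") > 0:
        return []  # statically secured; dynamic learning is not in play
    findings = []
    if _count(fields, "Total MAC Addresses") == 0:
        findings.append("link is Secure-up but no secure MAC has been learned")
    last = fields.get("Last Source Address:Vlan", "0000.0000.0000:0")
    if last.split(":")[0] == "0000.0000.0000":
        findings.append("no source address has ever been recorded on the port")
    return findings


def violation_registered(before, after):
    """True if the snapshot taken after an unexpected MAC appeared shows that
    port-security acted: the violation counter moved, or, in Shutdown mode,
    the port went to Secure-shutdown. False reproduces the thread's symptom."""
    if _count(after, "Security Violation Count") > _count(before, "Security Violation Count"):
        return True
    return (after.get("Violation Mode") == "Shutdown"
            and after.get("Port Status") == "Secure-shutdown")


if __name__ == "__main__":
    for name, text in (("working", WORKING_DYNAMIC), ("broken", BROKEN_DYNAMIC)):
        print(name, diagnose_dynamic(parse_port_security(text)) or ["OK"])
    before = parse_port_security(STATIC_BEFORE)
    print("observed:", violation_registered(before, parse_port_security(STATIC_AFTER_OBSERVED)))
    print("expected:", violation_registered(before, parse_port_security(STATIC_AFTER_EXPECTED)))
```

Run against the thread's own numbers, the working port from Calin's switch produces no findings, Mike's fa0/7 produces both, and the Host-A/Host-B swap reports that no violation was registered. The same two functions can be pointed at output collected over SSH from a batch of access ports to find other interfaces where port-security is silently doing nothing.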

Michael,

I finally found some time to return to this issue. I was able to replicate your results on three Catalyst 3550 switches with the same IOS. I subsequently replaced the IOS image on them with c3550-ipservicesk9-mz.122-44.SE6.bin and although I did not perform thorough testing, it is clear to me that Port Security now operates as expected. Therefore I believe my original suspicion that the installed IOS version was either incorrect or buggy is confirmed.

Kevin

Kevin:

Thank you for investing your time on our issue. It is very much appreciated.

Best Regards,

Mike
