Port security with static mac addresses

Reza Nashvi · ‎09-05-2010

Hi all,

I'm running port security on a couple of 2950s and 3550s. When I check my mac-address-table there are some static mac addresses although I don't have any hard coded or sticky mac address setting. The problem is when those ports which are showing as static go to error disable I can't bring them back up. I tried to clear the mac table but there is no option for static mac addresses and it just deletes dynamic mac addresses, the only way I can get ride of them is to restart the switch which is a pain in production network. Does anyone know why this ports are showing as static and how to clear them. I'm not sure if I'm doing something stupid in my configuration. Here is a sample of my configuration for each port:

interface FastEthernet0/1
description 1A
switchport mode access
switchport port-security
switchport port-security maximum 2
spanning-tree portfast
spanning-tree bpduguard enable

And also an example of some static mac addresses:

   1    0004.290c.7680    DYNAMIC     Gi0/1
   1    000b.6a15.de79    DYNAMIC     Gi0/1
   1    000c.f15e.f687    DYNAMIC     Gi0/1
   1    0011.1162.c758    DYNAMIC     Gi0/1
   1    0011.11c9.835b    STATIC      Fa0/28
   1    0012.018c.f541    DYNAMIC     Gi0/1
   1    0012.d92e.3195    DYNAMIC     Gi0/1
   1    0012.d92e.3196    DYNAMIC     Gi0/1
   1    0012.d92e.3197    DYNAMIC     Gi0/1
   1    0013.21f3.d137    STATIC      Fa0/5
   1    0013.21fa.cc77    STATIC      Fa0/36
   1    0013.21fb.ac4b    DYNAMIC     Gi0/1
   1    0014.385c.c38e    DYNAMIC     Gi0/1
   1    0014.c2c4.451d    STATIC      Fa0/3
   1    0014.c2c8.f845    DYNAMIC     Gi0/1
   1    0015.608a.2ff0    DYNAMIC     Gi0/1
   1    0015.62dc.ac00    DYNAMIC     Gi0/1
   1    0015.62dc.ac31    DYNAMIC     Gi0/1
   1    0015.9948.263b    STATIC      Fa0/14
   1    0016.3561.581d    DYNAMIC     Gi0/1
   1    0016.35a4.f98d    DYNAMIC     Gi0/1
   1    0016.4154.1b53    STATIC      Fa0/2
   1    0016.d3af.2cd0    STATIC      Fa0/24
   1    0019.5644.d783    DYNAMIC     Gi0/1
   1    0019.5644.d7c0    DYNAMIC     Gi0/1
   1    001b.77b2.8bde    DYNAMIC     Gi0/1
   1    001b.7827.4b08    STATIC      Fa0/7

Thanks for your help.

Regards,

Reza

Jennifer Halim · ‎09-06-2010

Please share the output of "sh run interface fa0/28" and "sh run | i arp"

Reza Nashvi · ‎09-06-2010

Hi,

Here is the configuration:

Current configuration : 193 bytes
!
interface FastEthernet0/28
description 30A
switchport mode access
switchport port-security
switchport port-security maximum 2
spanning-tree portfast
spanning-tree bpduguard enable
end

and also there is no output for show runn | include arp as below:

NTC-ACCESS2#show running-config | i arp
NTC-ACCESS2#

Regards,

Reza

Jennifer Halim · ‎09-06-2010

With port security maximum 2, it will only allow 2 MAC addresses to be seen on that particular port.

When the port went into errdisable mode, instead of reloading the whole switch, you can do a shut/no shut on that particular port, and that would take it out of errdisable mode.

Reza Nashvi · ‎09-06-2010

unfotunately it doesn't. I've tried it many times. When the port shows as dynamic yes, I can run shut/no shut and it will be up but when it's static, as soon as I run "no shut" it goes to err-disable again and also the static mac address stays there for ever until I restart the switch.

Regards,

Reza

Jennifer Halim · ‎09-06-2010

Please use the "errdisable recovery" command to reenable the error discovery port.

Here is the URL for your reference:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml

Reza Nashvi · ‎09-06-2010

I have it activated as below but it just keeps trying to bring the port back up with no result.

NTC-ACCESS2#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
vmps                 Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
psecure-violation    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
unicast-flood        Enabled
loopback             Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

NTC-ACCESS2#

Regards,

Reza

Jennifer Halim · ‎09-06-2010

From the output of "show errdisable recovery", it doesn't seem to be any interfaces that are in errdisable states?

Reza Nashvi · ‎09-06-2010

No there is nothing at the moment because I restarted the switch this morning and also it happens only a couple of times every month. My question is why those mac addresses are showing as static? The port goes to error disable when people connect new devices to those ports. For example let's say there is a static MAC address on a port and the user connects another 2 device to that port, in this case port goes to errdiable despite there is only 2 mac addresses connected to it but because of that static mac address switch presumes that there are 3 MACs.

Best regards,

Reza