2960X Port Security issues

James Drake
Level 1

Hi all,

We have 8 stacks of 2960Xs, which we installed earlier this year.  For the past few months, we have been running into many issues with port security. It started with ports with IP phones. We originally used a port security max of 2 (one for phone and one for PC), but then found out that sometimes the phones use 2 MACs (one for data and one for voice), so we bumped them up to max of 3.

Now we are running into issues where the switches are logging violations and even going err-disabled on ports with only a PC. The switches, on some ports, show a max of 2 with 1 in use, and still log violations (only one device connects to the port and no virts). I have had to bump ports up as high as max 5 for it to stop logging violations for 1 PC with no virts on it. We also have a port that is a max of 5 and showing 2 in use, but still logs violations. I have also seen ports with nothing connected logging port-security violations.

It is not all of the stacks, but definitely our 5 heaviest used stacks.

Has anyone run into this? Is this a software bug? Any advice?

Thanks,

James

3 Replies

Have you run "#debug port-security" on any of the switches?

If you did, what's the output?

Sorry for the delayed response, but I wanted to wait until our next round of deployments.

This morning, I had a port with phone+desktop. Port security was set to 3 max, was showing 2 addresses for the port, but logging security violations and keeping the phone from registering.

Disconnected devices and started debug port-sec, but didn't get any output after connecting everything. However, this is the output from sh logging for that port this morning:

RVAPsw22#sh logg | i 3/0/10
Nov 20 09:23:33.372 EST: PSECURE: Install IP Phone 6cfa.8903.fc2c on interface GigabitEthernet3/0/10  on vlan 1022
Nov 20 09:23:33.372 EST: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 6cfa.8903.fc2c, swidb = Gi3/0/10, vlan = 1022, linktype = NullPak
Nov 20 09:23:33.375 EST: PSECURE: swidb = GigabitEthernet3/0/10 mac_addr = 6cfa.8903.fc2c vlanid = 1022
Nov 20 09:23:33.375 EST: PSECURE: Adding 6cfa.8903.fc2c as dynamic on port Gi3/0/10 for vlan 1022
Nov 20 09:23:33.374 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:23:39.484 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:23:51.486 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:24:07.498 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:24:28.308 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:24:33.734 EST: PSECURE: Install IP Phone 6cfa.8903.fc2c on interface GigabitEthernet3/0/10  on vlan 1022
Nov 20 09:24:33.734 EST: PSECURE: psecure_packet_enqueue: psecure receives a packet: addr = 6cfa.8903.fc2c, swidb = Gi3/0/10, vlan = 1022, linktype = NullPak
Nov 20 09:24:33.738 EST: PSECURE: swidb = GigabitEthernet3/0/10 mac_addr = 6cfa.8903.fc2c vlanid = 1022
Nov 20 09:24:33.738 EST: PSECURE: Adding 6cfa.8903.fc2c as dynamic on port Gi3/0/10 for vlan 1022
Nov 20 09:24:33.555 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)

Below is the output from 'sh auth sess' while the port was logging violations:

RVAPsw22#sh auth sess int gi3/0/10
            Interface:  GigabitEthernet3/0/10
          MAC Address:  0019.bb46.70cc
           IP Address:  x.x.x.14
            User-Name:  xxxxx
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A5F01160001E1CF9EC04C60
      Acct Session ID:  0x000295A0
               Handle:  0x210008AF

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

----------------------------------------
            Interface:  GigabitEthernet3/0/10
          MAC Address:  6cfa.8903.fc2c
           IP Address:  Unknown
            User-Name:  6C-FA-89-03-FC-2C
               Status:  Authz Success
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A5F01160001E1D09EC0562A
      Acct Session ID:  0x000295A1
               Handle:  0xF200084B

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

Below is the configuration for that port:

interface GigabitEthernet3/0/10
 switchport access vlan 22
 switchport mode access
 switchport voice vlan 1022
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip access-group ACL-ALLOW-ALL in
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan 22
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 no snmp trap link-status
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

I bumped port security max on that port up to 4 and was able to get the phone to register, but this is not the desired configuration. If anyone is able to look at the config and make any suggestion, I would much appreciate it!

Thanks,

James
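A small parser for syslog lines like the ones posted above, added here as an example and not code from the post or from Cisco: it pairs each PSECURE_VIOLATION with whether the same MAC was also logged as "Adding ... as dynamic" on that port, which separates the symptom in this thread (an address the switch just learned still tripping "restrict") from an ordinary unknown-MAC violation. The first four sample lines are copied from the excerpt above; the Gi3/0/11 line and its MAC 0011.2233.4455 are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first four lines are copied from the syslog excerpt in
# this thread; the Gi3/0/11 line and its MAC 0011.2233.4455 are made up to show
# the contrasting case of an address that was never learned on the port.
SAMPLE_LOG = """\
Nov 20 09:23:33.372 EST: PSECURE: Install IP Phone 6cfa.8903.fc2c on interface GigabitEthernet3/0/10  on vlan 1022
Nov 20 09:23:33.375 EST: PSECURE: Adding 6cfa.8903.fc2c as dynamic on port Gi3/0/10 for vlan 1022
Nov 20 09:23:33.374 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:23:39.484 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6cfa.8903.fc2c on port GigabitEthernet3/0/10. (RVAPsw22-3)
Nov 20 09:25:01.000 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet3/0/11. (RVAPsw22-3)
"""

# debug line: "PSECURE: Adding <mac> as dynamic on port <short-name> for vlan <n>"
LEARN_RE = re.compile(r"PSECURE: Adding ([0-9a-f.]{14}) as dynamic on port (\S+) for vlan (\d+)")
# syslog line: "%PORT_SECURITY-2-PSECURE_VIOLATION: ... MAC address <mac> on port <long-name>."
VIOL_RE = re.compile(r"PSECURE_VIOLATION: .*MAC address ([0-9a-f.]{14}) on port ([^.\s]+)\.")


def norm_port(name):
    """Map both spellings of an interface ('GigabitEthernet3/0/10', 'Gi3/0/10') to the short one."""
    return re.sub(r"^GigabitEthernet", "Gi", name)


def summarize(log_text):
    """Return {(port, mac): (violation_count, verdict)}; verdict is 'learned-then-violated'
    when the MAC was also installed as a dynamic secure address on that port (the symptom
    in this thread) and 'unknown-mac' when it never was (a normal port-security hit)."""
    learned = defaultdict(set)          # port -> MACs seen in "Adding ... as dynamic"
    violations = defaultdict(Counter)   # port -> Counter(mac -> number of violation lines)
    for line in log_text.splitlines():
        m = LEARN_RE.search(line)
        if m:
            learned[norm_port(m.group(2))].add(m.group(1))
            continue
        m = VIOL_RE.search(line)
        if m:
            violations[norm_port(m.group(2))][m.group(1)] += 1
    report = {}
    for port, per_mac in violations.items():
        for mac, count in per_mac.items():
            verdict = "learned-then-violated" if mac in learned[port] else "unknown-mac"
            report[(port, mac)] = (count, verdict)
    return report
```

Run `summarize(SAMPLE_LOG)` (or feed it `show logging` output captured with `debug port-security` enabled) and review any port whose verdict is "learned-then-violated" before raising its maximum.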

Hello James,

I wonder if you found a way to solve this issue?

I recently encountered the same problem here on a 2960X switch. Our port configuration is not as extensive as yours, but in regards to port security it seems the same:

SWITCH#sh run int Gi2/0/2
Building configuration...

Current configuration : 342 bytes
!
interface GigabitEthernet2/0/2
 description Userport.....
 switchport access vlan 61
 switchport mode access
 switchport port-security maximum 6
 switchport port-security violation restrict
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 ip dhcp snooping limit rate 10
end

I also wonder if this behaviour is related to the bug CSCuv29825?

Have a nice day!

phil

Edit: Also, may this behaviour be related to the fact that different switches were used in that stack (WS-C2960X-48FPD-L stacked with WS-C2960X-24PD-L)?
