Cisco Support Community

New Member

CatOS port security problem

C6509-E, Sup32 PFC3B CatOS 8.4(5)

I have port security configured as follows:

set port security 1/35 enable age 5 maximum 2 shutdown 0 unicast-flood enable violation restrict timer-type inactivity

Yet when a violation occurs, the port shuts down.

%SECURITY-1-PORTSHUTDOWN:Port 1/35 shutdown due to security violation 00-1d-7d-13-92-63

Is there something I am missing here, or is this possibly a bug?

Port   Security  Violation  Shutdown-Time  Age-Time  Max-Addr  Trap      IfIndex
-----  --------  ---------  -------------  --------  --------  --------  -------
1/35   enabled   restrict   0              5         2         disabled  144

Port   Flooding on Address Limit  Last-Src-Addr      Vlan  TimerType
-----  -------------------------  -----------------  ----  ----------
1/35   Enabled                    00-1d-7d-13-92-63  11    Inactivity

Port   Num-Addr  Secure-Src-Addr    Vlan  Age-Left  Shutdown/Time-Left
-----  --------  -----------------  ----  --------  ------------------
1/35   0         -                  -     -         no -

2 REPLIES

Re: CatOS port security problem

Hi,

The reason for this problem is, if you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting the traffic from that station.

For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting the traffic from MAC-1.

Regards,

~JG

Do rate helpful posts

New Member

Re: CatOS port security problem

JG, thanks for the reply. I think you may be right. I had read that caveat before but I really didn't give it much consideration. The only port security enabled messages I ever saw on this switch were the %SECURITY-1-PORTSHUTDOWN messages. I never saw a message that a security violation was detected and that a host had been restricted, so I thought that port security was malfunctioning.

I think I discovered why though. The message relating to violations resulting in restrictions is SECURITY-5-RESTRICTADDRESS, and the default logging level for security related messages is 2. I have just changed the default to 5 because I want to receive these messages.

I think I would prefer to have the switch just remove the MAC from the original port and add it to the new port. However, I can't find any way to alter this behavior, and I don't think it can be done. Can it?
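The two points raised in this thread (JG's caveat that a restrict-mode port shuts down when the offending MAC is already secured on another port, and the observation that SECURITY-5-RESTRICTADDRESS is only seen once the logging level is raised from the default of 2 to 5) can be checked with a small script. The following is an added example, not code from this thread or from Cisco: it models the decision JG describes on a made-up switch table (ports 2/1 and 2/2 follow JG's example, the MAC addresses and max-addr values are constructed), and it parses %SECURITY-n-MNEMONIC syslog lines to show which messages a collector would actually receive at a given logging level. The RESTRICTADDRESS message text is constructed; only the mnemonic and severity come from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the CatOS behaviour described in the reply above.
# This is not Cisco's implementation; the switch state is made up.


@dataclass
class PortSecurity:
    port: str
    violation: str                        # "restrict" or "shutdown"
    max_addr: int = 1                     # "set port security ... maximum N"
    secure_macs: set = field(default_factory=set)


# Hypothetical switch: MAC-1 secured on 2/1, MAC-2 on 2/2 (both restrict mode),
# 2/3 in shutdown mode with nothing learned yet.
MAC_1 = "00-00-00-00-00-01"
MAC_2 = "00-00-00-00-00-02"
SWITCH = {
    "2/1": PortSecurity("2/1", "restrict", 1, {MAC_1}),
    "2/2": PortSecurity("2/2", "restrict", 1, {MAC_2}),
    "2/3": PortSecurity("2/3", "shutdown", 1, set()),
}


def violation_action(switch, port, src_mac):
    """Action taken when src_mac is seen on port, per the caveat in the reply:
    a MAC that is already a secure address on another port shuts the port down
    even in restrict mode; otherwise the configured violation mode applies."""
    ps = switch[port]
    if src_mac in ps.secure_macs:
        return "allow"                    # already secure on this port: no violation
    if any(src_mac in other.secure_macs
           for name, other in switch.items() if name != port):
        return "shutdown"                 # the caveat: secured elsewhere => shutdown
    if len(ps.secure_macs) < ps.max_addr:
        return "learn"                    # room left: would be learned as secure
    return ps.violation                   # over the limit: "restrict" or "shutdown"


# Syslog side: %SECURITY-<severity>-<MNEMONIC>:<text>
SYSLOG_RE = re.compile(r"%SECURITY-(?P<sev>\d)-(?P<mnemonic>[A-Z]+):(?P<text>.*)")
PORT_RE = re.compile(r"\b(\d+/\d+)\b")
MAC_RE = re.compile(r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})", re.I)


def parse_security_msg(line):
    """Extract severity, mnemonic, port and MAC from a CatOS SECURITY message."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    port = PORT_RE.search(text)
    mac = MAC_RE.search(text)
    return {
        "severity": int(m.group("sev")),
        "mnemonic": m.group("mnemonic"),
        "port": port.group(1) if port else None,
        "mac": mac.group(1) if mac else None,
    }


def visible_at_logging_level(msg, level):
    """A message is logged only if its severity number is <= the configured
    level (0 is most severe). Severity-5 messages are dropped at the default of 2."""
    return msg["severity"] <= level


def triage(lines, level):
    """Return {mnemonic: count} for the SECURITY messages a collector would see."""
    seen = {}
    for line in lines:
        msg = parse_security_msg(line)
        if msg and visible_at_logging_level(msg, level):
            seen[msg["mnemonic"]] = seen.get(msg["mnemonic"], 0) + 1
    return seen


# Sample input: the PORTSHUTDOWN line is the one from the question; the
# RESTRICTADDRESS line is constructed for this example.
SAMPLE_LOG = [
    "%SECURITY-1-PORTSHUTDOWN:Port 1/35 shutdown due to security violation 00-1d-7d-13-92-63",
    "%SECURITY-5-RESTRICTADDRESS:Port 1/35 restricted address 00-00-00-00-00-09",
]

if __name__ == "__main__":
    print("MAC-1 on 2/2:", violation_action(SWITCH, "2/2", MAC_1))
    print("visible at level 2:", triage(SAMPLE_LOG, 2))
    print("visible at level 5:", triage(SAMPLE_LOG, 5))
```

Running it shows why the original poster only ever saw PORTSHUTDOWN: at logging level 2 the severity-5 restrict message never reaches the log, so the only evidence of port security working at all is the shutdown, which is exactly the case JG's caveat triggers.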
