New Member

MAC Address not captured on switch ports

In my environment we have 3750x switches running IOS 15.0 (1) SE2. We have port security mac address sticky configured on all our switch ports. I noticed that we have several interfaces (on different switches) that are up but have not captured the MAC address from the workstation. Here is one example:

interface GigabitEthernet2/0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
end

SWIITCH(config)#do show mac address-t int g2/0/11
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

SWITCH(config)#do show int g2/0/11
GigabitEthernet2/0/11 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 70ca.9bca.760b (bia 70ca.9bca.760b)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5454502
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 63000 bits/sec, 51 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     56272056 packets output, 9223565276 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

1 ACCEPTED SOLUTION

Bronze

Re: MAC Address not captured on switch ports

I've recently experienced the same issue on a 3750 stack. The switch was initially installed; however, the first 12 ports would not capture the MAC address of directly connected hosts. Rebooting the switch changed nothing.

Removing the "switchport port-security" command on the individual interfaces and then re-applying it solved the problem for me.

21 REPLIES
Silver

MAC Address not captured on switch ports

Hi Erik,

please can you also post output from this command?

show port-security interface g2/0/11

Best regards,

Jan

New Member

MAC Address not captured on switch ports

Jan, here is the output:

SWITCH#show port-security int g2/0/11
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.9b38.1ea9:1
Security Violation Count   : 0

VIP Super Bronze

Re: MAC Address not captured on switch ports

When a bridge receives a BPDU with the TC bit set from a neighbor, these occur:

It clears the MAC addresses learned on all its ports, except the one that receives the topology change.

It starts the TC While timer and sends BPDUs with TC set on all its designated ports and root port (RSTP no longer uses the specific TCN BPDU, unless a legacy bridge needs to be notified).

So, do a sh spann vlan xx detail and see if there are a lot of topology changes.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml

I also have seen some IP camera decoders that in order to see the MAC in the MAC table, you have to ping the device first.

HTH

New Member

Re: MAC Address not captured on switch ports

  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 63000 bits/sec, 51 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     56272056 packets output, 9223565276 bytes, 0 underruns

From that output I can see that there are no packets coming in to the interface, and many packets out of it. A switch will not learn a MAC address if it doesn't receive any packet from the host.

I'm curious on why it is not receiving any packets, I've seen this in a load-balancing configuration on the NICs (on servers for example, one NIC receives packets and the other NIC sends) but since this is a workstation I really doubt this is the cause.

So, the first question to ask is why the host is not sending any packets through this interface?

You may check NIC config, if you are using any sort of redundancy let us know.

Carlos

New Member

MAC Address not captured on switch ports

Carlos, I noticed that also, however since there are several ports behaving this way (on different switches) I checked the other ports and saw that input packets are detected. All of these ports have workstations (Windows 7) connected to them. I checked a few of the workstations and there are no network issues (just the MAC capture issue).

New Member

Re: MAC Address not captured on switch ports

I see, then it would be interesting to see the output of a debug arp command if it's supported by your switch, as always recommended, if you are going to issue that command be careful of not doing it when the switch already has a lot of work to do because it overloads the processor, and the debug arp comes with an option of debugging just one interface so I would start there.

New Member

Re: MAC Address not captured on switch ports

Erik, we see exactly the same problem on stacks of 3750X switches running IOS 15.0 (1) SE2 (ipbase image).  It appears to affect only ports on stack members 2 or higher; we've configured stack member 1 as master in all cases, but I don't know if this is relevant.  In all cases the affected ports are "secured" to a single computer, and are configured with "spanning-tree portfast".  Here is a typical case:

#sh ru int g 2/0/1
interface GigabitEthernet2/0/1
 switchport access vlan 502
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 speed auto 100
 spanning-tree portfast

#sh port-security int g 2/0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0021.86fa.95c4:502
Security Violation Count   : 0

#sh mac address-table int g 2/0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

These commands were run while the attached computer was happily answering "ping".  There doesn't appear to be anything at all wrong with the computer's network connectivity.

Something that may or may not be relevant:  With "debug port-security", logging shows many lines like this:

Mar 20 10:05:22.794: PSECURE: psecure_delete_address_not_ok: no port security subblock for Po48
Mar 20 10:05:23.817: PSECURE: psecure_delete_address_not_ok: no port security subblock for Po48
Mar 20 10:05:24.824: PSECURE: psecure_delete_address_not_ok: no port security subblock for Po48
Mar 20 10:05:24.824: PSECURE: psecure_delete_address_not_ok: no port security subblock for Po48
Mar 20 10:05:25.830: PSECURE: psecure_delete_address_not_ok: no port security subblock for Po48

Po48 is the port-channel uplink, configured as a dot1q trunk, to a distribution switch.  I haven't been able to find any reference to this debug message anywhere.

In short, we're seeing the same problem.  The only data points I have to add are (a) that it happens only on stack members greater than 1, and (b) that the affected ports are all configured with "spanning-tree portfast", and bpduguard is on, so I don't think BPDUs should be an issue.

I'm stumped.

Michael Assels

New Member

MAC Address not captured on switch ports

Hi Erik,

Hope ip routing is disabled on 3750 switch, use below method to find out interface using mac address database,

Ex- you are trying to find 172.16.1.20 host interface,

First ping from your core switch (L3) to 172.16.1.20 where host gateway (Ex.172.16.1.1) was configured,

then issue sh ip arp 172.16.1.20 on core,

here is your host mac address, then copy mac address and telnet to your host connected switch,

and issue sh mac address add xxxx.xxxx.xxxx

whoh! you have found interface of connected host,

HTH

MAC Address not captured on switch ports

Hi all,

The issue is that the host connected only receives traffic and does not send - maybe does not send on this interface.

GigabitEthernet2/0/11 is up, line protocol is up (connected)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5454502
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 63000 bits/sec, 51 packets/sec

Having in mind that the FDB is built by looking in the frame received on the port, and source mac address, and looking at the show interface output.

Regards

Dan

New Member

Re: MAC Address not captured on switch ports

Dan-Ciprian Cicioiu wrote:

The issue is that the host connected only receives traffic and does not send - maybe does not send on this interface.

Dan,

I think the lack of traffic sent by the host on Erik's Gi2/0/11 interface is a red herring.  I see dozens of ports with the same problem -- i.e., MAC addresses not captured on switch ports -- but all of them send and receive traffic normally.  Again, I emphasize that this only happens on stacked 3750X switches, and never on the stack master (or at least, never on stack member 1, which happens to be the master).  I should also add that it happens on very roughly half the access ports that have link and line protocol up, and there doesn't appear to be any obvious pattern to the distribution of ports with the problem.

I can't speak for Erik, who originally raised the issue, but it certainly appears that he and I are seeing the same thing.

Regards,

Michael

New Member

Re: MAC Address not captured on switch ports

Thanks Kyle, removing and reapplying the port-security commands looks like it fixed the issue.

New Member

Re: MAC Address not captured on switch ports

Hi Erik,

Are you sure the problem is fixed?  I was able to "bring back" a port's sticky MAC address by removing and reapplying the port-security commands, but it disappears again as soon as there's a significant change to the port's state.  In particular, if you unplug that attached host and then plug it in again, the MAC address disappears again.  I get the same result by changing the VLAN and then changing it back, or by shutting down the port and then bringing it back up.

Michael

Bronze

Re: MAC Address not captured on switch ports

I've recently experienced the same issue on a 3750 stack. The switch was initially installed; however, the first 12 ports would not capture the MAC address of directly connected hosts. Rebooting the switch changed nothing.

Removing the "switchport port-security" command on the individual interfaces and then re-applying it solved the problem for me.

New Member

Re: MAC Address not captured on switch ports

Kyle McKay wrote:

[...]

Removing the "switchport port-security" command on the individual interfaces and then re-applying it, solved the problem for me.

Hmm.  That looked really promising, but unfortunately, it didn't work for me.

In case it stimulates anyone's memory, I have more snippets of logging output from "debug port-security":

[...]

Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/15
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/16
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7E3FE6C<001a.a015.6011:540> on Gi2/0/17
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/17
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/18
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7DEEE84<001a.a016.5892:540> on Gi2/0/19
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/19
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7DD808C<001a.a015.498a:540> on Gi2/0/20
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/20
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/22
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7B16A94<0000.a703.674b:601> on Gi2/0/23
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/23
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/33
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7800AD4<0021.86fa.93b1:540> on Gi2/0/34
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/34
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7F1D30C<0021.86fa.91f0:540> on Gi2/0/35
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/35
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/36
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/37
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7C4B634<0021.86fa.933a:540> on Gi2/0/38
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/38
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning 0x7C9AA84<0021.86fa.932d:540> on Gi2/0/39
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/39
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/40
Mar 20 15:08:47: PSECURE: psecure_get_next_mac_from_hat: returning NULL on Gi2/0/41

[... etc., up to Gi6/0/48 ...]

The cases where only "NULL" is returned correspond exactly to the ports that are up and working but apparently without recorded MAC addresses.  The "missing" ports (e.g., Gi2/0/21, and Gi2/0/24-32) are not configured for port-security.  Again, searching for "psecure_get_next_mac_from_hat" yields no information on either Cisco's site or elsewhere.

Michael

New Member

Re: MAC Address not captured on switch ports

I think I've found a definitive but disappointing answer.  It's a known bug:  CSCtx96215.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx96215&from=summary

Slave switches missing port-security sticky mac-address entries

Symptom:

A port-security sticky mac-address is missing from a slave's CAM table

Conditions:

The problem is seen only when port-security with port-security

Workaround:

None at this time

Its status is "Severe".  It appears to affect every version of IOS since 12.2(40)SE.

So, while our problem isn't solved, at least it's understood.

Michael

New Member

Re: MAC Address not captured on switch ports

Since there seems to be renewed interest here, I'll add my two cents worth:  Cisco engineers managed to identify the problem we were experiencing as a new bug -- CSCtz07523 -- first found in 15.0(1)SE, that is fixed in a pending release.  The bug details are copied below, although in our experience, the "workaround" doesn't work at all.  We've been working with a specially patched engineering image for a few months now, and are anxiously awaiting the pending release.

Michael

CSCtz07523            Bug Details

Slave switches miss port-sec sticky mac entries
Symptom:
Slave switches miss port-security sticky mac entries

Conditions:
15.0SE2, 3750X stack with port-security enabled

Workaround:
removing "switchport port-security" and re-applying may workaround the issue
New Member

Re: MAC Address not captured on switch ports

Just to add my recent experience.

This recently happened on one of my many 3750X stacks. I am currently running IOS 12.2.-58.SE1 version, going to upgrade to the most recent 15.0-1.SE2, but not sure if this is going to resolve.

Only some of the ports were affected. As soon as I removed portswitch security and applied it again, it worked. I did not have much time to capture anything, had to fix quickly, but am absolutely sure it has nothing to do with physical layer.

Heard that this could be related to the way how the stack is booted, means the boot sequence of the members in the stack. I have a lot of such stacks and this is the first time I've seen something like this.

My port settings are like these, so I do not use mac address sticky

!
interface GigabitEthernet1/0/23
 switchport access vlan xx
 switchport mode access
 switchport voice vlan yy
 switchport port-security maximum 25
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip device tracking maximum 10
 ip arp inspection trust
 ip arp inspection limit rate 256 burst interval 15
 no logging event link-status
 srr-queue bandwidth share 10 80 5 5
 srr-queue bandwidth shape 0 0 0 0
 priority-queue out
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input Policy_Voice
 ip dhcp snooping limit rate 10
!

Vlad

New Member

Re: MAC Address not captured on switch ports

The same happened on one of our other new 3750X stacks recently. This time the IOS version is 12.2(55)SE3, basically because we plan to add older 3750 switches into this stack in the near future.

I've opened a Cisco case for this particular one.

Will see their answer.

Vlad

New Member

Re: MAC Address not captured on switch ports

I am able to reproduce my issue in my lab. Had two calls with Cisco, showed them it. Their expert confirms this is a bug in IOS, and is a stack synchronization issue. They are going to fix it in the next IOS release.

The way you can verify that you have THE same kind of issue as mine is to enter this command:

remote command all show port-security int g2/0/1

and if you see that port security is enabled on the primary stack member 1 but is disabled on the stack member 2, it is a stack synchronization issue.
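The two checks described in this thread (a Secure-up port that has seen a source MAC but holds no secure address, and the per-member comparison from the post above) can be automated over collected output. This is an added example, not code from any poster or from Cisco; the function names are hypothetical, the sample text is constructed in the field layout quoted above, and the caller is assumed to have already split the `remote command all` output per stack member.

```python
import re


def parse_port_security(text):
    """Turn the 'Key : Value' lines of one interface's output into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the padded colon only, so 'Last Source Address:Vlan' stays one key.
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def missing_secure_mac(fields):
    """Secure-up port that has seen a source MAC but holds no secure address."""
    mac = fields.get("Last Source Address:Vlan", "").rsplit(":", 1)[0]
    return (fields.get("Port Security") == "Enabled"
            and fields.get("Port Status") == "Secure-up"
            and int(fields.get("Total MAC Addresses", "0")) == 0
            and mac not in ("", "0000.0000.0000"))


def members_out_of_sync(per_member):
    """per_member: stack member number -> that member's output for one interface.
    Returns the members whose 'Port Security' state differs from the
    lowest-numbered member's view (assumption: that member is the reference)."""
    states = {m: parse_port_security(t).get("Port Security")
              for m, t in per_member.items()}
    reference = states[min(states)]
    return sorted(m for m, s in states.items() if s != reference)


def sample(state="Enabled", status="Secure-up", total=0):
    """Constructed output in the field layout quoted in the thread."""
    return (f"Port Security              : {state}\n"
            f"Port Status                : {status}\n"
            "Violation Mode             : Restrict\n"
            "Maximum MAC Addresses      : 1\n"
            f"Total MAC Addresses        : {total}\n"
            f"Sticky MAC Addresses       : {total}\n"
            "Last Source Address:Vlan   : 0021.86fa.95c4:502\n"
            "Security Violation Count   : 0\n")


if __name__ == "__main__":
    affected = parse_port_security(sample())         # values as posted for Gi2/0/1
    healthy = parse_port_security(sample(total=1))   # constructed healthy port
    print("affected flagged:", missing_secure_mac(affected))
    print("healthy flagged:", missing_secure_mac(healthy))
    views = {1: sample(), 2: sample("Disabled", "Secure-down")}  # constructed
    print("out-of-sync members:", members_out_of_sync(views))
```

A port flagged by `missing_secure_mac` is passing traffic without a secure address recorded against it, so it is worth listing separately from ports that are simply idle.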

Silver

Re: MAC Address not captured on switch ports

Vlad,

thank you for sharing this kind of information! I believe it is very useful!

This deserves points and a big THANKS.

Best regards,

Jan

New Member

Re: MAC Address not captured on switch ports

Cisco inform they are able to recreate the issue in their lab and have filed a bug - CSCub20606, which is a Cisco internal bug ID only.

Vlad
