mac-address-table aging-time and port security

maldini.vivek
Level 1

Hi all,

Appreciate your help on this.

We recently had a few issues with the same MAC address learnt on 2 interfaces where port security is enabled.

There are a few things I would like to understand.

1. On an access switch WS-C3650-48PD, when I execute the show mac-address-table aging-time command it gives the output below. I know 300 is the default MAC address ageing time.

access-switch#show mac address-table aging-time
Global Aging Time: 300
Vlan Aging Time
---- ----------

But on one of the core switches it was showing a value of 15000 along with 300.

Core-switch#show mac-address-table aging-time
Vlan Aging Time
---- ----------
Global 15000
no vlan age other than global age configured

Routed MAC aging time: 300 seconds

What is the significance of 15000 here?

2. Also, on an edge port configured with port-security, I know that the MAC address will be learned dynamically but will be marked as static. How long will this static entry remain there?


Mark Malone
VIP Alumni

Hey, core switches like 6500s keep the MAC entries much longer than access switches, so the default is usually around 14400; you wouldn't want an access switch to keep it that long.

MAC address aging is globally configurable and also separately configurable on each VLAN. To configure MAC address aging time:

(config)# mac-address-table aging-time 14400 [vlan vlan_id] 

Routed MACs are MACs learned to IP L3; the switch checks these by ICMP to each node to see if they are still valid. The timer for these is only 300.

Your second question depends on how you have the port-security conditions set on the interface.


Thanks a lot, Mark, for the response.

We recently had an issue with the same MAC address learnt on 2 edge ports on 2 different switches connecting to the same core switches. We completely lost connection to that critical device.

Both edge ports are configured with an ageing time of 1 minute. The site confirmed that there was no re-patching of the device. Even if there was any re-patch, I would expect that after 1 minute the MAC would clear from the previous interface. Is it caused by a Cisco bug?

switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security

Hi, just because a MAC was learnt in by 2 different ports on the same device should not take it offline. I would have thought the timer may reset, but that's about it; MACs will often be learnt in by more than one port, as they can be broadcast out and there may be multiple uplinks on the switches.

If you're saying you had 2 different edge access ports that are not operating as trunks but as individual devices with the same MAC address attached, then you had some form of duplication issue and that may well have taken it offline.

Clearing the ARP for the particular IP associated with the MAC and bouncing the ports can usually clear something like that, unless someone has manually programmed a static incorrectly somewhere, in which case it will keep occurring.

Did you check the ARP table for that MAC when the issue was occurring? Did it have multiple IPs associated?

Hi Mark,

My case is the one below:

"If you're saying you had 2 different edge access ports that are not operating as trunks but as individual devices with the same MAC address attached, then you had some form of duplication issue and that may well have taken it offline"

We have been noticing some issues at a site with a few critical devices. During the last occurrence we noticed that the device was pingable only from one of the core switches, not from the other core switch, which was HSRP active at that point.

MAC address duplication is very unlikely, and that too with devices with the same MAC ending up at the same site.

Nope, I could not check the ARP entry at that time. I was trying to clear the MAC entry from the wrong edge port, and the issue was resolved as soon as it was done!

Hi, sorry, what I meant was IP duplication for that particular MAC address: if the IP is attached to that MAC by DHCP and someone has also statically assigned it to a device, causing duplication and the MAC being seen as if it's originating from 2 places due to the incorrect config at the network layer, like the extract below. I had an issue like it the other day.

sw-core#sh ip arp 189.x.x.142
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  189.x.x.x.x       18   ecf4.bb3c.55a8  ARPA   Vlan1

sw-edinburgh#sh ip arp 189.x.x.159
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  189.x.x.159         0   ecf4.bb3c.55a8  ARPA   Vlan1
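The two checks suggested in this thread (the same MAC showing up on more than one edge port, and one MAC answering for more than one IP in ARP) as a small parser over switch output. This is an added example, not code from the thread or from Cisco; the switch names, the uplink port and the sample rows are constructed assumptions in IOS output format.

```python
import re
from collections import defaultdict

# Matches one data row of "show mac address-table" (IOS): vlan, mac, type, port.
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)", re.IGNORECASE)
# Matches one data row of "show ip arp": ip, age, mac.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.IGNORECASE)

def find_duplicate_macs(tables, uplinks=()):
    """tables: {switch: "show mac address-table" text}; uplinks: {(switch, port)} to ignore.
    Returns {mac: [(switch, port, type), ...]} for MACs on more than one edge port."""
    seen = defaultdict(list)
    for switch, text in tables.items():
        for line in text.splitlines():
            m = MAC_ROW.match(line)
            if m and (switch, m["port"]) not in uplinks:
                seen[m["mac"].lower()].append((switch, m["port"], m["type"].upper()))
    return {mac: locs for mac, locs in seen.items()
            if len({(s, p) for s, p, _ in locs}) > 1}

def find_shared_mac_ips(arp_text):
    """Returns {mac: [ip, ...]} for MACs that the ARP table maps to more than one IP."""
    ips = defaultdict(list)
    for line in arp_text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ips[m["mac"].lower()].append(m["ip"])
    return {mac: v for mac, v in ips.items() if len(v) > 1}

# Constructed sample output (not captured from a real switch); Gi1/0/48 is the uplink.
SW1 = """Vlan    Mac Address       Type        Ports
  10    ecf4.bb3c.55a8    STATIC      Gi1/0/5
  10    0011.2233.4455    DYNAMIC     Gi1/0/48"""
SW2 = """  10    ecf4.bb3c.55a8    STATIC      Gi1/0/7
  10    0011.2233.4455    DYNAMIC     Gi1/0/48"""
ARP = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.142        18   ecf4.bb3c.55a8  ARPA   Vlan1
Internet  192.0.2.159         0   ecf4.bb3c.55a8  ARPA   Vlan1"""

if __name__ == "__main__":
    uplinks = {("sw1", "Gi1/0/48"), ("sw2", "Gi1/0/48")}
    print(find_duplicate_macs({"sw1": SW1, "sw2": SW2}, uplinks))
    print(find_shared_mac_ips(ARP))
```

Entries with type STATIC on an access port are the ones port security has learned and pinned, which is why they outlive the global aging timer; excluding the uplinks keeps MACs legitimately seen on both switches from being reported.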

Yes, this looks like 2 different IPs recorded against the same MAC address in the ARP table.

In my case the same MAC was seen on 2 different edge ports on 2 different access switches.

Are these hosts connected through an IP phone? If so, you can get problems with port security when you move the host. The original port is kept "up" by the phone, and so the security entry is not cleared down until it ages out. When you plug the host into the new port you get that ambiguity, and likely an err-disable.

For the same reason it is not a good idea to put port security on a distribution switch. Port security should be on the edge ports only.

Kevin

Hi Kevin,

The hosts are not connected through IP phones. They are large devices used for conveyor belts, but they are definitely connected to access layer switches with port-security on.
