packet drops on 2960 with port-security enabled

Hello,

We are using the following port-security configuration on user access ports on Cisco 2960 switches, in order to protect the infrastructure against MAC flooding attacks:

switchport port-security maximum 10
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity

There is a problem with the more "quiet" hosts, especially in technology: every time the MAC address ages out, the first packets (usually an ARP request) sent by the host are dropped by the switch. No violation is logged; the switch should be fine to forward the packets but doesn't:

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 1 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.aabb.ccdd:11
Security Violation Count   : 0

When port-security is turned off, all packets are forwarded without trouble. This is happening on both WS-C2960-24TT-L and WS-C2960-8TC-L, with IOS 12.2(35)SE1 and 12.2(50)SE5, respectively. I haven't checked other models yet.

I have found similar reports and bugs for the 2950 and 3750:

https://supportforums.cisco.com/thread/163910

https://supportforums.cisco.com/message/89560

https://tools.cisco.com/bugsearch/bug/CSCeg63177

https://tools.cisco.com/bugsearch/bug/CSCec21652

Is there anything we can do to fix this?

Is there an access switch that would not suffer from this problem? (Like 2960-S maybe?)

Thank you.
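To spot the exposure described in the post across many ports, the `show port-security interface` output can be parsed and checked for the short-inactivity-aging combination that lets quiet hosts age out between packets. This is an added example, not code from the post or from Cisco; the sample output is the one quoted above, and the 5-minute threshold is an assumption for the audit, not a vendor figure.

```python
import re
from typing import Dict, List

# Constructed sample input: the `show port-security interface` output quoted
# in the post, one "Key : Value" pair per line as IOS prints it.
SHOW_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 1 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 10
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.aabb.ccdd:11
Security Violation Count   : 0
"""

# Inactivity aging shorter than this many minutes is flagged. The value is
# an assumption chosen for this audit, not a Cisco recommendation.
MIN_INACTIVITY_AGING_MINS = 5

def parse_port_security(text: str) -> Dict[str, str]:
    """Split each 'Key : Value' line on the last ' : ' so keys that
    themselves contain a colon (Last Source Address:Vlan) survive."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.rsplit(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields

def aging_minutes(fields: Dict[str, str]) -> int:
    """Return the configured aging time in minutes (0 when aging is off)."""
    m = re.match(r"(\d+)\s*mins?", fields.get("Aging Time", ""))
    return int(m.group(1)) if m else 0

def audit(fields: Dict[str, str]) -> List[str]:
    """Findings for the quiet-host drop condition the post describes."""
    findings: List[str] = []
    if fields.get("Port Security") != "Enabled":
        return findings
    mins = aging_minutes(fields)
    if fields.get("Aging Type") == "Inactivity" and 0 < mins < MIN_INACTIVITY_AGING_MINS:
        findings.append(f"inactivity aging of {mins} min: quiet hosts age out between packets")
    if fields.get("Port Status") == "Secure-up" and fields.get("Total MAC Addresses") == "0":
        findings.append("port up with no secured address held: next frame must be re-learned")
    return findings
```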
