05-10-2014 05:18 AM - edited 03-07-2019 07:24 PM
Dear Team,
We have recently installed c2960-x stack switches. We have stacked 6 switches. It is running with c2960-univ-150-2-EX5.bin IOS. We are facing port-security issues.
The setup is switch --> Cisco 7940----> PC.
The issue is that PCs are not able to get an IP when connected from vnet, but they are able to get an IP when connected directly to the I/O port.
In the logs we are seeing the error as port-security violation.
We have configured the ports in the format below.
interface gi1/0/1
 switchport mode access
 switchport access vlan x
 switchport voice vlan y
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security aging 2
 ! storm control and spanning-tree configurations
Initially we configured the port security maximum value as 2. After users started complaining we changed the maximum value to 3. It was fine for two days and again the issues started to come. So, we again increased the value to 4 and it was fine for a couple of days and the issue has started again. After I change the value to 5 the switch is able to read the MAC and the PC is getting an IP. Again, if I change the value back to 4 for that particular port, the PC connected to that port is still getting an IP.
Kindly require some suggestions for this issue.
Regards,
Avinash
05-10-2014 05:06 PM
What is this "vnet"? It sounds like this "vnet" is some kind of a glorified hub.
05-11-2014 11:38 PM
I referred to the Cisco 7940 phone as vnet.
05-11-2014 11:42 PM
Check this for the IP phone + port-security:
https://supportforums.cisco.com/discussion/11703716/port-security-mac-address-max-and-voip-umpteenth-time
As I said before, please check which addresses are learnt on the switch by port-security. It can happen that someone plugs a new PC into the same phone and that will add a newly learnt MAC...
Niko
05-11-2014 01:39 AM
Agree with Leo,
It is not clear what VNET is. It seems that some devices are connected to the same switch port through this vnet, occupying MACs in port-security. On the switch you can check show port-security address to see which addresses are learnt and then you may trace those.
Niko
05-11-2014 11:45 PM
I referred to the Cisco 7940 phone as VNET.
Please find the output below and suggest if any changes are to be made.
switch#show port-security interface gi2/0/33
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan :<removed>
Security Violation Count : 173743
Note: 1 desktop and 1 phone are connected to every port.
05-11-2014 11:57 PM
I was talking about a different command - show port-security address ...
05-12-2014 08:34 PM
Hi,
I am having a strange issue related to port security....
Please follow the link below.
https://supportforums.cisco.com/discussion/12197626/mac-address-not-getting-sticked
05-11-2014 09:13 PM
Hi,
Since you have allowed max 4 MAC addresses, every time a new PC connects it violates the security.
I suggest you apply <switchport port-security mac-address sticky> under the switch port.
This will help you see the current MAC addresses attached to the ports using <show run int gi1/0/1>
Regards,
Mitesh
05-12-2014 12:10 AM
Hi Mitesh,
There are no laptop users and hence the possibility of connecting a new PC is relatively low.
05-26-2014 10:48 PM
Hi all,
As of now we have set the port-security maximum value to 5. Still we are seeing the port-security violation error and only one MAC can be learned through the port on which the violation has been reported. Kindly advise on this.
We are also seeing the following errors flooding show logging:
124847: May 27 11:12:49.447 IST: PSECURE: Assert failure: psecure_sb->info.num_addrs <= psecure_sb->max_addrs: ../switch/psecure/psecure_utils.c: 144: psecure_update_address_counts (Switch-6)
124848: May 27 11:12:49.447 IST: -Traceback= 42FB48z 240E8E0z 241B7E0z 241E0BCz 6E194z 6B30Cz 20E05B0z 21DA938z 27134A4z 270D6E4z (Switch-6)
Even though these errors are regarded as an IOS bug, do these logs have any effect on this issue?
Kindly share your thoughts on this.
Regards,
Avinash
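An added example, not part of any post in this thread: a small Python triage script that reads the two artifacts quoted above, the `show port-security interface` output and the PSECURE assert log line, and flags a port whose violation counter is non-zero while its address table is below the maximum, and whether its stack member logged the address-count assert. The function names, the finding labels and the sample MAC/VLAN value are assumptions made for illustration, and the checks are heuristics for an operator, not Cisco guidance.

```python
import re

# Constructed inputs modelled on the output and log line quoted in the thread.
SHOW = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Maximum MAC Addresses : 4
Total MAC Addresses : 2
Last Source Address:Vlan : 0000.0000.0001:10
Security Violation Count : 173743
"""
LOGS = [
    "124847: May 27 11:12:49.447 IST: PSECURE: Assert failure: "
    "psecure_sb->info.num_addrs <= psecure_sb->max_addrs: "
    "../switch/psecure/psecure_utils.c: 144: psecure_update_address_counts (Switch-6)",
]

def parse_show(text):
    """Turn the 'Key : value' lines of show port-security interface into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon that has whitespace before it, so the key
        # 'Last Source Address:Vlan' stays in one piece.
        parts = re.split(r"\s+:\s*", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields

def assert_members(log_lines):
    """Stack member numbers that logged the PSECURE address-count assert."""
    pat = re.compile(r"PSECURE: Assert failure:.*num_addrs <= .*max_addrs.*\(Switch-(\d+)\)")
    return {int(m.group(1)) for line in log_lines if (m := pat.search(line))}

def triage(interface, show_text, log_lines=()):
    """Return heuristic findings for one port (labels are hypothetical)."""
    f = parse_show(show_text)
    maximum = int(f.get("Maximum MAC Addresses", 0))
    total = int(f.get("Total MAC Addresses", 0))
    violations = int(f.get("Security Violation Count", 0))
    findings = []
    if violations and total < maximum:
        # The table has room now: either it was full when the frames arrived
        # and has since aged out, or a MAC secured on another port showed up here.
        findings.append("violations-while-below-maximum")
    member = int(re.search(r"(\d+)/\d+/\d+$", interface).group(1))
    if member in assert_members(log_lines):
        findings.append("address-count-assert-on-member")
    return findings
```

Running `triage` once per port, with the output of `show port-security address` alongside, shows which MACs hold the slots on the ports it flags.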
02-13-2023 04:30 AM
Hi avinash,
I have a similar issue. How did you get this problem resolved?