Port Security issue in 2960 stack

avinash2092
Level 1

Dear Team,

We have recently installed c2960-x stack switches. We have stacked 6 switches. It is running the c2960-univ-150-2-EX5.bin IOS. We are facing port security issues.


The setup is switch --> Cisco 7940----> PC.


The issue is that PCs are not able to get an IP when connected through the vnet, but they are able to get an IP when connected directly to the I/O port.

In the logs we are seeing the error as a port-security violation.

We have configured the ports in the format below.

interface gi1/0/1
 switchport mode access
 switchport access vlan x
 switchport voice vlan y
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security aging 2
 storm control and spanning-tree configurations


Initially we configured the port security maximum value as 2. After users started complaining we changed the maximum value to 3. It was fine for two days and then the issues started to come again. So we increased the value to 4 and it was fine for a couple of days, and the issue has started again. After I change the value to 5 the switch is able to read the MAC and the PC is getting an IP. If I then change the value back to 4 for that particular port, the PC connected to that port is still getting an IP.

Kindly provide some suggestions for this issue.


Regards,

Avinash

11 Replies

Leo Laohoo
Hall of Fame

What is this "vnet"?  It sounds like this "vnet" is some kind of a glorified hub.

I referred to the Cisco 7940 phone as vnet.

Check this for the IP phone + port-security:

https://supportforums.cisco.com/discussion/11703716/port-security-mac-address-max-and-voip-umpteenth-time

As I said before, please check which addresses are learnt on the switch by port-security. It can happen that someone plugs a new PC into the same phone, and that will add a new learnt MAC...

Niko

HTH,
Niko

nkarpysh
Cisco Employee

Agree with Leo,

It is not clear what VNET is. It seems that some devices are connected to the same switch port through this vnet, occupying MACs in port-security. On the switch you can check show port-security address to see which addresses are learnt, and then you may trace those.

Niko

HTH,
Niko

I referred to the Cisco 7940 phone as VNET.

Please find the output below and suggest if any changes are to be made.

switch#show port-security interface gi2/0/33
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   :<removed>
Security Violation Count   : 173743

note: 1 desktop and 1 phone are connected to every port.
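The "show port-security interface" output above is the natural thing to collect from every port in a stack and triage in bulk. The following is an added example (not code from the thread or from Cisco) that parses that output format and flags what a defender would look at first: a non-zero violation counter, a full secure-address table, and short absolute aging. The sample output is constructed to match the thread's format; the source MAC address is a placeholder.

```python
import re

# Constructed sample modelled on the "show port-security interface" output
# posted in the thread. The source MAC is a placeholder, not a real address.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0001:10
Security Violation Count   : 173743
"""

# Each line is "<key><padding>:<value>". The key itself may contain a colon
# ("Last Source Address:Vlan"), so split on the colon that follows the padding,
# not on the first colon in the line.
LINE_RE = re.compile(r"^(.+?)\s+:\s*(.*)$")


def parse_port_security(text):
    """Parse one interface's output into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def audit_port_security(fields):
    """Return a list of findings worth reviewing for this port (empty if nothing stands out)."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
        return findings

    maximum = fields["Maximum MAC Addresses"]
    total = fields["Total MAC Addresses"]
    violations = fields["Security Violation Count"]

    if violations > 0:
        findings.append(
            f"{violations} violations recorded (mode {fields['Violation Mode']}); "
            "run 'show port-security address' to see which MACs hold the slots"
        )
    if total >= maximum:
        findings.append(f"secure table full: {total}/{maximum} addresses learned")
    if fields.get("Aging Type") == "Absolute":
        # Absolute aging removes secure addresses when the timer expires, whether
        # or not the device is still sending traffic, so each device must be
        # re-learned every cycle; a very short timer is worth a second look.
        minutes = int(fields["Aging Time"].split()[0])
        if 0 < minutes <= 5:
            findings.append(
                f"absolute aging of {minutes} min expires secure addresses on a "
                "timer regardless of activity, so every device is re-learned each cycle"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_port_security(SAMPLE_OUTPUT)
    for finding in audit_port_security(parsed):
        print("-", finding)
```

Feed it the output of the same command for each port (for example, captured per interface over SSH) and the findings list gives a quick ranking of which ports to look at with "show port-security address", the command Niko points to below.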

I was talking about a different command - show port-security address ...

HTH,
Niko

Hi,

I am having a strange issue related to port security....

Please follow the link below.

https://supportforums.cisco.com/discussion/12197626/mac-address-not-getting-sticked 

Hi,

Since you have allowed a maximum of 4 MAC addresses, every time a new PC connects it violates the security.

I suggest you apply <switchport port-security mac-address sticky> under the switch port.

This will help you see the current MAC addresses attached to the ports using <show run int gi1/0/1>.

Regards,

Mitesh

Hi Nitesh,

There are no laptop users, and hence the possibility of connecting a new PC is relatively low.

avinash2092
Level 1

Hi all,

As of now we have set the port-security maximum value to 5. We are still seeing the port-security violation error, and only one MAC can be learned through the port on which the violation has been reported. Kindly advise on this.

We are also seeing the following errors flooded in show logging:

124847: May 27 11:12:49.447 IST: PSECURE: Assert failure: psecure_sb->info.num_addrs <= psecure_sb->max_addrs: ../switch/psecure/psecure_utils.c: 144: psecure_update_address_counts (Switch-6)
124848: May 27 11:12:49.447 IST: -Traceback= 42FB48z 240E8E0z 241B7E0z 241E0BCz 6E194z 6B30Cz 20E05B0z 21DA938z 27134A4z 270D6E4z (Switch-6)

Even though these errors are regarded as an IOS bug, do these logs have any effect on this issue?

Kindly share your thoughts on this.

Regards,

Avinash

ahmtaha
Cisco Employee

Hi avinash,

I have a similar issue; how did you get this problem resolved?