Cisco Support Community
New Member

Port Security issue in 2960 stack

Dear Team,

We have recently installed c2960-x stack switches. We have stacked 6 switches. It is running with c2960-univ-150-2-EX5.bin IOS. We are facing port security issues.

 

The setup is switch --> Cisco 7940----> PC.

 

The issue is that PCs are not able to get an IP when connected from vnet, but they are able to get an IP when connected directly to the I/O port.

In the logs we are seeing error as port - security violation.

We have configured the ports in the format below.

interface gi1/0/1
switchport mode access
switchport access vlan x
switchport voice vlan y
switchport port-security
switchport port-security maximum 4
switchport port-security violation restrict
switchport port-security aging 2
storm control and spanning-tree configurations

 

Initially we configured the port security maximum value as 2. After users started complaining we changed the maximum value to 3. It was fine for two days and again the issues started to come. So, we again increased the value to 4 and it was fine for a couple of days and the issue has started again. After I change the value to 5 the switch is able to read the MAC and the PC is getting an IP. Again, if I change the value back to 4 for that particular port, the PC connected to that port is still getting an IP.

 Kindly require some suggestions for this issue.

 

Regards,

Avinash

 

 

10 REPLIES
Hall of Fame Super Gold

What is this "vnet"?  It sounds like this "vnet" is some kind of a glorified hub.

 

New Member

I referred to the Cisco 7940 phone as vnet

Cisco Employee

Check this for the IpPhone + port-security:

 

https://supportforums.cisco.com/discussion/11703716/port-security-mac-address-max-and-voip-umpteenth-time

As I said before, pls check what addresses are learnt on the switch by port-security. It can happen that someone plugs a new PC into the same phone and that will add a new learnt MAC...

Niko

Cisco Employee

Agree with Leo,

 

Not clear what VNET is. It seems that some devices are connected to the same switch port through this vnet, occupying MACs in port-security. On the switch you can check show port-security address to see which addresses are learnt, and then you may trace those.

 

Niko

New Member

I referred to the Cisco 7940 phone as VNET.

Please find the output below and suggest if any changes are to be made.

switch#show port-security interface gi2/0/33
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   :<removed>
Security Violation Count   : 173743

Note: 1 desktop and 1 phone are connected to every port.

 

Cisco Employee

I was talking about a different command - show port-security address ...

New Member

Hi,

I am having strange issue related to port security....

please follow below link.

https://supportforums.cisco.com/discussion/12197626/mac-address-not-getting-sticked 

New Member

Hi,

Since u have allowed max 4 mac addresses, every time a new PC connects it violates the security.

I will suggest u apply <switchport port-security mac-address sticky> under the switch port.

This will help u see current mac addresses attached to the ports using < show run int gi1/0/1>

 

Regards,

Mitesh

New Member

Hi Mitesh,

There are no laptop users and hence the possibility of connecting a new PC is relatively low.

New Member

Hi all,

As of now we have set the port-security maximum value to 5. Still we are seeing the port security violation error, and only one MAC can be learned through the port on which the violation has been reported. Kindly advise on this.

We are also seeing the following errors flooded in show logging:

124847: May 27 11:12:49.447 IST: PSECURE: Assert failure: psecure_sb->info.num_addrs <= psecure_sb->max_addrs: ../switch/psecure/psecure_utils.c: 144: psecure_update_address_counts (Switch-6)
124848: May 27 11:12:49.447 IST: -Traceback= 42FB48z 240E8E0z 241B7E0z 241E0BCz 6E194z 6B30Cz 20E05B0z 21DA938z 27134A4z 270D6E4z (Switch-6)

Even though these errors are regarded as an IOS bug, do these logs have any effect on this issue?

Kindly share your thoughts on this.

 

Regards,

Avinash 
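
An added example, not part of any post in this thread: a Python sketch that parses the show port-security interface output and the PSECURE assert log line posted above, then flags the two conditions the thread is circling (a large violation counter while the address table is below its limit, and restrict mode dropping frames without shutting the port). The finding names and the violation threshold are assumptions, and the second log line is constructed.

```python
import re
from collections import Counter

# 'show port-security interface' fields copied from the thread (address redacted by the poster).
SHOW_OUTPUT = """\
Port Security              : Enabled
Violation Mode             : Restrict
Aging Time                 : 2 mins
Maximum MAC Addresses      : 4
Total MAC Addresses        : 2
Last Source Address:Vlan   :<removed>
Security Violation Count   : 173743
"""
# First entry is the log line from the thread; the second is a constructed, unrelated line.
LOG_LINES = [
    "124847: May 27 11:12:49.447 IST: PSECURE: Assert failure: psecure_sb->info.num_addrs <= "
    "psecure_sb->max_addrs: ../switch/psecure/psecure_utils.c: 144: "
    "psecure_update_address_counts (Switch-6)",
    "124849: May 27 11:13:02.101 IST: %LINK-3-UPDOWN: Interface GigabitEthernet6/0/12, changed state to up",
]
ASSERT_RE = re.compile(
    r"PSECURE: Assert failure: .+?: \S+\.c: \d+: \w+ \((?P<member>Switch-\d+)\)"
)

def parse_port_security(text):
    """Parse 'Key   : value' lines; the key ends at whitespace followed by a colon."""
    pairs = (re.match(r"(.+?)\s+:\s*(.*)", line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def assess(fields, violation_threshold=1000):  # threshold is an arbitrary assumption
    total = int(fields["Total MAC Addresses"])
    maximum = int(fields["Maximum MAC Addresses"])
    violations = int(fields["Security Violation Count"])
    findings = []
    # Counter is high although the table is currently below the limit: this snapshot
    # does not explain the violations, so the learned addresses need inspecting.
    if violations >= violation_threshold and total < maximum:
        findings.append("violations-while-below-maximum")
    # Restrict mode drops offending frames and counts them but leaves the port up.
    if fields.get("Violation Mode") == "Restrict" and violations:
        findings.append("restrict-mode-drops-port-up")
    return findings

def assert_failures_by_member(lines):
    """Count PSECURE assert-failure log lines per stack member."""
    hits = (ASSERT_RE.search(line) for line in lines)
    return dict(Counter(m["member"] for m in hits if m))

print(assess(parse_port_security(SHOW_OUTPUT)), assert_failures_by_member(LOG_LINES))
```

Because the port uses a 2-minute absolute aging time, the Total MAC Addresses value is only a snapshot; pairing this check with the show port-security address output suggested in the replies shows which addresses were actually secured.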

 
