We have recently installed c2960-x stack switches. We have stacked 6 switches. The stack is running the c2960-univ-150-2-EX5.bin IOS. We are facing port-security issues.
The setup is switch --> Cisco 7940----> PC.
The issue is that PCs are not able to get an IP when connected from the vnet, but they are able to get an IP when connected directly to the I/O port.
In the logs we are seeing a port-security violation error.
We have configured the ports in the format below.
switchport mode access
switchport access vlan x
switchport voice vlan y
switchport port-security maximum 4
switchport port-security violation restrict
switchport port-security aging 2
storm control and spanning-tree configurations
Initially we configured the port-security maximum value as 2. After users started complaining, we changed the maximum value to 3. It was fine for two days and then the issues started again. So we increased the value to 4; it was fine for a couple of days and then the issue started again. After I change the value to 5, the switch is able to read the MAC and the PC gets an IP. If I then change the value back to 4 for that particular port, the PC connected to that port still gets an IP.
We kindly request some suggestions for this issue.
Check this for the IpPhone + port-security:
As I said before, please check which addresses are learnt on the switch by port-security. It can happen that someone plugs a new PC into the same phone, and that will add a newly learnt MAC...
Agree with Leo,
It is not clear what VNET is. It seems that some devices are connected to the same switch port through this vnet, occupying MAC entries in port-security. On the switch you can check show port-security address to see which addresses are learnt, and then you can trace those.
I referred to the Cisco 7940 phone as VNET.
Please find the output below and suggest if any changes are to be made.
switch#show port-security interface gi2/0/33
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan :<removed>
Security Violation Count : 173743
Note: 1 desktop and 1 phone are connected to every port.
I am having a strange issue related to port security...
Please follow the link below.
Since you have allowed a maximum of 4 MAC addresses, every time a new PC connects it violates the security.
I suggest you apply <switchport port-security mac-address sticky> under the switch port.
This will help you see the current MAC addresses attached to the ports using <show run int gi1/0/1>.
As of now we have set the port-security maximum value to 5. We are still seeing the port-security violation error, and only one MAC can be learned through the port on which the violation has been reported. Kindly advise on this.
We are also seeing the following errors flooding show logging:
124847: May 27 11:12:49.447 IST: PSECURE: Assert failure: psecure_sb->info.num_addrs <= psecure_sb->max_addrs: ../switch/psecure/psecure_utils.c: 144: psecure_update_address_counts (Switch-6)
124848: May 27 11:12:49.447 IST: -Traceback= 42FB48z 240E8E0z 241B7E0z 241E0BCz 6E194z 6B30Cz 20E05B0z 21DA938z 27134A4z 270D6E4z (Switch-6)
Even though these errors are regarded as an IOS bug, do these logs have any effect on this issue?
Kindly share your thoughts on this.
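Added example, not part of the thread and not Cisco tooling: a small Python triage of the two pieces of evidence posted above, the `show port-security interface` counters and the PSECURE assert log line. The function names and hint wording are assumptions made for illustration; the sample text is copied from the posts.

```python
import re

# Subset of the fields posted in the thread for gi2/0/33.
PORT_OUTPUT = """\
Violation Mode : Restrict
Aging Time : 2 mins
Maximum MAC Addresses : 4
Total MAC Addresses : 2
Last Source Address:Vlan :<removed>
Security Violation Count : 173743
"""
# Assert line and traceback as posted in the thread.
LOG = """\
124847: May 27 11:12:49.447 IST: PSECURE: Assert failure: psecure_sb->info.num_addrs <= psecure_sb->max_addrs: ../switch/psecure/psecure_utils.c: 144: psecure_update_address_counts (Switch-6)
124848: May 27 11:12:49.447 IST: -Traceback= 42FB48z 240E8E0z 241B7E0z 241E0BCz 6E194z 6B30Cz 20E05B0z 21DA938z 27134A4z 270D6E4z (Switch-6)
"""
FIELD = re.compile(r"^\s*(.+?)\s+:\s*(.*)$")
ASSERT = re.compile(r"PSECURE: Assert failure: .*\((Switch-\d+)\)\s*$")

def parse_fields(text):
    """Map 'Name : value' lines to a dict. The separator is the first colon
    preceded by whitespace, so 'Last Source Address:Vlan' stays one key."""
    return {m.group(1): m.group(2).strip()
            for m in map(FIELD.match, text.splitlines()) if m}

def triage(fields):
    """Hints for one port (hypothetical wording, not a diagnosis)."""
    maximum = int(fields["Maximum MAC Addresses"])
    total = int(fields["Total MAC Addresses"])
    violations = int(fields["Security Violation Count"])
    if not violations:
        return []
    if total < maximum:
        return [f"below-limit: {violations} violations counted but only {total} of "
                f"{maximum} addresses held now; the counter is cumulative and entries "
                "age out, so compare two readings, and check whether the rejected MAC "
                "is already secured on another port in the same VLAN"]
    return [f"at-limit: {total} of {maximum} addresses in use; list the learnt MACs"]

def assert_members(log):
    """Count PSECURE assert-failure lines per stack member."""
    counts = {}
    for line in log.splitlines():
        m = ASSERT.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```

Running `triage(parse_fields(...))` on two readings taken a few minutes apart shows whether the violation counter is still climbing while the port sits below its maximum.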