Cisco Support Community
New Member

Switch Port Security Puzzler

We have a Cisco 2900 series switch with a port configured for "port security action shutdown" and "max-mac-count 1". It works like it's supposed to, but we ran across something strange that we can't explain:

One of the system administrators accidentally assigned a duplicate IP address to one of our host machines. Of course, the machine immediately shut off its network services and popped up an IP conflict message box; however, the switch port it was connected to (with port security configured) also shut down. When we configured the machine for the correct IP and cleared the MAC on the port, it started working as it should. I did a test and changed the IP address of the machine to one that was NOT a duplicate IP and it also worked fine. Upon changing it back to a duplicate IP, though, the switch port shut down again.

Why is this happening? I understand how port security works and I realize it's a moot point either way, since a machine will shut down its network services anyway with a duplicate IP (even if the switch port doesn't). BUT, I assumed (maybe incorrectly) that the switch port tabled only the secure MAC address. How is IP being thrown into this? Any answers would be appreciated.

3 REPLIES
Cisco Employee

Re: Switch Port Security Puzzler

There is a bug open for a similar issue on a CAT5k, which is closed:

http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCea47047

The problem was found to be with Microsoft Windows (NT, win2000). It is sending a gratuitous ARP with the contender's IP address and MAC address.

New Member

Re: Switch Port Security Puzzler

Thanks much for the info! This must not be a widespread problem since I only got 1 reply to this posting. I noticed there's really no bug fix for this....

Cisco Employee (Accepted Solution)

Re: Switch Port Security Puzzler

There is no fix from the Cisco side at least, since our switches are working as expected. If you wish to pursue this, I suggest that you contact Microsoft support and ask them why a gratuitous ARP with the contender's IP address and MAC address is sent out. If you do contact them, please share your findings.

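A toy model of the behaviour discussed in this thread, added here as an illustration and not taken from any of the posts or from Cisco: a port limited to one secure MAC address shuts down when a gratuitous ARP bearing the contender's MAC arrives on it. It assumes the ARP also uses the contender's MAC as its Ethernet source address, which the thread does not state; all MAC/IP values and names (`SecurePort`, `build_arp`, `parse_arp`, `replay`) are constructed.

```python
import struct
HOST = "00:11:22:33:44:55"       # constructed: MAC of the misconfigured host
CONTENDER = "66:77:88:99:aa:bb"  # constructed: MAC of the IP's existing owner
DUP_IP = "192.0.2.10"            # constructed: the duplicated address

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_src, sha, spa, tpa):
    """Build a 42-byte broadcast ARP request (constructed test input)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + m(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + m(sha) + ip(spa) + b"\x00" * 6 + ip(tpa))

def parse_arp(frame):
    """Return sender MAC/IP and target IP, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06" or \
       struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(map(str, b))
    return {"sha": mac(frame[22:28]), "spa": dotted(frame[28:32]), "tpa": dotted(frame[38:42])}

class SecurePort:
    """Toy model of max-mac-count 1 with violation action shutdown."""
    def __init__(self, max_macs=1):
        self.max_macs, self.secure, self.shutdown = max_macs, [], False
    def receive(self, frame):
        if self.shutdown:
            return ("dropped", None)
        src = mac(frame[6:12])          # only the Ethernet source MAC is checked, never the IP
        if src in self.secure:
            return ("forwarded", None)
        if len(self.secure) < self.max_macs:
            self.secure.append(src)
            return ("learned", None)
        self.shutdown = True            # a second source MAC on the port is a violation
        arp = parse_arp(frame)
        gratuitous = arp and arp["spa"] == arp["tpa"]
        return ("violation", f"gratuitous ARP for {arp['spa']} from {arp['sha']}" if gratuitous else None)
    def clear(self):                    # operator clears the secure MAC and re-enables the port
        self.secure, self.shutdown = [], False

def replay():
    port = SecurePort()
    frames = [build_arp(HOST, HOST, DUP_IP, DUP_IP),            # host announces its address
              build_arp(CONTENDER, CONTENDER, DUP_IP, DUP_IP),  # assumed: emitted by the same host
              build_arp(HOST, HOST, DUP_IP, DUP_IP)]            # later traffic from the host
    return port, [port.receive(f) for f in frames]
```

The model never inspects the IP address when deciding on a violation; the duplicate IP matters only because it is what causes a frame with a second source MAC to appear on the port.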