5100 Views, 0 Helpful, 9 Replies

switchport port-security not working on 3750 switch stack

martin.nevels
Level 1

Hi,

I have a 3750 switch stack consisting of five members. I have configured port-security, but the switch does not prevent PCs from using the network on some of the stack members, although port-security is configured. The switch logs the violation but does not throw away the packets!

Anyone have a clue?

This is the typical port-security definition:

interface FastEthernet1/0/44
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
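The symptom described in the question (a violation is logged, yet the offending host keeps passing traffic) can be checked from the switch's own output rather than by trial and error. The script below is an added example, not part of the thread: it pairs `%PORT_SECURITY-2-PSECURE_VIOLATION` syslog lines with `show mac address-table` rows and reports every port on which the violating MAC is nevertheless present in the MAC table. Both inputs are constructed sample text, and the rule "an address the switch has learned on a port is an address it forwards for" is the heuristic assumption the check rests on.

```python
import re

# Constructed sample input (not from the thread): a syslog excerpt and rows of
# `show mac address-table` as a 3750 stack would print them. Only Fa1/0/44
# shows the symptom: the violating MAC is still learned on the port.
SYSLOG = """\
Mar  1 10:12:01.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet1/0/44.
Mar  1 10:12:07.456: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet3/0/12.
"""

MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0010.0200.0304    STATIC      Fa1/0/44
 100    0011.2233.4455    DYNAMIC     Fa1/0/44
 100    0010.0200.9999    STATIC      Fa3/0/12
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"(?P<mac>" + MAC + r") on port (?P<port>[A-Za-z]+[\d/]+)"
)
MAC_ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>" + MAC + r")\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$"
)

# Syslog prints long interface names, the MAC table prints short ones; both
# must map to the same key before they can be compared.
PORT_ABBREV = {"fastethernet": "Fa", "gigabitethernet": "Gi", "tengigabitethernet": "Te"}


def normalize_port(name: str) -> str:
    """Map 'FastEthernet1/0/44' and 'Fa1/0/44' to the same key, 'Fa1/0/44'."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", name)
    if not m:
        return name
    prefix, rest = m.group(1).lower(), m.group(2)
    for full, short in PORT_ABBREV.items():
        if full.startswith(prefix):
            return short + rest
    return name


def parse_violations(syslog: str) -> list:
    """(mac, port) for every PSECURE_VIOLATION syslog line."""
    hits = []
    for line in syslog.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            hits.append((m.group("mac").lower(), normalize_port(m.group("port"))))
    return hits


def parse_mac_table(text: str) -> dict:
    """{(mac, port): entry_type} for every data row of `show mac address-table`."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            key = (m.group("mac").lower(), normalize_port(m.group("port")))
            table[key] = m.group("type").upper()
    return table


def find_leaky_ports(syslog: str, mac_table: str) -> list:
    """Violations whose offending MAC is nevertheless in the MAC table on the
    same port. With `violation restrict` the switch should log and count the
    violation and refuse to learn the address; an entry for it means the port
    is still forwarding that host's traffic. Heuristic assumption: an address
    the switch has learned on a port is an address it forwards for."""
    table = parse_mac_table(mac_table)
    leaks = []
    for mac, port in parse_violations(syslog):
        entry_type = table.get((mac, port))
        if entry_type is not None:
            leaks.append({"port": port, "mac": mac, "mac_table_type": entry_type})
    return leaks


if __name__ == "__main__":
    for leak in find_leaky_ports(SYSLOG, MAC_TABLE):
        print(f"{leak['port']}: violation logged for {leak['mac']}, but the address is "
              f"{leak['mac_table_type']} in the MAC table -> traffic is not being dropped")
```

Run it against a real stack by pasting the output of `show logging` and `show mac address-table` into the two strings; a port that appears in the result after a violation is one where the hardware is not enforcing what the software logged.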

Accepted Solution

I contacted TAC regarding this. Here is the reply.

There is a bug for the situation; the fix will be an IOS upgrade to the version 12.2(25)-SEE2.

You would be able to see the information regarding the bug on the following link.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsc08321

Furthermore, you will be able to download the IOS image on the following link.

http://tools.cisco.com/support/downloads/go/Images.x?relVer=12.2.25-SEE2&mdfid=278546113&sftType=IOS&optPlat=null&nodecount=4&edesignator=ED


9 Replies

globalnettech
Level 5

Hello,

I do not have the equipment here to test, but I think that the problem is that sticky MAC addresses are not downloaded by other member switches, only dynamic ones are. Try removing the 'switchport port-security mac-address sticky' command from the interface and configuring a static MAC address (switchport port-security mac-address 0010.0200.0304 vlan X), and see if it makes a difference.

Regards,

GNT

I have 5 x 48 = 240 ethernet ports with a moderate change rate (i.e. new machines replacing others). I cannot afford to manually configure every MAC address :(

We use the sticky statement to keep the MAC addresses on the switchport after the port changes from down to up (or else someone could unplug a machine, and attach his own: no security there).

But if it is true that sticky MAC addresses are not downloaded to other stack members, then I consider that a serious bug in the IOS software. Port-security should work over the whole stack, not just per member.

t.fiala
Level 1

Hi Martin,

I have had two 3750s in a stack for a while for testing, so I could repeat your configuration.

I have IOS 12.2(25)SEB1 and port security works correctly on it.

Tomas

paulcian_2
Level 1

Did you ever resolve this? I have the same issue on a 3560 switch. Violation restrict keeps on passing data for a device even though syslog messages are generated indicating a violation.

I am in the process of upgrading to the latest IOS and will then test again. I'll post the results here.

chriswill
Level 1

Hi Martin,

As well as restrict, I use the following to restrict traffic during a violation. Not sure if this is what you're after. Hope it helps.

switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
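Across 240 ports it is easy to lose track of which stanzas carry which of the settings discussed in this thread (violation mode, sticky versus static addresses, maximum, aging). The audit below is an added example, not part of the thread: it parses interface stanzas from a running-config, fills in the IOS defaults for anything not stated (violation shutdown, maximum 1, aging time 0 meaning disabled, aging type absolute) and flags access ports with no port-security, ports whose secure addresses are only dynamic, and ports in `protect` mode, which drop silently without the syslog message this thread relies on. The configuration text is constructed; the first stanza is the one from the original question and the second uses the aging commands from this reply.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed running-config excerpt (not from the thread). Stanza one is the
# original question's, two uses the aging settings from this reply, three uses
# `protect`, four is an access port with no port-security at all.
RUNNING_CONFIG = """\
interface FastEthernet1/0/44
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet1/0/45
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security mac-address 0010.0200.0304 vlan 100
!
interface FastEthernet2/0/1
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet2/0/2
 switchport access vlan 100
 switchport mode access
!
"""


@dataclass
class PortSecurity:
    """Effective port-security state of one interface, starting from IOS defaults."""
    interface: str
    mode: Optional[str] = None      # access / trunk / None (not configured)
    enabled: bool = False
    violation: str = "shutdown"     # IOS default violation mode
    maximum: int = 1                # IOS default maximum secure addresses
    aging_time: int = 0             # minutes; 0 means aging disabled (IOS default)
    aging_type: str = "absolute"    # IOS default aging type
    sticky: bool = False
    secured_macs: List[str] = field(default_factory=list)  # static or saved sticky


def parse_port_security(config: str) -> List[PortSecurity]:
    ports: List[PortSecurity] = []
    current: Optional[PortSecurity] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = PortSecurity(interface=raw.split(None, 1)[1].strip())
            ports.append(current)
            continue
        if not raw.startswith(" "):      # '!' or any other top-level line ends the stanza
            current = None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        parts = cmd.split()
        if cmd.startswith("switchport mode "):
            current.mode = parts[2]
        elif cmd == "switchport port-security":
            current.enabled = True
        elif cmd.startswith("switchport port-security violation "):
            current.violation = parts[3]
        elif cmd.startswith("switchport port-security maximum "):
            current.maximum = int(parts[3])
        elif cmd.startswith("switchport port-security aging time "):
            current.aging_time = int(parts[4])
        elif cmd.startswith("switchport port-security aging type "):
            current.aging_type = parts[4]
        elif cmd.startswith("switchport port-security mac-address sticky"):
            current.sticky = True
            if len(parts) > 4:           # a learned sticky address saved to the config
                current.secured_macs.append(parts[4])
        elif cmd.startswith("switchport port-security mac-address "):
            current.secured_macs.append(parts[3])
    return ports


def audit(ports: List[PortSecurity]) -> Dict[str, List[str]]:
    """Interface -> list of things an operator should look at."""
    findings: Dict[str, List[str]] = {}
    for p in ports:
        notes = []
        if p.mode == "access" and not p.enabled:
            notes.append("access port without port-security")
        if p.enabled:
            if p.violation == "protect":
                notes.append("violation protect: drops silently, no syslog and no violation counter")
            elif p.violation == "restrict":
                notes.append("violation restrict: logs and counts violations, port stays up")
            if not p.sticky and not p.secured_macs:
                notes.append("only dynamic secure addresses: they are lost when the port goes down")
        if notes:
            findings[p.interface] = notes
    return findings


if __name__ == "__main__":
    for iface, notes in audit(parse_port_security(RUNNING_CONFIG)).items():
        print(iface)
        for note in notes:
            print("  -", note)
```

Feed it the output of `show running-config` from each stack member; the parser only looks at the interface stanzas, so the rest of the configuration can stay in the text.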


I have upgraded my 3750's to 12.2(25)-SEE2.

Problem seems solved.

What bugs me is that I did not find anything about this particular bug in the release notes for the 12.2(25)-SEx series. Why not mention it there?!

mostafa.katary
Level 1

Hello Guys,

I am facing a similar issue.

I have 2 stacked switches, C3750-48TS-S with c3750-ipbasek9-mz.122-46.SE. I have 2 trunk ports, Fa1/0/1 and Fa2/0/1, configured towards different switches (to act as primary and secondary), and I am not able to receive any dynamic MAC address from the router on Fa2/0/1 for any newly configured VLAN, while the old VLANs work fine. Any suggestions?
