08-16-2006 04:08 AM - edited 03-03-2019 04:32 AM
Hi,
I have a 3750 switch stack consisting of five members. I have configured port-security. But the switch does not prevent PCs from using the network on some of the stack members, although port-security is configured. The switch logs the violation, but does not throw away the packets!
Anyone have a clue?
This is the typical port-security definition:
interface FastEthernet1/0/44
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
12-11-2006 06:46 AM
I contacted TAC regarding this. Here is the reply.
There is a bug for the situation; the fix will be an IOS upgrade to the version 12.2(25)-SEE2.
You would be able to see the information regarding the bug on the following link.
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsc08321
Furthermore, you will be able to download the IOS image on the following link.
http://tools.cisco.com/support/downloads/go/Images.x?relVer=12.2.25-SEE2&md?fid=278546113&sftType=IOS&optPlat=null&nodecount=4&edesignator=ED
08-16-2006 05:18 AM
Hello,
I do not have the equipment here to test, but I think that the problem is that sticky MAC addresses are not downloaded by other member switches, only dynamic ones are. Try and remove the 'switchport port-security mac-address sticky' command from the interface, and configure a static MAC address (switchport port-security mac-address 0010.0200.0304 vlan X), and see if it makes a difference.
Regards,
GNT
08-25-2006 05:14 AM
I have 5 x 48 = 240 ethernet ports with a moderate change rate (i.e. new machines replacing others). I cannot afford to manually configure every MAC address :(
We use the sticky statement to keep the MAC addresses on the switchport after the port changes from down to up (or else someone could unplug a machine, and attach his own: no security there).
But if it is true that sticky MAC addresses are not downloaded to other stack members, then I consider that a serious bug in the IOS software. Port-security should work over the whole stack, not just per member.
09-26-2006 05:27 AM
Hi Martin,
I have had two 3750s in a stack for testing for a while, so I could repeat your configuration.
I have IOS 12.2(25)SEB1 and port security works correctly on it.
Tomas
12-06-2006 06:56 AM
Did you ever resolve this? I have the same issue on a 3560 switch. Violation restrict keeps on passing data for a device even though syslog messages are generated indicating a violation.
12-06-2006 10:06 AM
In the process of upgrading to the latest IOS and then test again. I'll post the results here.
12-10-2006 03:20 PM
Hi Martin,
As well as restrict I use the following to restrict traffic during violation. Not sure if this is what you're after. Hope it helps.
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
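The thread boils down to two questions per port: what port-security settings are actually in effect (including IOS defaults the config does not show, such as violation mode shutdown), and which ports on which stack member are logging %PORT_SECURITY-2-PSECURE_VIOLATION messages. The script below is an added example, not code from the thread or from Cisco: it parses a running-config and a syslog excerpt, fills in the defaults, flags access ports with no port-security or without sticky learning, and joins the logged violations to each port's configured violation mode and stack member number. The config and syslog text are constructed for the example (the first stanza mirrors the original poster's, the second adds the aging lines suggested above); the interface names, MAC addresses and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed IOS running-config excerpt (not from the thread). Member 2's port
# omits the violation mode, so the IOS default (shutdown) applies; member 3's
# port has no port-security at all; the Gi port is a trunk.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/44
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet2/0/10
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet3/0/5
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Constructed syslog lines in the format IOS uses for port-security violations.
SAMPLE_SYSLOG = """\
Aug 16 04:01:12.345: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet1/0/44.
Aug 16 04:01:13.001: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet1/0/44.
Aug 16 04:02:40.900: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00AA.BBCC.DDEE on port FastEthernet2/0/10.
"""

IFACE_RE = re.compile(r"^interface (\S+)")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9a-fA-F.]+) on port (\S+?)\.?$"
)


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from running-config text."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return stanzas


def stack_member(name):
    """'FastEthernet1/0/44' -> 1: the first index is the stack member on a 3750."""
    m = re.search(r"(\d+)/\d+/\d+$", name)
    return int(m.group(1)) if m else None


def audit_port_security(config):
    """Per-interface port-security summary with IOS defaults filled in."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        e = {"member": stack_member(name), "mode": None, "port_security": False,
             "violation": None, "sticky": False, "aging_time": None,
             "aging_type": None, "findings": []}
        for line in lines:
            words = line.split()
            if line.startswith("switchport mode "):
                e["mode"] = words[2]
            elif line == "switchport port-security":
                e["port_security"] = True
            elif line.startswith("switchport port-security violation "):
                e["violation"] = words[3]
            elif line == "switchport port-security mac-address sticky":
                e["sticky"] = True
            elif line.startswith("switchport port-security aging time "):
                e["aging_time"] = int(words[4])
            elif line.startswith("switchport port-security aging type "):
                e["aging_type"] = words[4]
        if e["port_security"] and e["violation"] is None:
            e["violation"] = "shutdown"  # IOS default when no violation mode is set
        if e["mode"] == "access" and not e["port_security"]:
            e["findings"].append("access port without port-security")
        if e["port_security"] and not e["sticky"]:
            e["findings"].append("no sticky: learned MACs are lost when the link drops")
        report[name] = e
    return report


def parse_violations(syslog):
    """{port: Counter(mac -> number of violation messages)} from syslog text."""
    counts = defaultdict(Counter)
    for line in syslog.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            counts[m.group(2)][m.group(1).lower()] += 1
    return counts


def correlate(config, syslog):
    """Join logged violations to each port's configured mode and stack member."""
    report = audit_port_security(config)
    rows = []
    for port, macs in sorted(parse_violations(syslog).items()):
        entry = report.get(port)
        rows.append({"port": port, "member": stack_member(port),
                     "violation_mode": entry["violation"] if entry else None,
                     "offending_macs": dict(macs)})
    return rows


if __name__ == "__main__":
    for name, e in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{name}: member={e['member']} mode={e['mode']} "
              f"violation={e['violation']} sticky={e['sticky']} {e['findings']}")
    for row in correlate(SAMPLE_CONFIG, SAMPLE_SYSLOG):
        print(row)
```

The script only reports what the config says and what syslog logged; whether a port in restrict mode is really dropping the offending frames has to be checked on the switch itself (for example with show port-security interface FastEthernet1/0/44, which shows the violation count and last source address) or by watching the offending host's traffic.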
12-11-2006 11:45 PM
I have upgraded my 3750's to 12.2(25)-SEE2.
Problem seems solved.
What bugs me is that I did not find anything about this particular bug in the release notes for the 12.2(25)-SEx series. Why not mention it there?!
01-23-2018 12:09 PM
Hello Guys,
I am facing a similar issue.
I have 2 stacked C3750-48TS-S switches running c3750-ipbasek9-mz.122-46.SE. I have 2 trunk ports, Fa1/0/1 and Fa2/0/1, configured towards different switches (to act as primary and secondary). I am not able to receive any dynamic MAC address from the router on Fa2/0/1 for any newly configured VLAN, while the old VLANs work fine. Any suggestions?