Cisco Support Community
New Member

switchport port-security not working on 3750 switch stack

Hi,

I have a 3750 switch stack consisting of five members. I have configured port-security, but the switch does not prevent PCs from using the network on some of the stack members, although port-security is configured. The switch logs the violation, but does not throw away the packets!

Anyone a clue?

This is the typical port-security definition:

interface FastEthernet1/0/44
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: switchport port-security not working on 3750 switch stack

I contacted TAC regarding this. Here is the reply.

There is a bug for the situation; the fix will be an IOS upgrade to the version 12.2(25)-SEE2.

You would be able to see the information regarding the bug on the following link.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsc08321

Furthermore, you will be able to download the IOS image on the following link.

http://tools.cisco.com/support/downloads/go/Images.x?relVer=12.2.25-SEE2&md?fid=278546113&sftType=IOS&optPlat=null&nodecount=4&edesignator=ED

8 REPLIES

Re: switchport port-security not working on 3750 switch stack

Hello,

I do not have the equipment here to test, but I think that the problem is that sticky MAC addresses are not downloaded by other member switches, only dynamic ones are. Try and remove the 'switchport port-security mac-address sticky' command from the interface, and configure a static MAC address (switchport port-security mac-address 0010.0200.0304 vlan X), and see if it makes a difference.

Regards,

GNT

New Member

Re: switchport port-security not working on 3750 switch stack

I have 5 x 48 = 240 ethernet ports with a moderate change rate (i.e. new machines replacing others). I cannot afford to manually configure every MAC address :(

We use the sticky statement to keep the MAC addresses on the switchport after the port changes from down to up (or else someone could unplug a machine, and attach his own: no security there).

But if it is true that sticky MAC addresses are not downloaded to other stack members, then I consider that a serious bug in the IOS software. port-security should work over the whole stack, not just per member.

New Member

Re: switchport port-security not working on 3750 switch stack

Hi Martin,

I have had two 3750s in a stack for a while for testing, so I could repeat your configuration.

I have IOS 12.2(25)SEB1, and port security works correctly with it.

Tomas

New Member

Re: switchport port-security not working on 3750 switch stack

Did you ever resolve this? I have the same issue on a 3560 switch. Violation restrict keeps on passing data for a device even though syslog messages are generated indicating a violation.

New Member

Re: switchport port-security not working on 3750 switch stack

I am in the process of upgrading to the latest IOS and will then test again. I'll post the results here.

New Member

Re: switchport port-security not working on 3750 switch stack

Hi Martin,

As well as restrict, I use the following to restrict traffic during a violation. Not sure if this is what you're after. Hope it helps.

switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity

New Member

Re: switchport port-security not working on 3750 switch stack

I have upgraded my 3750's to 12.2(25)-SEE2.

Problem seems solved.

What bugs me is that I did not find anything about this particular bug in the release notes for the 12.2(25)-SEx series. Why not mention it there?!
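Before blaming the IOS release, it is worth confirming that every access port on every stack member really carries the port-security lines from the first post. The script below is an added example, not part of the original thread: it parses a saved running-config and lists, per stack member, access ports where port security is not enabled or not sticky. The function names and the sample config are constructed for illustration, and it checks configuration only, not whether the switch actually drops violating frames.

```python
import re

# Constructed sample, modelled on the interface definition posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/44
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
interface FastEthernet2/0/1
 switchport mode access
 switchport port-security violation restrict
interface FastEthernet3/0/7
 switchport mode access
 switchport port-security
interface GigabitEthernet1/0/1
 switchport mode trunk
"""

IFACE = re.compile(r"^interface (\S+?(\d+)/\d+/\d+)$")  # <type><member>/<module>/<port>

def audit(config):
    """Map interface name -> port-security settings parsed from a running-config."""
    ports, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            m, cur = IFACE.match(line), None
            if m:  # the IOS default violation mode is shutdown
                cur = ports[m.group(1)] = {"member": int(m.group(2)), "access": False,
                                           "enabled": False, "violation": "shutdown", "sticky": False}
        elif cur is not None:
            if line == "switchport mode access":
                cur["access"] = True
            elif line == "switchport port-security":
                cur["enabled"] = True  # sub-commands alone do not enable the feature
            elif line == "switchport port-security mac-address sticky":
                cur["sticky"] = True
            elif line.startswith("switchport port-security violation "):
                cur["violation"] = line.split()[-1]
    return ports

def gaps(config):
    """Group access ports by stack member where port security is off or not sticky."""
    out = {}
    for name, p in audit(config).items():
        if p["access"] and not (p["enabled"] and p["sticky"]):
            why = "no sticky learning" if p["enabled"] else "port-security not enabled"
            out.setdefault(p["member"], []).append((name, why))
    return out
```
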
