TechnicalSquid
asked on
Cisco 3750x switchport port-security problems
We have a user who is unable to communicate when "switchport port-security" is turned on on his port. The port itself doesn't go into an error disabled state when port-security is turned on but, as soon as I do, the client stops responding. As soon as I turn it back off, the client is able to communicate again. I don't have to shut, no shut the port.
Whilst port-security is turned on, all I see in WireShark is the client trying to resolve the MAC address (arp) of the default gateway and getting no response.
I'm stumped, please help.
This is what I got when turning on port-security debugging:
202157: HPSECURE HRPC: sending req(HRPC_HPSECURE_CONFIG:blocking) size(12) to(2)
202158: Got responses for 4 request from switch: 2
error code : 0, handler code : 0
202159: hpsecure_addr_list_modify action(0) hwidb(Gi1/0/1) mac(1111.1111.1111) vlan(111) type(2) age(0)
202160: HPSECURE HRPC: sending req(HRPC_HPSECURE_ADDR:non-blocking) size(28) to(2)
202161: hpsecure_hrpc_event_list_process processed 28 bytes in 1 messages
Have you considered setting the command:
switchport port-security maximum <integer>
to something higher than the default value and testing? Also, as brandon suggests...
switchport port-security mac-address sticky
Don't forget if a port enters errdisable state you need to issue a "shut" then "no shut" to bring it back into an active state.
You can see if it's in errdisable state by:
show int <interface> status
You could also reset the interface: do a default int fa0/# or, if gigabit, g0/#
Then reapply port security no shut and vlan settings
Check port-security status and settings at the port with:
show port-security interface GigabitEthernet1/0/1
Post the result while no access is possible.
Most likely this machine has been moved from another port on the switch. Do "show port address" and either look through the list or pipe in the mac address of the machine. See if the switch already has it attached to a different port.
ASKER
Thanks for all the responses. I will have a chance to restart the device in question over Memorial Day weekend.
---
Brandon Mac:
The port grabs the MAC fine. It keeps not working if plugged into any other port on the same switch with port security. Resetting the port to default and configuring it over doesn't work.
Chris Jones:
The port never goes into an error disabled state. It grabs the single machine MAC successfully. Upping the maximum doesn't change the result: only single MAC registers.
Dirk Kotte:
SW#show port-security interface gi1/0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 1111.1111.1111:111
Security Violation Count : 0
Andy Bartkiewicz:
When port-security is disabled, there are no results for the MAC. When enabled, only a single port shows up with the MAC.
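The two checks asked for above (Dirk's "show port-security interface" and Andy's "is the MAC already on another port?") can be done against pasted switch output instead of by eye. The script below is an added example, not code from this thread or from Cisco: the port-security sample is the asker's own output quoted above, while the mac address-table lines are constructed to show the moved-machine case, and the finding texts are this example's wording.

```python
"""Parse 'show port-security interface' and 'show mac address-table' output
and flag what the thread is checking by hand: an errdisabled port, a full
secure-address table, dynamically learned (non-sticky) entries, and a MAC
the switch already holds on a different port."""

import re
from typing import Dict, List, Optional, Tuple

# The asker's 'show port-security interface gi1/0/1' output from this thread.
PORT_SECURITY_SAMPLE = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 1111.1111.1111:111
Security Violation Count : 0
"""

# Constructed 'show mac address-table address 1111.1111.1111' output (not from
# the thread): the MAC is held as a STATIC entry on a port other than Gi1/0/1.
MAC_TABLE_SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 111    1111.1111.1111    STATIC      Gi1/0/7
Total Mac Addresses for this criterion: 1
"""

MAC_TABLE_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def normalize_mac(mac: str) -> str:
    """Accept aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff, aa-bb-... or bare hex and
    return IOS dotted form, so a MAC copied from Wireshark matches switch output."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_port_security(text: str) -> Dict[str, str]:
    """'Key : Value' lines into a dict. 'Last Source Address:Vlan' has a colon
    inside the key, so split on the space-padded ' : ' only."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def secured_mac(fields: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """(mac, vlan) of the last secure source address; None if nothing learned
    yet (IOS then shows 0000.0000.0000:0)."""
    mac, _, vlan = fields.get("Last Source Address:Vlan", "").rpartition(":")
    if not mac or mac == "0000.0000.0000":
        return None
    return mac, int(vlan)


def assess(fields: Dict[str, str]) -> List[str]:
    """Human-readable findings derived from the counters alone."""
    status = fields.get("Port Status", "").lower()
    mode = fields.get("Violation Mode", "?")
    maximum = int(fields.get("Maximum MAC Addresses", 0))
    total = int(fields.get("Total MAC Addresses", 0))
    sticky = int(fields.get("Sticky MAC Addresses", 0))
    configured = int(fields.get("Configured MAC Addresses", 0))
    violations = int(fields.get("Security Violation Count", 0))
    findings: List[str] = []
    if status == "secure-shutdown":
        findings.append("port is errdisabled by port-security: needs 'shut' / 'no shut' "
                        "(or errdisable recovery) to come back")
    if 0 < maximum <= total:
        findings.append(f"secure table full ({total}/{maximum}): any further source MAC "
                        f"triggers violation mode '{mode}'")
    dynamic = total - sticky - configured  # learned, but not sticky or configured
    if dynamic > 0:
        findings.append(f"{dynamic} dynamically learned secure MAC(s): not in running-config, "
                        "so forgotten on link down unless sticky is enabled")
    if violations:
        findings.append(f"{violations} violation(s) recorded")
    elif status == "secure-up":
        findings.append("no violations and port Secure-up: port-security has not acted on this port")
    return findings


def mac_table_ports(text: str, mac: str) -> List[Tuple[int, str, str]]:
    """(vlan, type, port) rows of a mac address-table dump that carry `mac`."""
    want = normalize_mac(mac)
    rows = []
    for line in text.splitlines():
        m = MAC_TABLE_ROW.match(line)
        if m and m.group(2).lower() == want:
            rows.append((int(m.group(1)), m.group(3), m.group(4)))
    return rows


def mac_elsewhere(text: str, mac: str, expected_port: str) -> List[str]:
    """Ports other than `expected_port` on which the switch already holds `mac`."""
    return [port for _, _, port in mac_table_ports(text, mac)
            if port.lower() != expected_port.lower()]


if __name__ == "__main__":
    fields = parse_port_security(PORT_SECURITY_SAMPLE)
    for finding in assess(fields):
        print("-", finding)
    mac, vlan = secured_mac(fields)
    print(f"{mac} (vlan {vlan}) also on:", mac_elsewhere(MAC_TABLE_SAMPLE, mac, "Gi1/0/1"))
```

Paste the real `show mac address-table address <mac>` output in place of the constructed sample; a non-empty result from `mac_elsewhere` is the case Andy describes, and `assess` tells you whether the port has actually errdisabled or simply has its one-entry table filled.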
Is the machine a laptop or desktop? Have you put another device on the same port, and does it do something different? I'm trying to rule out a faulty port on your switch.
I had experienced an issue with virtual machines running on real machines and port-security causing a violation, hence my suggestion. I'm assuming that this isn't happening as it doesn't hit errdisable.
I've found these bugs regarding the 3750 and HRPC:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCse88619
https://www.manualslib.com/manual/687528/Cisco-Catalyst-3750-X.html?page=61
I'm not sure if this is leading any closer to a solution, but wanted to show my findings thus far.
Are you receiving any messages to the console (such as "HPSECURE-6-ADDR_REMOVED") ?
Also, have you checked your duplex and speed settings on the port? Are you running anything else on the port?
spanning-tree portfast
spanning-tree bpduguard
??
ASKER
interface GigabitEthernet1/0/1
description some user
switchport access vlan 111
switchport mode access
switchport port-security
Nothing fancy going on that would explain this behavior.
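The interface above runs port-security with every default (maximum 1, violation shutdown, no sticky), which is what the earlier suggestions about raising the maximum and enabling sticky were aimed at. The script below is an added example, not code from this thread or from Cisco: it takes the asker's interface block as input and works out which commands still have to be added to reach a hardened profile. The target values (maximum 2, violation restrict, sticky, errdisable recovery for psecure-violation every 300 s) are this example's choices, not something the thread settled on; the commands themselves are standard IOS port-security and errdisable syntax.

```python
"""Given an IOS interface block, compute the port-security commands still
missing for a chosen profile, and flag existing lines the profile would
override. Input is the asker's interface from the thread; target values are
this example's own choices."""

from typing import List, Tuple

# The asker's interface, copied from the thread.
CURRENT_CONFIG = """\
interface GigabitEthernet1/0/1
 description some user
 switchport access vlan 111
 switchport mode access
 switchport port-security
"""

VIOLATION_MODES = ("protect", "restrict", "shutdown")

# Global (not interface) commands: let an errdisabled port recover on its own
# instead of waiting for a manual 'shut' / 'no shut'. Interval is an assumption.
GLOBAL_RECOVERY = [
    "errdisable recovery cause psecure-violation",
    "errdisable recovery interval 300",
]


def hardened_port_security(maximum: int = 2, violation: str = "restrict") -> List[str]:
    """Interface-level lines for the chosen profile. 'restrict' drops frames
    from extra MACs and counts them, but does not errdisable the port; 'shutdown'
    (the default) does, which is the state the thread tells you to check for."""
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation must be one of {VIOLATION_MODES}, got {violation!r}")
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    return [
        "switchport port-security",
        f"switchport port-security maximum {maximum}",
        f"switchport port-security violation {violation}",
        "switchport port-security mac-address sticky",
    ]


def parse_interface(config: str) -> Tuple[str, List[str]]:
    """Split an interface block into its 'interface X' header and body lines."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("expected an interface block")
    return lines[0], lines[1:]


def missing_commands(config: str, maximum: int = 2,
                     violation: str = "restrict") -> Tuple[List[str], List[str]]:
    """(to_add, conflicts): commands absent from the block, and existing
    port-security lines that set a different value for the same knob."""
    _, body = parse_interface(config)
    wanted = hardened_port_security(maximum, violation)
    present = set(body)
    to_add = [cmd for cmd in wanted if cmd not in present]
    knobs = ("switchport port-security maximum", "switchport port-security violation")
    conflicts = [line for line in body if line.startswith(knobs) and line not in wanted]
    return to_add, conflicts


def render_change(config: str, maximum: int = 2, violation: str = "restrict") -> List[str]:
    """Full CLI session to paste: global recovery, then only the missing
    interface lines (IOS replaces a knob's value when re-entered)."""
    name, _ = parse_interface(config)
    to_add, _ = missing_commands(config, maximum, violation)
    return (["configure terminal"] + GLOBAL_RECOVERY + [name]
            + [" " + cmd for cmd in to_add] + ["end"])


if __name__ == "__main__":
    print("\n".join(render_change(CURRENT_CONFIG)))
```

Two caveats when applying it: `switchport port-security mac-address sticky` converts addresses already learned on the port into sticky entries, which then sit in running-config until you `write`; and `errdisable recovery` is global, so it re-enables every port that was errdisabled for that cause, not just this one.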