I don't know if this is possible for you to do or not, but have you
considered using static assignments for MAC<->Port mappings (e.g.
specify a mac address instead of sticky)?
I only use port security on an N7K at the moment, and we had to use
static mappings due to an outstanding bug related to the port
security mac-address sticky not propagating in the event of a sup
failover. After doing some reading it seems like it's a good idea to use
static assignments anyway, since I've seen a lot of reports of problems
similar to yours (generally, there seem to be a lot of bugs in the whole
L2 security suite on every platform).
Justin

Varaillon Jean Christophe wrote:
Hi,
We are using Cisco 3550, 3560 for access and 4500 for the core.
All the ports of the users are port-secure enabled (switchport port-security
mac-address sticky).
We have enough cases where their ports get in err-disable status due to a
wrong MAC address source.
That mac address source is always the same for all cases that is: the mac
address of the default gateway of the users (vlan interfaces on 4500).
This means that the users are sending packets where the MAC address *source*
is the one of their default router.
An up to date antivirus scanning on those PCs did not lead anywhere.
Has anybody seen this recently?
Thank you.
Christophe
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
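
An added example, not part of the original thread: one way to triage the symptom described above is to pull the offending MAC out of each port-security violation syslog line and separate the ports tripped by the gateway's own address from those tripped by any other source. The log lines, MAC addresses, port names and the `GATEWAY_MACS` inventory below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the Catalyst PSECURE_VIOLATION format.
# MAC addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar  1 09:12:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2b3c.4d5e on port FastEthernet0/12.
Mar  1 09:12:01: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/12, putting Fa0/12 in err-disable state
Mar  1 10:40:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.7212.9abc on port FastEthernet0/7.
Mar  2 08:03:44: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001a.2b3c.4d5e on port FastEthernet0/31.
"""

# Assumed inventory of the users' default-gateway MACs (the VLAN interfaces),
# written in colon notation to show why normalization is needed.
GATEWAY_MACS = {"00:1A:2B:3C:4D:5E"}

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address\s+(?P<mac>[0-9A-Fa-f.:\-]+)"
    r"\s+on port\s+(?P<port>\S+?)\.?\s*$"
)

def normalize_mac(mac):
    """Reduce dotted, colon or dash notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify_violations(log_text, gateway_macs):
    """Count violations per port, split by gateway-sourced vs. other MACs."""
    gateways = {normalize_mac(m) for m in gateway_macs}
    result = {"gateway": defaultdict(int), "other": defaultdict(int)}
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue  # not a violation line (e.g. the ERR_DISABLE follow-up)
        try:
            mac = normalize_mac(m.group("mac"))
        except ValueError:
            continue  # malformed address in the log line; skip it
        kind = "gateway" if mac in gateways else "other"
        result[kind][m.group("port")] += 1
    return {k: dict(v) for k, v in result.items()}

if __name__ == "__main__":
    for kind, ports in classify_violations(SAMPLE_LOG, GATEWAY_MACS).items():
        print(kind, ports)
```

Ports listed under `gateway` match the pattern reported in the thread; ports under `other` are ordinary violations and can be handled separately.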