Hi, I have the following very simple setup: http://s30.postimg.org/d0t320dsh/port_sec.png

As seen above, a PC with two NICs is connected to a Cisco Catalyst WS-C4506 switch and both NICs on the PC have the same MAC address 00:00:00:00:00:11. Switch port configuration is identical:

interface GigabitEthernet6/41
 switchport access vlan 881
 switchport mode access
 switchport port-security maximum 100
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end

interface GigabitEthernet6/42
 switchport access vlan 881
 switchport mode access
 switchport port-security maximum 100
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end

As seen above, port-security on the switch ports is enabled. If I send a unicast frame from PC port eth0 to switch port Gi6/42, then the switch will learn the MAC address in its MAC address table and the "Total MAC Addresses" counter in the "sh port-security interface Gi6/42" output will increase from 0 to 1. Now when I send a unicast frame from PC port eth1 to switch port Gi6/41, then the switch will not learn the MAC address and the "Total MAC Addresses" counter in the "sh port-security interface Gi6/41" output will stay 0. In addition, the "Last Source Address:Vlan" field stays "0000.0000.0000:0". IMHO this is all expected behavior and this is how port-security with the configuration above should work.

However, on a live switch with the very same configuration and HW/SW (WS-X4515 SUP with cat4500-ipbasek9-mz.122-54.SG.bin) as the lab one, I saw a behavior where a duplicate MAC address on two ports with the same port-security configuration as above caused a port-security violation:

Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs 100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs 3072
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found duplicate mac-address 0000.5e00.0103, It is already secured on Gi4/7
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Security violation occurred, bring down the interface
Oct 30 11:33:06.458 UTC: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa5/2, putting Fa5/2 in err-disable state

As I understand this "debug port-security" log, port-security on Gi4/7 learned the MAC address 0000.5e00.0103 and then the same MAC address appeared on port Fa5/2, and port-security on Fa5/2 put the port Fa5/2 into the error-disabled state. Under which conditions does port-security consider a MAC flap a security violation? I wasn't able to replicate this behavior in the lab.

thanks,
Martin

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
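Added example, not part of Martin's post: a small Python parser that correlates the four "debug port-security" lines above into one structured violation event (MAC, VLAN, the port that already held the address, the port that was err-disabled, and the address counters), the kind of record you would hand to alerting on err-disable events. The sample lines are copied from the log in the post; the regular expressions and field names are my own assumptions about the format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input, copied from the debug output quoted in the post.
SAMPLE_LOG = """\
Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs 100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs 3072
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found duplicate mac-address 0000.5e00.0103, It is already secured on Gi4/7
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Security violation occurred, bring down the interface
Oct 30 11:33:06.458 UTC: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa5/2, putting Fa5/2 in err-disable state
"""

@dataclass
class PsecureViolation:
    timestamp: str
    mac: str
    vlan: int
    secured_on: Optional[str]    # port that already holds the MAC
    errdisabled: Optional[str]   # port that was shut down
    total_addrs: int             # switch-wide secured address count
    max_total_addrs: int         # switch-wide limit

# Assumed timestamp shape: "Oct 30 11:33:06.458 UTC: "
TS = r"^(?P<ts>\w{3} +\d+ [\d:.]+ \w+): "
RE_DETECT = re.compile(TS + r"PSECURE: Violation/duplicate detected upon receiving "
                       r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on vlan (?P<vlan>\d+):"
                       r".* total_addrs (?P<total>\d+): max_total_addrs (?P<max>\d+)")
RE_DUP = re.compile(r"Found duplicate mac-address (?P<mac>\S+), It is already secured on (?P<port>\S+)")
RE_ERRDIS = re.compile(TS + r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")

def parse_psecure_log(text: str) -> List[PsecureViolation]:
    """Fold the multi-line PSECURE debug output into one event per violation."""
    events: List[PsecureViolation] = []
    current: Optional[PsecureViolation] = None
    for line in text.splitlines():
        m = RE_DETECT.match(line)
        if m:  # first line of a violation opens a new event
            current = PsecureViolation(m["ts"], m["mac"], int(m["vlan"]), None, None,
                                       int(m["total"]), int(m["max"]))
            events.append(current)
            continue
        m = RE_DUP.search(line)
        if m and current and m["mac"] == current.mac:
            current.secured_on = m["port"]
            continue
        m = RE_ERRDIS.match(line)
        if m and current:  # ERR_DISABLE closes the event
            current.errdisabled = m["port"]
            current = None
    return events

def describe(e: PsecureViolation) -> str:
    """One-line alert text for a correlated violation."""
    return (f"{e.timestamp}: MAC {e.mac} vlan {e.vlan} already secured on {e.secured_on}; "
            f"{e.errdisabled} err-disabled ({e.total_addrs}/{e.max_total_addrs} secured)")
```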
