I've got a Cisco Catalyst 6500 running IOS 12.2(33)SXH4, the latest supported
by its supervisor card. We're using port-security for at least four reasons: to
allow floating devices, to avoid the delay imposed by 802.1X MAB timeout, to
avoid blocking clients who happen to have 802.1X configured badly, and to fail
open-for-last-seen-MAC-address if the PF server is down. We have a bunch of
mostly Catalyst 3750 switches working just fine.
Clients recently (at least, I think it's only recently) started losing
connectivity because the switch is seeing and reporting phantom MAC addresses.
We get flapping between the real client MAC address and the phantom, then VALID
REGISTERED devices get stuck forever in the registration VLAN with log entries
including:
Jul 25 09:09:09 pfsetvlan(4) INFO: secureMacAddrViolation trap received on
10.2.64.40 ifIndex 75 for 00:00:01:1a:00:00 (main::handleTrap)
Jul 25 09:09:09 pfsetvlan(4) INFO: Will try to check on this node's previous
switch if secured entry needs to be removed. Old Switch IP: 10.2.64.40
(main::do_port_security)
Jul 25 09:09:10 pfsetvlan(4) INFO: authorizing 00:00:01:1a:00:00 (old entry
40:6c:8f:2c:d3:6e) at new location 10.2.64.40 ifIndex 75 (main::handleTrap)
Jul 25 09:09:13 pfsetvlan(6) INFO: secureMacAddrViolation trap received on
10.2.64.40 ifIndex 75 for 40:6c:8f:2c:d3:6e (main::handleTrap)
Jul 25 09:09:14 pfsetvlan(6) INFO: authorizing 40:6c:8f:2c:d3:6e (old entry
00:00:01:1a:00:00) at new location 10.2.64.40 ifIndex 75 (main::handleTrap)
Jul 25 09:48:28 pfsetvlan(10) INFO: secureMacAddrViolation trap received on
10.2.64.40 ifIndex 90 for 00:00:01:29:00:00 (main::handleTrap)
Jul 25 09:48:28 pfsetvlan(10) INFO: authorizing 00:00:01:29:00:00 (old entry
bc:5f:f4:73:06:54) at new location 10.2.64.40 ifIndex 90 (main::handleTrap)
Jul 25 09:48:28 pfsetvlan(10) INFO: MAC: 00:00:01:29:00:00 is of status unreg;
belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Jul 25 09:50:56 pfsetvlan(12) INFO: secureMacAddrViolation trap received on
10.2.64.40 ifIndex 90 for 00:00:01:29:00:00 (main::handleTrap)
Jul 25 09:50:56 pfsetvlan(12) INFO: Will try to check on this node's previous
switch if secured entry needs to be removed. Old Switch IP: 10.2.64.40
(main::do_port_security)
Jul 25 09:50:56 pfsetvlan(12) INFO: MAC: 00:00:01:29:00:00 is of status unreg;
belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Jul 25 09:50:56 pfsetvlan(12) INFO: authorizing 00:00:01:29:00:00 (old entry
bc:5f:f4:73:06:54) at new location 10.2.64.40 ifIndex 90 (main::handleTrap)
Jul 25 09:51:00 pfsetvlan(14) INFO: secureMacAddrViolation trap received on
10.2.64.40 ifIndex 90 for bc:5f:f4:73:06:54 (main::handleTrap)
Jul 25 09:51:00 pfsetvlan(14) INFO: authorizing bc:5f:f4:73:06:54 (old entry
00:00:01:29:00:00) at new location 10.2.64.40 ifIndex 90 (main::handleTrap)
Jul 25 09:51:00 pfsetvlan(14) INFO: MAC: bc:5f:f4:73:06:54, PID: ****, Status:
reg. Returned VLAN: 226 (pf::vlan::fetchVlanForNode)
Jul 25 09:52:54 redir.cgi(0) INFO: bc:5f:f4:73:06:54 being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Jul 25 09:52:54 redir.cgi(0) INFO: Updating node bc:5f:f4:73:06:54 user_agent
with useragent: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64;
Trident/6.0)' (pf::web::web_node_record_user_agent)
To sum up, ifIndex 75 has real MAC address 40:6c:8f:2c:d3:6e and phantom
00:00:01:1a:00:00. ifIndex 90 has real MAC address bc:5f:f4:73:06:54 and
phantom 00:00:01:29:00:00. Interestingly, hex 0x11a - 0x129 = decimal 15, same
as the ifIndex offset. This is also true for other ports in this state.
I am inclined to hack at the PF3 code (I'll look at PF4 soon) to ignore
port-security traps for the bogus MAC addresses 0000.****.0000, but can anyone
explain this behavior?
Here's my switch config and the port security events as logged on the switch.
interface GigabitEthernet5/27
switchport
switchport access vlan 965 (registration vlan)
switchport mode access
switchport port-security
switchport port-security violation restrict
# This version of IOS does not include port-security mac address in "show runn", but the feature does work
no snmp trap link-status
power inline never
flowcontrol receive on
spanning-tree portfast
spanning-tree bpduguard enable
!
Jul 25 15:16:45: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0000.00c8.0000 on port GigabitEthernet4/9.
(c8 = 200)
Jul 25 15:44:53: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0000.00cf.0000 on port GigabitEthernet4/16.
(cf = 207)
Jul 25 17:58:45: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0000.00d3.0000 on port GigabitEthernet4/20.
(d3 = 211)
Jul 25 15:36:59: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0000.011a.0000 on port GigabitEthernet5/27.
(11a = 282)
Jul 25 19:58:27: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address 0000.0129.0000 on port GigabitEthernet5/42.
(129 = 297)
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
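As an added example (not code from the post or from PacketFence), a small Python script that parses the pfsetvlan trap lines quoted above, separates real MACs from 0000.XXXX.0000 phantoms per switch/ifIndex, and checks whether "phantom value minus ifIndex" is one constant offset across ports, which is the pattern the post observes; the log text is copied from the post, and the phantom shape is assumed to be exactly 00:00:XX:XX:00:00.

```python
import re
from collections import defaultdict

# Trap lines copied from the post above (two ports, one phantom and one real MAC each).
SAMPLE_LOG = """\
Jul 25 09:09:09 pfsetvlan(4) INFO: secureMacAddrViolation trap received on 10.2.64.40 ifIndex 75 for 00:00:01:1a:00:00 (main::handleTrap)
Jul 25 09:09:13 pfsetvlan(6) INFO: secureMacAddrViolation trap received on 10.2.64.40 ifIndex 75 for 40:6c:8f:2c:d3:6e (main::handleTrap)
Jul 25 09:48:28 pfsetvlan(10) INFO: secureMacAddrViolation trap received on 10.2.64.40 ifIndex 90 for 00:00:01:29:00:00 (main::handleTrap)
Jul 25 09:51:00 pfsetvlan(14) INFO: secureMacAddrViolation trap received on 10.2.64.40 ifIndex 90 for bc:5f:f4:73:06:54 (main::handleTrap)
"""

TRAP_RE = re.compile(
    r"secureMacAddrViolation trap received on (?P<switch>\S+) "
    r"ifIndex (?P<ifindex>\d+) for (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)
# Assumed phantom shape from the post: 00:00:XX:XX:00:00 (0000.XXXX.0000 in IOS notation).
PHANTOM_RE = re.compile(r"^00:00:([0-9a-f]{2}):([0-9a-f]{2}):00:00$")


def phantom_value(mac):
    """Return the 16-bit middle value of a 00:00:XX:XX:00:00 address, else None."""
    m = PHANTOM_RE.match(mac.lower())
    return int(m.group(1) + m.group(2), 16) if m else None


def parse_traps(text):
    """Yield (switch, ifIndex, mac) for every secureMacAddrViolation trap line."""
    for line in text.splitlines():
        m = TRAP_RE.search(line)
        if m:
            yield m.group("switch"), int(m.group("ifindex")), m.group("mac").lower()


def analyse(text):
    """Group traps per (switch, ifIndex) into real vs phantom MACs and record
    phantom_value - ifIndex, the offset the post noticed is the same on every port."""
    ports = defaultdict(lambda: {"real": set(), "phantom": set(), "offsets": set()})
    for switch, ifindex, mac in parse_traps(text):
        entry = ports[(switch, ifindex)]
        val = phantom_value(mac)
        if val is None:
            entry["real"].add(mac)
        else:
            entry["phantom"].add(mac)
            entry["offsets"].add(val - ifindex)
    return dict(ports)


def consistent_offset(ports):
    """Return the single offset shared by all phantoms, or None if they disagree.
    Only a shared offset supports treating them as a switch artefact; a mismatch
    means the 'phantom' may be a genuinely unknown host and must be looked at."""
    offsets = set().union(*(e["offsets"] for e in ports.values()))
    return offsets.pop() if len(offsets) == 1 else None
```

On the post's data both ports yield an offset of 207 (0x11a = 282 on ifIndex 75, 0x129 = 297 on ifIndex 90), which is what makes a narrow "ignore 0000.XXXX.0000 where XXXX - ifIndex == 207" rule defensible instead of a blanket ignore of the whole pattern.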
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users