5 Replies Latest reply on Mar 8, 2013 6:01 AM by lanceallison21

    Port-Security - Mac Limit 1

    lanceallison21 New Member

      Hello,

      Trying to limit the number of mac-addresses a single switchport can have to only 1. I'd like the NV to "learn and lock" the mac address until it's removed by the administrator.

      This was configured almost 2 weeks ago and today we had an outage for all users not being able to join the network; we removed the port-security and sticky mac config lines and users started to show up in the arp table under their switchports. I've been reading "Configuring Port Access Control in AOS". Am I missing something here?

       

      interface switchport 0/1
        description 601
        spanning-tree edgeport
        no shutdown
        switchport access vlan xxx
        switchport port-security
        switchport port-security mac-address sticky
        switchport port-security mac-address sticky 20:c9:d0:12:5e:b5 vlan xxx
        switchport protected
      !
      interface switchport 0/2
        description 602
        spanning-tree edgeport
        shutdown
        switchport access vlan xxx
        switchport port-security
        switchport port-security mac-address sticky
        switchport protected
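A small audit script for the posture described in this post (one sticky MAC per port, learned and then locked), added here as an example; it is not code from the thread or from Adtran. It parses `interface switchport` blocks in the running-config style shown above and reports, per port, whether port-security and sticky learning are on, which MACs are already locked, and whether an explicit `switchport port-security maximum N` line is present. The `maximum` keyword is taken from the CLI help output quoted later in the thread; the script does not assume what the firmware default for it is and simply flags its absence. The sample config is the one posted above, with the VLAN placeholder kept.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the two interface blocks posted in the thread, VLAN
# placeholder "xxx" kept as-is. Indentation and the "!" block terminator follow
# the AOS running-config style shown in the post.
SAMPLE_CONFIG = """\
interface switchport 0/1
  description 601
  spanning-tree edgeport
  no shutdown
  switchport access vlan xxx
  switchport port-security
  switchport port-security mac-address sticky
  switchport port-security mac-address sticky 20:c9:d0:12:5e:b5 vlan xxx
  switchport protected
!
interface switchport 0/2
  description 602
  spanning-tree edgeport
  shutdown
  switchport access vlan xxx
  switchport port-security
  switchport port-security mac-address sticky
  switchport protected
!
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


@dataclass
class PortSecurity:
    """Port-security related settings collected from one switchport block."""
    name: str
    admin_up: bool = True
    port_security: bool = False
    sticky: bool = False
    sticky_macs: List[str] = field(default_factory=list)
    maximum: Optional[int] = None  # None: no explicit 'maximum' line in config


def parse_config(text: str) -> Dict[str, PortSecurity]:
    """Walk the config line by line; '!' closes the current interface block."""
    ports: Dict[str, PortSecurity] = {}
    current: Optional[PortSecurity] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        if line.startswith("interface switchport "):
            current = PortSecurity(name=line.split()[-1])
            ports[current.name] = current
            continue
        if current is None:
            continue  # global config outside any switchport block
        if line == "shutdown":
            current.admin_up = False
        elif line == "no shutdown":
            current.admin_up = True
        elif line == "switchport port-security":
            current.port_security = True
        elif line == "switchport port-security mac-address sticky":
            current.sticky = True
        elif line.startswith("switchport port-security mac-address sticky "):
            m = MAC_RE.search(line)
            if m:
                current.sticky_macs.append(m.group(1).lower())
        elif line.startswith("switchport port-security maximum "):
            current.maximum = int(line.split()[-1])
    return ports


def audit(ports: Dict[str, PortSecurity], intended_max: int = 1) -> Dict[str, List[str]]:
    """Return, per port, the deviations from a 'learn one MAC and lock it' policy."""
    findings: Dict[str, List[str]] = {}
    for name, p in sorted(ports.items()):
        notes: List[str] = []
        if not p.port_security:
            notes.append("port-security disabled")
        else:
            if not p.sticky:
                notes.append("sticky learning off: learned MACs will not be kept in config")
            if not p.sticky_macs:
                notes.append("no MAC locked yet" + ("" if p.admin_up else " (port admin down)"))
            elif len(p.sticky_macs) > intended_max:
                notes.append(f"{len(p.sticky_macs)} locked MACs exceeds intended {intended_max}")
            if p.maximum is None:
                notes.append("no explicit maximum configured (relies on firmware default)")
            elif p.maximum != intended_max:
                notes.append(f"maximum {p.maximum} differs from intended {intended_max}")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for port, notes in audit(parse_config(SAMPLE_CONFIG)).items():
        print(f"swx {port}: " + ("; ".join(notes) if notes else "ok"))
```

Run against a full `show running-config` dump, the report shows at a glance which ports are still open to learn their first MAC (a sticky port with no locked address) and which ones rely on an unstated default for the address limit, which is the kind of thing to check before and after a firmware change.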

        • Re: Port-Security - Mac Limit 1
          Employee

          lanceallison21 - Thanks for posting your question on the forum!

          Your configuration appears to be correct from what I've seen. Were you able to get any debug from when the outage was occurring? Specifically, it would have been good to see the output of debug port-security. Did you happen to notice if any violations had occurred at the time? If there were any at the time, you could issue the show port-security interface <slot/port> address command to view which MAC addresses were being seen as secure for that particular port. Could you respond to this post with the firmware your device is running as well?

          Please do not hesitate to let us know if you have any questions.

          Thanks,

          Noor

            • Re: Port-Security - Mac Limit 1
              lanceallison21 New Member

              No debugs were run at the time; we removed the config lines from all switches but one. If it happens again I will run a show port-security interface <slot/port> address and debug port-security.

              ADTRAN, Inc. OS version 18.01.04.00
                Mainline Version: M04
                Checksum: 39AF96BF
                Built on: Mon Oct 10 16:11:16 2011
                Upgrade key: deebb432cdddfea8f91b0f856adc210c
              Boot ROM version 17.03.02.SB
                Checksum: D951
                Built on: Thu Oct 29 07:14:38 2009
              Copyright (c) 1999-2011, ADTRAN, Inc.
              Platform: NetVanta 1234, part number 1700594G1
              Serial number LBADTN1032AF547
              Flash: 8388608 bytes  DRAM: 67108863 bytes

              E300-6th Floor uptime is 26 weeks, 4 days, 5 hours, 36 minutes, 29 seconds

              System returned to ROM by Other
              Current system image file is "NV123XA-18-01-04-00.biz"
              Boot system image file is "NV123XA-18-01-04-00.biz"
              Primary system configuration file is "startup-config"

                • Re: Port-Security - Mac Limit 1
                  Employee

                  lanceallison21 - Based on your firmware version and the symptoms you experienced, it appears you may have run into one of the following port-security issues:

                  • If the command no switchport port-security mac-address sticky was issued on an interface, the interface would no longer allow communication until the command no port-security was issued on that interface.

                  • Clearing a sticky MAC address from an interface with the no switchport port-security mac-address sticky command erased sticky MAC addresses from all interfaces.

                  I would suggest calling Adtran Technical Support and having them send you the correct firmware for your product which contains the fix. Feel free to reference this thread when talking to the Adtran Support Engineer regarding this. You can contact Technical Support in the following ways:

                  - Open a webticket by clicking on this link: Create a Service Request
                  - Open a ticket by emailing support@adtran.com
                  - Open a ticket by phone by calling 1-888-423-8726

                  Please do not hesitate to let us know if you have any further questions.

                  Thanks,

                  Noor

                    • Re: Port-Security - Mac Limit 1
                      lanceallison21 New Member

                      I'm in the process of updating all x7 NV1234's at a location with the new firmware ADTRAN, Inc. OS version 18.01.05.00 (*** 1st Gen FW not on adtran.com yet)

                      In reading the docs more closely, "Configuring Port Security in AOS" talked about the 3 actions a violation would trigger (protect, restrict, and shutdown). The behavior that I think was happening was similar to "violation protect", because the switch would stop learning new mac addresses on the "affected" switch, but it would also propagate to other switches and prevent traffic on ALL ports.

                      I'm hoping that the new FW package will behave more like port-security violation "shutdown". Bad thing about the 1st gen: you can't specify the action you wish the switch should take. (no violation rules)

                       

                      (config-swx 0/1)#switchport port-security ?
                      <cr>
                      aging                  - Configure secure MAC address aging parameters
                      expire                 - Configure port expiration parameters
                      mac-address            - Add a secure MAC address associated with this port
                      maximum                - Configure the maximum number of secure addresses

                        • Re: Port-Security - Mac Limit 1
                          lanceallison21 New Member

                          UPDATE:

                          Yesterday we had a port-security violation that was isolated and contained to that switchport. Customer removed old router and installed new router. Before OS version 18.01.05.00, this event would have caused the entire switch and other switches to stop learning mac addresses. We use a Meraki MX60 and previously would see 60+ devices all sharing the last time seen (i.e. 53 minutes ago).

                          Today, after no switchport port-security and no sticky mac, and inserting those lines back in, the new mac became sticky and the client came up. And checking the Meraki all 60+ devices

                          The only event logs related are below; all other logs were my logins.

                          2013.03.06 13:13:43 ETHERNET_INTERFACE.swx 0/4 link down
                          2013.03.06 13:13:44 INTERFACE_STATUS.swx 0/4 changed state to down
                          2013.03.06 13:14:25 ETHERNET_INTERFACE.swx 0/4 link up
                          2013.03.06 13:14:26 INTERFACE_STATUS.swx 0/4 changed state to up
                          2013.03.06 18:47:00 ETHERNET_INTERFACE.swx 0/4 link down
                          2013.03.06 18:47:01 INTERFACE_STATUS.swx 0/4 changed state to down
                          2013.03.06 18:47:09 ETHERNET_INTERFACE.swx 0/4 link up
                          2013.03.06 18:47:10 INTERFACE_STATUS.swx 0/4 changed state to up
                          2013.03.06 19:05:15 ETHERNET_INTERFACE.swx 0/4 link down
                          2013.03.06 19:05:16 INTERFACE_STATUS.swx 0/4 changed state to down
                          2013.03.06 19:05:30 ETHERNET_INTERFACE.swx 0/4 link up
                          2013.03.06 19:05:31 INTERFACE_STATUS.swx 0/4 changed state to up
                          2013.03.06 19:09:51 ETHERNET_INTERFACE.swx 0/4 link down
                          2013.03.06 19:09:51 INTERFACE_STATUS.swx 0/4 changed state to down
                          2013.03.06 19:10:10 ETHERNET_INTERFACE.swx 0/4 link up
                          2013.03.06 19:10:11 INTERFACE_STATUS.swx 0/4 changed state to up
                          2013.03.06 19:40:53 ETHERNET_INTERFACE.swx 0/4 link down
                          2013.03.06 19:40:53 INTERFACE_STATUS.swx 0/4 changed state to down
                          2013.03.06 19:41:11 ETHERNET_INTERFACE.swx 0/4 link up
                          2013.03.06 19:41:12 INTERFACE_STATUS.swx 0/4 changed state to up
                          2013.03.06 20:14:40 ETHERNET_INTERFACE.swx 0/4 link down
                          2013.03.06 20:14:41 INTERFACE_STATUS.swx 0/4 changed state to down
                          2013.03.06 20:14:45 ETHERNET_INTERFACE.swx 0/4 link up
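The event log above is the only trace the switch left of the router swap, so a quick way to turn those lines into something reviewable is useful when deciding whether a port-security event stayed on one port (as it did here) or spread across the switch. The following script is an added example, not code from the thread or from Adtran: it parses the `ETHERNET_INTERFACE.swx <port> link up|down` lines in the format quoted above, ignores the paired `INTERFACE_STATUS` lines so each transition is counted once, measures how long each port stayed down, and flags ports with repeated link drops inside a sliding window. The swx 0/4 lines are the ones posted above; the swx 0/7 pair, the 60-minute window and the threshold of 3 are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: the ETHERNET_INTERFACE lines quoted in the thread for
# swx 0/4, two of the paired INTERFACE_STATUS lines (which the parser ignores
# so that each transition is counted once), and one made-up pair for swx 0/7.
SAMPLE_LOG = """\
2013.03.06 13:13:43 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 13:13:44 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 13:14:25 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 13:14:26 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 15:02:10 ETHERNET_INTERFACE.swx 0/7 link down
2013.03.06 15:02:40 ETHERNET_INTERFACE.swx 0/7 link up
2013.03.06 18:47:00 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 18:47:09 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:05:15 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:05:30 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:09:51 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:10:10 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:40:53 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:41:11 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 20:14:40 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 20:14:45 ETHERNET_INTERFACE.swx 0/4 link up
"""

# Matches only the physical link events; INTERFACE_STATUS duplicates are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"ETHERNET_INTERFACE\.swx (?P<port>\d+/\d+) link (?P<state>up|down)$"
)

Event = Tuple[datetime, str, str]  # (timestamp, port, "up" | "down")


def parse_events(lines) -> List[Event]:
    """Extract (timestamp, port, state) from matching log lines, oldest first."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y.%m.%d %H:%M:%S")
            events.append((ts, m.group("port"), m.group("state")))
    return sorted(events)  # tuples sort by timestamp first


def flap_counts(events: List[Event], window_minutes: int = 60) -> Dict[str, int]:
    """Largest number of link-down events on each port inside any sliding window."""
    downs: Dict[str, List[datetime]] = defaultdict(list)
    for ts, port, state in events:
        if state == "down":
            downs[port].append(ts)
    window = timedelta(minutes=window_minutes)
    result: Dict[str, int] = {}
    for port, times in downs.items():
        best = 0
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        result[port] = best
    return result


def down_durations(events: List[Event]) -> Dict[str, List[int]]:
    """Seconds each port stayed down, pairing every 'down' with the next 'up'."""
    pending: Dict[str, datetime] = {}
    durations: Dict[str, List[int]] = defaultdict(list)
    for ts, port, state in events:
        if state == "down":
            pending[port] = ts
        elif port in pending:
            durations[port].append(int((ts - pending.pop(port)).total_seconds()))
    return dict(durations)


def flapping_ports(events: List[Event], window_minutes: int = 60, threshold: int = 3) -> List[str]:
    """Ports whose link dropped at least `threshold` times within one window."""
    counts = flap_counts(events, window_minutes)
    return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    print("down durations (s):", down_durations(evs))
    print("max downs per 60 min:", flap_counts(evs))
    print("ports over threshold:", flapping_ports(evs))
```

On the sample, swx 0/4 drops link four times between 18:47 and 19:41, each outage lasting only seconds, while swx 0/7 shows a single clean transition; that pattern (short, repeated drops confined to one port) is consistent with the isolated event described in the update, whereas the earlier switch-wide symptom would not show up in these link lines at all and has to be looked for in port-security state instead.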