Thursday 7 April 2011

Switch port-security feature under investigation

When enabling the port-security feature on a Cisco switch, you can add the switchport port-security mac-address sticky command under interface configuration mode. With this command enabled, the switch learns a MAC address and puts it both into the running-config and into the CAM table. Without this command, the MAC address is put only into the CAM table. This may be quite obvious, but the consequences can be pretty interesting. I took one switch, a Cat3750, and one router to find out what happens in different situations.

1) The same MAC address appears on different switch ports, and the port-security feature is disabled on both ports.
When the port-security feature is disabled, a MAC address can show up on one switch port, then move to another one, and so on. Every time a new frame arrives on a switch port, the CAM table is updated:

SW1#debug ip icmp
ICMP packet debugging is on

SW1#
*Mar  1 00:37:13.148: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.50fc.5880    DYNAMIC     Gi2/0/1

SW1#
*Mar  1 00:37:40.444: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.50fc.5880    DYNAMIC     Gi2/0/2

SW1#
*Mar  1 00:37:55.737: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.50fc.5880    DYNAMIC     Gi2/0/1

We see that MAC address 0007.50fc.5880 was first learned via Gi2/0/1; after the switch received a ping on the second port, Gi2/0/2, the CAM table was updated. Finally another ping came in again on Gi2/0/1, so the CAM table was updated once more. This is normal behavior. If you think that after learning a MAC address on one port a switch is unable to learn the same MAC address on a second port, you are wrong; if that were the case, Spanning Tree Protocols, for example, would be useless.

2) The CAM table has a static entry for a particular MAC address, and then this address appears on a different port. Port-security is disabled.
When a switch has a static entry for a particular MAC address and this MAC address appears on a different port, the CAM table is not updated. Thus, when the switch receives frames on the second port and tries to send a reply, it uses the static (wrong!) entry from the CAM table.



For the rest of this post, I will use 2 ports on my switch, Gi2/0/3 and Gi2/0/4.

3) Gi2/0/3 with port-security but without sticky learning, Gi2/0/4 without port-security
When Gi2/0/3 has port-security enabled and Gi2/0/4 has port-security disabled, the running configuration is very simple:

SW1#show running-config interface gi2/0/3
!
interface GigabitEthernet2/0/3
 switchport mode access
 switchport port-security
 spanning-tree portfast
end

SW1#show running-config interface gi2/0/4
!
interface GigabitEthernet2/0/4
 switchport mode access
 spanning-tree portfast
end

With these settings, the same MAC address can first appear on Gi2/0/3, next on Gi2/0/4 and finally again on Gi2/0/3. Every time the CAM table is updated and no violation occurs.


4) Gi2/0/3 and Gi2/0/4 have the same configuration, with port-security enabled but without sticky learning.
Here the results are the same as before. The CAM table is updated, no violation occurs.

5) Gi2/0/3 has port-security enabled with sticky learning, Gi2/0/4 has port-security disabled

Here there is a new line in the running configuration: switchport port-security mac-address sticky 0007.50fc.5880 vlan access. Interestingly, when this MAC address appears on the second port, the running configuration is not changed; however, the CAM table is updated (remember that Gi2/0/4 has port-security disabled). In addition, pings work on both ports (Gi2/0/3 and Gi2/0/4) and no violation occurs:

SW1#show run int gi2/0/3
!
interface GigabitEthernet2/0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0007.50fc.5880 vlan access
 spanning-tree portfast
end

SW1#show run int gi2/0/4
!
interface GigabitEthernet2/0/4
 switchport mode access
 spanning-tree portfast
end

SW1#show mac address-table address 0007.50fc.5880
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.50fc.5880    DYNAMIC     Gi2/0/4

6) Gi2/0/3 has port-security enabled and sticky learning, Gi2/0/4 has only port-security, without sticky learning:

Here, as soon as MAC address 0007.50fc.5880 appears on the second interface, which has port-security enabled, the second interface goes into the err-disable state:
SW1#
*Mar  1 00:36:04.436: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  1 00:36:05.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/3, changed state to down
SW1#
*Mar  1 00:36:06.374: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
SW1#
*Mar  1 00:36:06.441: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/3, changed state to down
SW1#
*Mar  1 00:36:08.362: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/4, changed state to up
*Mar  1 00:36:08.983: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/4, putting Gi2/0/4 in err-disable state
*Mar  1 00:36:08.983: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0007.50fc.5880 on port GigabitEthernet2/0/4.
SW1#
*Mar  1 00:36:08.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

SW1#show mac address-table address 0007.50fc.5880
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

SW1#show port-security interface gi2/0/3
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.50fc.5880:1
Security Violation Count   : 0

SW1#show port-security interface gi2/0/4
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0007.50fc.5880:1
Security Violation Count   : 1

So it is clear that ping doesn't work. However, when we plug the cable back into Gi2/0/3, the CAM table is updated again, and pings coming in on Gi2/0/3 are accepted.
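The err-disable event in case 6 is what an operator wants to be alerted on. As an added example that is not part of the original post, the Python below parses the %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines and the show port-security interface output shown above into structured records and emits one alert per violation, noting whether the violating port was actually err-disabled; the sample input is constructed from the output on this page.

```python
import re
# Constructed sample input, copied from the syslog and show output on this page.
SYSLOG = """\
*Mar  1 00:36:08.362: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/4, changed state to up
*Mar  1 00:36:08.983: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/4, putting Gi2/0/4 in err-disable state
*Mar  1 00:36:08.983: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0007.50fc.5880 on port GigabitEthernet2/0/4.
"""
SHOW_PSEC = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Last Source Address:Vlan   : 0007.50fc.5880:1
Security Violation Count   : 1
"""

VIOLATION_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %PORT_SECURITY-2-PSECURE_VIOLATION: "
    r".*?MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>\S+?)\.?$",
    re.MULTILINE)
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")

def short_name(ifname):
    """GigabitEthernet2/0/4 -> Gi2/0/4, the abbreviation the PM messages use."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(.*)", ifname)
    return m.group(1) + m.group(2) if m else ifname

def parse_violations(log):
    """One record (timestamp, MAC, long port name) per PSECURE_VIOLATION message."""
    return [m.groupdict() for m in VIOLATION_RE.finditer(log)]

def errdisabled_ports(log):
    """Short names of ports that PM put into err-disable for a psecure-violation."""
    return {m.group("port") for m in ERRDISABLE_RE.finditer(log)}

def parse_show_port_security(text):
    """Turn the 'Key : Value' lines of show port-security interface into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s+:\s+(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def alerts(log):
    """One alert line per violation, noting whether the port was err-disabled."""
    downed = errdisabled_ports(log)
    return [f"{v['ts']} {v['mac']} on {v['port']}: "
            + ("err-disabled" if short_name(v["port"]) in downed else "still up")
            for v in parse_violations(log)]
```

Feeding the parsed show output through parse_show_port_security lets the same script confirm that "Port Status" is "Secure-shutdown" before anyone clears the port with a shut/no shut.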

7) Both ports are configured with port-security and sticky MAC address learning

The same as the 6th case.


To sum up:

yes = the same MAC address is accepted on two different switch ports,
no = the same MAC address is not accepted on two different switch ports:

                                   1st interface        1st interface        1st interface
                                   - port-security      + port-security      + port-security
                                   - sticky learning    - sticky learning    + sticky learning
----------------------------------------------------------------------------------------------
2nd interface
- port-security
- sticky learning                  yes                  yes                  yes

2nd interface
+ port-security
- sticky learning                  yes                  yes                  no

2nd interface
+ port-security
+ sticky learning                  yes                  no                   no