Hello,
Trying to limit the number of mac-addresses a single switchport can have to only 1. I'd like the NV to "learn and lock" the mac address until it's removed by the administrator.
This was configured almost 2 weeks ago and today we had an outage for all users not being able to join the network; we removed the port-security and sticky mac config lines and users started to show up in the arp table under their switchports. Been reading "Configuring Port Access Control in AOS". Am I missing something here?
interface switchport 0/1
description 601
spanning-tree edgeport
no shutdown
switchport access vlan xxx
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 20:c9:d0:12:5e:b5 vlan xxx
switchport protected
!
interface switchport 0/2
description 602
spanning-tree edgeport
shutdown
switchport access vlan xxx
switchport port-security
switchport port-security mac-address sticky
switchport protected
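The thread turns on whether each access port actually carries the full one-MAC sticky policy the poster describes. The following is an added example, not code from the original post or from Adtran: a small Python audit that splits an AOS running-config into per-switchport stanzas and reports ports where port-security is off, sticky learning is missing, no explicit `switchport port-security maximum` is set (so the one-MAC intent rests on the platform default, which this script does not assume), or the sticky MAC count exceeds the configured maximum. The sample config is constructed, modelled on the stanzas above with placeholder VLAN and MAC values; the `switchport port-security maximum` keyword is the one shown in the CLI help later in the thread.

```python
import re

# Constructed excerpt modelled on the configuration posted above
# (VLAN and MAC values are placeholders, not real devices).
SAMPLE_CONFIG = """\
interface switchport 0/1
 description 601
 spanning-tree edgeport
 no shutdown
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 20:c9:d0:12:5e:b5 vlan 10
 switchport protected
!
interface switchport 0/2
 description 602
 spanning-tree edgeport
 shutdown
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport protected
!
interface switchport 0/3
 description 603
 no shutdown
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
"""

# Matches a sticky entry that names a specific MAC (the bare "sticky" line has none).
MAC_RE = re.compile(r"mac-address sticky ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def parse_switchports(config_text):
    """Split an AOS running-config into {port_name: [command lines]}."""
    ports = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface switchport "):
            current = line.split()[2]
            ports[current] = []
        elif line == "!" or not line:
            current = None          # "!" closes the stanza
        elif current is not None:
            ports[current].append(line)
    return ports


def audit_port(name, lines):
    """Return a list of policy findings for one switchport; [] means the policy is met."""
    findings = []
    enabled = "switchport port-security" in lines
    sticky = "switchport port-security mac-address sticky" in lines
    macs = [m.group(1).lower() for l in lines for m in [MAC_RE.search(l)] if m]
    maximum = next((int(l.split()[-1]) for l in lines
                    if l.startswith("switchport port-security maximum ")), None)
    if not enabled:
        findings.append("port-security not enabled")
    if enabled and not sticky:
        findings.append("sticky learning not enabled (learned MACs will not persist)")
    if enabled and maximum is None:
        findings.append("no explicit 'switchport port-security maximum'; "
                        "one-MAC policy relies on the platform default")
    if maximum is not None and len(macs) > maximum:
        findings.append(f"{len(macs)} sticky MACs exceed maximum {maximum}")
    if "shutdown" in lines:          # exact match; "no shutdown" is a different line
        findings.append("administratively down")
    return findings


def audit(config_text):
    """Audit every switchport stanza in the config text."""
    return {name: audit_port(name, lines)
            for name, lines in parse_switchports(config_text).items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run against a saved `show running-config`, ports 0/1 and 0/2 above are reported for lacking an explicit maximum (and 0/2 as admin-down), while 0/3, which sets `maximum 1`, comes back clean.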
- Thanks for posting your question on the forum!
Your configuration appears to be correct from what I've seen. Were you able to get any debug from when the outage was occurring? Specifically, it would have been good to see the output to debug port-security. Did you happen to notice if any violations had occurred at the time? If there were any at the time, you could issue the show port-security interface <slot/port> address command to view which MAC addresses were being seen as secure for that particular port. Could you respond to this post with the firmware your device is running as well?
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
No debugs were run at the time; we removed the config lines from all switches but one. If it happens again I will run a show port-security interface <slot/port> address and debug port-security.
ADTRAN, Inc. OS version 18.01.04.00
Mainline Version: M04
Checksum: 39AF96BF
Built on: Mon Oct 10 16:11:16 2011
Upgrade key: deebb432cdddfea8f91b0f856adc210c
Boot ROM version 17.03.02.SB
Checksum: D951
Built on: Thu Oct 29 07:14:38 2009
Copyright (c) 1999-2011, ADTRAN, Inc.
Platform: NetVanta 1234, part number 1700594G1
Serial number LBADTN1032AF547
Flash: 8388608 bytes DRAM: 67108863 bytes
E300-6th Floor uptime is 26 weeks, 4 days, 5 hours, 36 minutes, 29 seconds
System returned to ROM by Other
Current system image file is "NV123XA-18-01-04-00.biz"
Boot system image file is "NV123XA-18-01-04-00.biz"
Primary system configuration file is "startup-config"
- Based on your firmware version and the symptoms you experienced, it appears you may have run into one of the following port-security issues:
• If the command no switchport port-security mac-address sticky was issued on an interface, the interface would no longer allow communication until the command no port-security was issued on that interface.
• Clearing a sticky MAC address from an interface with the no switchport port-security mac-address sticky command erased sticky MAC addresses from all interfaces.
I would suggest calling Adtran Technical Support and having them send you the correct firmware for your product which contains the fix. Feel free to reference this thread when talking to the Adtran Support Engineer regarding this. You can contact Technical Support in the following ways:
- Open a webticket by clicking on this link: Create a Service Request
- Open a ticket by emailing support@adtran.com
- Open a ticket by phone by calling 1-888-423-8726
Please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
I'm in the process of updating all x7 NV1234's at a location with the new firmware ADTRAN, Inc. OS version 18.01.05.00 (*** 1st Gen FW not on adtran.com yet)
In reading the docs more closely ("Configuring Port Security in AOS"), it talked about the 3 actions a violation would trigger (protect, restrict, and shutdown). The behavior that I think was happening was similar to "violation protect", because the switch would stop learning new mac addresses on the "affected" switch, but it would also propagate to other switches and prevent traffic on ALL ports.
I'm hoping that the new FW package will behave more like port-security violation "shutdown". Bad thing about the 1st gen: you can't specify the action you wish the switch to take (no violation rules).
(config-swx 0/1)#switchport port-security ?
<cr>
aging - Configure secure MAC address aging parameters
expire - Configure port expiration parameters
mac-address - Add a secure MAC address associated with this port
maximum - Configure the maximum number of secure addresses
UPDATE:
Yesterday we had a port-security violation that was isolated and contained to that switchport. Customer removed the old router and installed a new router. Before OS version 18.01.05.00, this event would have caused the entire switch and other switches to stop learning mac addresses. We use a Meraki MX60 and previously would see 60+ devices all sharing the last time seen (i.e. 53 minutes ago).
Today, after no switchport port-security and no sticky mac, and inserting those lines back in, the new mac became sticky and the client came up. And checking the Meraki all 60+ devices
The only event logs related are below, all other logs were my logins.
2013.03.06 13:13:43 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 13:13:44 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 13:14:25 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 13:14:26 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 18:47:00 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 18:47:01 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 18:47:09 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 18:47:10 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 19:05:15 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:05:16 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 19:05:30 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:05:31 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 19:09:51 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:09:51 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 19:10:10 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:10:11 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 19:40:53 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:40:53 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 19:41:11 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:41:12 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 20:14:40 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 20:14:41 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 20:14:45 ETHERNET_INTERFACE.swx 0/4 link up
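The event log above is the only record of the router swap, and the pattern that matters is a port bouncing several times in a short span. The following is an added example, not code from the original post or from Adtran: a Python parser for the `ETHERNET_INTERFACE.swx <port> link up|down` lines in this log format that pairs each link-down with the next link-up on the same port, reports how long each outage lasted, and flags ports with at least a threshold number of link-down events inside a sliding window. The sample log is constructed, modelled on the lines posted above (port 0/7 is a made-up second port); `INTERFACE_STATUS` lines are deliberately ignored since they duplicate the link events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the AOS event log lines in the thread above.
SAMPLE_LOG = """\
2013.03.06 13:13:43 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 13:13:44 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 13:14:25 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 13:14:26 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 18:47:00 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 18:47:09 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:05:15 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:05:30 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:09:51 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:10:10 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:40:53 ETHERNET_INTERFACE.swx 0/7 link down
2013.03.06 19:41:11 ETHERNET_INTERFACE.swx 0/7 link up
"""

# Only physical link events are parsed; INTERFACE_STATUS lines are skipped.
LINE_RE = re.compile(
    r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) ETHERNET_INTERFACE\.swx (\S+) link (up|down)$")


def parse_link_events(log_text):
    """Return a list of (timestamp, interface, 'up'|'down') tuples from AOS event log text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def link_down_intervals(events):
    """Pair each link-down with the next link-up on the same interface.

    Returns {interface: [(down_time, seconds_down), ...]}; an unmatched
    trailing link-down (port still down at end of log) is left out.
    """
    pending = {}
    intervals = defaultdict(list)
    for ts, iface, state in sorted(events):
        if state == "down":
            pending[iface] = ts
        elif iface in pending:
            start = pending.pop(iface)
            intervals[iface].append((start, (ts - start).total_seconds()))
    return dict(intervals)


def flapping_interfaces(events, window=timedelta(hours=1), threshold=3):
    """Return {interface: max link-down count} for interfaces that hit `threshold`
    link-down events within any sliding `window`."""
    downs = defaultdict(list)
    for ts, iface, state in sorted(events):
        if state == "down":
            downs[iface].append(ts)
    flapping = {}
    for iface, times in downs.items():
        best = 0
        for i, start in enumerate(times):
            # times is sorted, so count downs from this one forward inside the window
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            flapping[iface] = best
    return flapping


if __name__ == "__main__":
    ev = parse_link_events(SAMPLE_LOG)
    for iface, spans in link_down_intervals(ev).items():
        for start, secs in spans:
            print(f"{iface} down at {start:%H:%M:%S} for {secs:.0f}s")
    print("flapping:", flapping_interfaces(ev))
```

With the sample input, port 0/4 shows three link-downs between 18:47 and 19:10 and is reported as flapping; the single bounce on 0/7 is not. Feeding the same parser the switch's `show event-history` output makes it easy to tell a one-off cable swap from a port that keeps bouncing.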