lanceallison21
New Contributor II

Port-Security - Mac Limit 1

Hello,

Trying to limit the number of mac-addresses a single switchport can have to only 1. I'd like the NV to "learn and lock" the mac address until it's removed by the administrator.

This was configured almost 2 weeks ago and today we had an outage where all users were unable to join the network; we removed the port-security and sticky mac config lines and users started to show up in the arp table under their switchports. I've been reading "Configuring Port Access Control in AOS". Am I missing something here?

interface switchport 0/1
  description 601
  spanning-tree edgeport
  no shutdown
  switchport access vlan xxx
  switchport port-security
  switchport port-security mac-address sticky
  switchport port-security mac-address sticky 20:c9:d0:12:5e:b5 vlan xxx
  switchport protected
!
interface switchport 0/2
  description 602
  spanning-tree edgeport
  shutdown
  switchport access vlan xxx
  switchport port-security
  switchport port-security mac-address sticky
  switchport protected

5 Replies
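As an added example (not from the post or from ADTRAN), a small Python audit that parses an AOS-style running-config into interface stanzas and flags switchports where port-security is enabled but no `switchport port-security maximum 1` line enforces the single-MAC limit the question asks for. The sample config is constructed: stanza 0/1 mirrors the posted switchport 0/1 with VLAN 10 standing in for "xxx", and stanza 0/2's `maximum 1` line is an assumption.

```python
import re

# Constructed sample config: stanza 0/1 mirrors the posted port (VLAN 10 for "xxx"); 0/2's 'maximum 1' is assumed.
SAMPLE_CONFIG = """\
interface switchport 0/1
  switchport port-security
  switchport port-security mac-address sticky
  switchport port-security mac-address sticky 20:c9:d0:12:5e:b5 vlan 10
  switchport protected
!
interface switchport 0/2
  switchport port-security
  switchport port-security maximum 1
  switchport port-security mac-address sticky
!
"""
MAX_RE = re.compile(r"^switchport port-security maximum (\d+)$")
STICKY_MAC_RE = re.compile(r"^switchport port-security mac-address sticky ([0-9a-fA-F:]{17})")

def parse_interfaces(config):
    stanzas, current = {}, None  # stanza name -> stripped config lines
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            stanzas[current] = []
        elif line == "!":
            current = None  # '!' closes the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit_port_security(config):
    """Return {interface: [findings]} for every stanza that mentions port-security."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if not any("port-security" in l for l in lines):
            continue  # port-security not in play on this interface
        findings = []
        maximums = [int(m.group(1)) for l in lines if (m := MAX_RE.match(l))]
        sticky_macs = [m.group(1) for l in lines if (m := STICKY_MAC_RE.match(l))]
        if not maximums:
            findings.append("no 'switchport port-security maximum 1': single-MAC limit not enforced")
        elif maximums[-1] > 1:
            findings.append(f"maximum {maximums[-1]} allows more than one secure MAC")
        if maximums and len(sticky_macs) > maximums[-1]:
            findings.append(f"{len(sticky_macs)} sticky MACs exceed maximum {maximums[-1]}")
        report[name] = findings
    return report
```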
Anonymous
Not applicable

Re: Port-Security - Mac Limit 1

Thanks for posting your question on the forum!

Your configuration appears to be correct from what I've seen. Were you able to get any debug from when the outage was occurring? Specifically, it would have been good to see the output of debug port-security. Did you happen to notice if any violations had occurred at the time? If there were any at the time, you could issue the show port-security interface <slot/port> address command to view which MAC addresses were being seen as secure for that particular port. Could you respond to this post with the firmware your device is running as well?

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor

Re: Port-Security - Mac Limit 1

No debugs were run at the time; we removed the config lines from all switches but one. If it happens again I will run a show port-security interface <slot/port> address and debug port-security.

ADTRAN, Inc. OS version 18.01.04.00
  Mainline Version: M04
  Checksum: 39AF96BF
  Built on: Mon Oct 10 16:11:16 2011
  Upgrade key: deebb432cdddfea8f91b0f856adc210c
Boot ROM version 17.03.02.SB
  Checksum: D951
  Built on: Thu Oct 29 07:14:38 2009
Copyright (c) 1999-2011, ADTRAN, Inc.
Platform: NetVanta 1234, part number 1700594G1
Serial number LBADTN1032AF547
Flash: 8388608 bytes  DRAM: 67108863 bytes
E300-6th Floor uptime is 26 weeks, 4 days, 5 hours, 36 minutes, 29 seconds
System returned to ROM by Other
Current system image file is "NV123XA-18-01-04-00.biz"
Boot system image file is "NV123XA-18-01-04-00.biz"
Primary system configuration file is "startup-config"

Anonymous
Not applicable

Re: Port-Security - Mac Limit 1

Based on your firmware version and the symptoms you experienced, it appears you may have run into one of the following port-security issues:

• If the command no switchport port-security mac-address sticky was issued on an interface, the interface would no longer allow communication until the command no port-security was issued on that interface.

• Clearing a sticky MAC address from an interface with the no switchport port-security mac-address sticky command erased sticky MAC addresses from all interfaces.

I would suggest calling Adtran Technical Support and having them send you the correct firmware for your product which contains the fix. Feel free to reference this thread when talking to the Adtran Support Engineer regarding this. You can contact Technical Support in the following ways:

- Open a webticket by clicking on this link: Create a Service Request

- Open a ticket by emailing support@adtran.com

- Open a ticket by phone by calling 1-888-423-8726

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

Re: Port-Security - Mac Limit 1

I'm in the process of updating all x7 NV1234's at a location with the new firmware ADTRAN, Inc. OS version 18.01.05.00   (*** 1st Gen FW not on adtran.com yet)

In reading the docs more closely ("Configuring Port Security in AOS"), it talked about the 3 actions a violation would trigger (protect, restrict, and shutdown). The behavior that I think was happening was similar to "violation protect", because the switch would stop learning new mac addresses on the "affected" switch, but it would also propagate to other switches and prevent traffic on ALL ports.

I'm hoping that the new FW package will behave more like port-security violation "shutdown". Bad thing about the 1st gen: you can't specify the action you wish the switch to take (no violation rules).

(config-swx 0/1)#switchport port-security ?
<cr>
aging                  - Configure secure MAC address aging parameters
expire                 - Configure port expiration parameters
mac-address            - Add a secure MAC address associated with this port
maximum                - Configure the maximum number of secure addresses

Re: Port-Security - Mac Limit 1

UPDATE:

Yesterday we had a port-security violation that was isolated and contained to that switchport. Customer removed old router and installed new router. Before OS version 18.01.05.00, this event would have caused the entire switch and other switches to stop learning mac addresses. We use a Meraki MX60 and previously would see 60+ devices all sharing the last time seen (i.e. 53 minutes ago).

Today, after no switchport port-security and no sticky mac, and inserting those lines back in, the new mac became sticky and the client came up. And checking the Meraki all 60+ devices

The only event logs related are below, all other logs were my logins.

2013.03.06 13:13:43 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 13:13:44 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 13:14:25 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 13:14:26 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 18:47:00 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 18:47:01 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 18:47:09 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 18:47:10 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 19:05:15 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:05:16 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 19:05:30 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:05:31 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 19:09:51 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:09:51 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 19:10:10 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:10:11 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 19:40:53 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:40:53 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 19:41:11 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:41:12 INTERFACE_STATUS.swx 0/4 changed state to up
2013.03.06 20:14:40 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 20:14:41 INTERFACE_STATUS.swx 0/4 changed state to down
2013.03.06 20:14:45 ETHERNET_INTERFACE.swx 0/4 link up
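As an added example (not from the post), a Python pass over the ETHERNET_INTERFACE lines quoted above that pairs each link down with the next link up on the same interface and flags interfaces that cycle repeatedly inside a sliding window, so a port-level flap like swx 0/4 stands out on its own rather than as a switch-wide outage. The three-cycle threshold and one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Event lines copied from the post above (ETHERNET_INTERFACE entries only).
EVENT_LOG = """\
2013.03.06 13:13:43 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 13:14:25 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 18:47:00 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 18:47:09 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:05:15 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:05:30 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:09:51 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:10:10 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 19:40:53 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 19:41:11 ETHERNET_INTERFACE.swx 0/4 link up
2013.03.06 20:14:40 ETHERNET_INTERFACE.swx 0/4 link down
2013.03.06 20:14:45 ETHERNET_INTERFACE.swx 0/4 link up
"""
LINE_RE = re.compile(r"^(\S+ \S+) ETHERNET_INTERFACE\.(\S+ \S+) link (up|down)$")

def parse_link_events(text):
    events = []  # (timestamp, interface, 'up'|'down')
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def link_cycles(events):
    pending, cycles = {}, {}  # open 'down' per iface; iface -> [(down_ts, seconds_down)]
    for ts, iface, state in sorted(events):
        if state == "down":
            pending[iface] = ts
        elif iface in pending:
            down = pending.pop(iface)
            cycles.setdefault(iface, []).append((down, (ts - down).total_seconds()))
    return cycles

def flapping_interfaces(events, min_cycles=3, window=timedelta(hours=1)):
    """Interfaces with >= min_cycles down/up cycles starting inside one sliding window."""
    flagged = {}
    for iface, cyc in link_cycles(events).items():
        starts = [down for down, _ in cyc]  # already sorted
        for i, first in enumerate(starts):
            count = sum(1 for s in starts[i:] if s - first <= window)
            if count >= min_cycles:
                flagged[iface] = max(flagged.get(iface, 0), count)
    return flagged
```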