[c-nsp] Under which conditions does port-security consider MAC flap as a security violation?

Martin T m4rtntns at gmail.com
Fri Oct 31 10:27:24 EDT 2014


Hi,

I have the following very simple setup:
http://s30.postimg.org/d0t320dsh/port_sec.png

As seen above, a PC with two NICs is connected to a Cisco Catalyst
WS-C4506 switch and both NICs on the PC have the same MAC address
00:00:00:00:00:11. Switch port configuration is identical:

interface GigabitEthernet6/41
 switchport access vlan 881
 switchport mode access
 switchport port-security maximum 100
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end

interface GigabitEthernet6/42
 switchport access vlan 881
 switchport mode access
 switchport port-security maximum 100
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end


As seen above, port-security on switch ports is enabled. If I send a
unicast frame from PC port eth0 to switch port Gi6/42, then the switch
will learn the MAC address in its MAC address table and the "Total MAC
Addresses" counter in "sh port-security interface Gi6/42" output will
increase from 0 to 1. Now when I send a unicast frame from PC port eth1
to switch port Gi6/41, then the switch will not learn the MAC address
and the "Total MAC Addresses" counter in "sh port-security interface
Gi6/41" output will stay 0. In addition, the "Last Source Address:Vlan"
field stays "0000.0000.0000:0". IMHO this is all expected behavior and
this is how port-security with the configuration above should work.
However, on a live switch with the very same configuration and
HW/SW (WS-X4515 SUP with cat4500-ipbasek9-mz.122-54.SG.bin) as the lab
one, I saw a behavior where a duplicate MAC address on two ports with
the same port-security configuration as above caused a port-security
violation:

Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon
receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs
100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs
3072
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found
duplicate mac-address 0000.5e00.0103, It is already secured on Gi4/7
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Security
violation occurred, bring down the interface
Oct 30 11:33:06.458 UTC: %PM-4-ERR_DISABLE: psecure-violation error
detected on Fa5/2, putting Fa5/2 in err-disable state

As I understand this "debug port-security" log, port-security on Gi4/7
learned the MAC address 0000.5e00.0103 and then the same MAC address
appeared on port Fa5/2, and port-security on Fa5/2 put the port Fa5/2
into error-disabled state.

Under which conditions does port-security consider a MAC flap as a
security violation? I wasn't able to replicate this behavior in the lab.



thanks,
Martin
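A constructed parser for the "debug port-security" lines quoted in the post above, added here as an example and not part of the original post or of any Cisco tooling: it turns the four PSECURE lines into one structured event (MAC, VLAN, the port the MAC was already secured on, the port that got err-disabled) and reports whether the port still had headroom, which separates a duplicate-MAC violation from a plain address-count violation. The regular expressions are assumptions keyed to the exact wording of the lines in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the debug port-security lines quoted in the post,
# re-joined onto single lines (the mail client wrapped them).
SAMPLE_LOG = """\
Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs 100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs 3072
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found duplicate mac-address 0000.5e00.0103, It is already secured on Gi4/7
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Security violation occurred, bring down the interface
Oct 30 11:33:06.458 UTC: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa5/2, putting Fa5/2 in err-disable state
"""

# Assumed patterns, derived from the wording of the quoted lines only.
DETECT_RE = re.compile(r"duplicate detected upon receiving ([0-9a-f.]+) on vlan (\d+):.*?port_num_addrs (\d+) port_max_addrs (\d+)")
DUP_RE = re.compile(r"Found duplicate mac-address ([0-9a-f.]+), It is already secured on (\S+)")
ERRDIS_RE = re.compile(r"psecure-violation error detected on (\S+), putting")

@dataclass
class DuplicateMacEvent:
    mac: str
    vlan: Optional[int] = None
    secured_on: Optional[str] = None       # port that already holds the MAC
    violating_port: Optional[str] = None   # port that was err-disabled
    port_num_addrs: Optional[int] = None
    port_max_addrs: Optional[int] = None

    def is_duplicate_not_exhaustion(self) -> bool:
        # Headroom left on the port: the trigger was the duplicate, not the per-port maximum.
        return (self.port_num_addrs is not None and self.port_max_addrs is not None
                and self.port_num_addrs < self.port_max_addrs)

def parse_psecure_log(text: str) -> List[DuplicateMacEvent]:
    events = {}      # mac -> event; the PSECURE lines of one violation share the MAC
    current = None   # last event seen, so the MAC-less err-disable line can be attached
    for line in text.splitlines():
        m = DETECT_RE.search(line)
        if m:
            mac, vlan, num, mx = m.groups()
            current = events.setdefault(mac, DuplicateMacEvent(mac=mac))
            current.vlan, current.port_num_addrs, current.port_max_addrs = int(vlan), int(num), int(mx)
            continue
        m = DUP_RE.search(line)
        if m:
            current = events.setdefault(m.group(1), DuplicateMacEvent(mac=m.group(1)))
            current.secured_on = m.group(2)
            continue
        m = ERRDIS_RE.search(line)
        if m and current is not None:
            current.violating_port = m.group(1)
    return list(events.values())
```

Feeding the same parser the lab switch's debug output would show no event at all, which is the difference the post is asking about.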

