[c-nsp] Under which conditions does port-security consider MAC flap as a security violation?

Lukas Tribus luky-37 at hotmail.com
Fri Oct 31 12:10:25 EDT 2014


> Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon
> receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs
> 100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs
> 3072
> Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found
> duplicate mac-address 0000.5e00.0103, It is already secured on Gi4/7
> Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Security
> violation occurred, bring down the interface
> Oct 30 11:33:06.458 UTC: %PM-4-ERR_DISABLE: psecure-violation error
> detected on Fa5/2, putting Fa5/2 in err-disable state
>
> As I understand this "debug port-security" log, port-security on Gi4/7
> learned the MAC address 0000.5e00.0103 and then the same MAC address
> appeared in port Fa5/2 and port-security on Fa5/2 put the port Fa5/2
> into error-disabled state.
>
> Under which conditions does port-security consider MAC flap as a
> security violation? I wasn't able to replicate this behavior in lab..

Once a MAC address is "secured" (within the thresholds of a port with
port-security enabled), it must not appear on another port-security
enabled switchport.

It doesn't necessarily have to do with "MAC flapping". You should be able
to trigger this even by moving the MAC from one port to another.



Lukas
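The following is an added example, not code from the thread or from Cisco: it parses the "debug port-security" lines quoted above and correlates, per violation, the MAC, the VLAN, the port on which the MAC was already secured, and the port that ended up err-disabled. It also reads the address counters from the "Violation/duplicate detected" line so you can tell a duplicate-MAC violation from a max-addresses overrun (in the quoted event every count is well under its limit, which is why the duplicate is the only cause). The sample log is constructed from the quoted lines, with the mail-wrapped first line rejoined and one extra generic %LINK-3-UPDOWN line added to show that unrelated messages are ignored; the regular expressions are written against exactly that format and are an assumption for other IOS versions. psecure_check() is a small model of the rule stated in the reply, not of the IOS implementation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the debug lines quoted in the thread (first line rejoined
# after mail wrapping) plus one unrelated %LINK line that is not from the thread.
SAMPLE_LOG = """\
Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs 100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs 3072
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found duplicate mac-address 0000.5e00.0103, It is already secured on Gi4/7
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Security violation occurred, bring down the interface
Oct 30 11:33:06.458 UTC: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa5/2, putting Fa5/2 in err-disable state
Oct 30 11:33:07.001 UTC: %LINK-3-UPDOWN: Interface FastEthernet5/2, changed state to down
"""

# Regexes tailored to the message formats seen in the thread (assumption for other IOS releases).
RE_DETECT = re.compile(
    r"PSECURE: Violation/duplicate detected upon receiving "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on vlan (?P<vlan>\d+): "
    r"port_num_addrs (?P<port_num>\d+) port_max_addrs (?P<port_max>\d+) "
    r"vlan_addr_ct (?P<vlan_ct>\d+): vlan_addr_max (?P<vlan_max>\d+) "
    r"total_addrs (?P<total>\d+): max_total_addrs (?P<total_max>\d+)"
)
RE_DUP = re.compile(r"Found duplicate mac-address (?P<mac>[^,]+), It is already secured on (?P<port>\S+)")
RE_ERRDIS = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[^,]+), putting")

COUNTER_KEYS = ("port_num", "port_max", "vlan_ct", "vlan_max", "total", "total_max")


@dataclass
class Violation:
    mac: str
    vlan: Optional[int] = None
    secured_on: Optional[str] = None     # port that already holds the MAC as secured
    err_disabled: Optional[str] = None   # port that received the MAC and was shut
    counters: Dict[str, int] = field(default_factory=dict)

    def at_address_limit(self) -> bool:
        """True if learning one more address would exceed a per-port, per-VLAN or
        global maximum, i.e. the violation could be a max-addresses overrun
        rather than (or as well as) a duplicate."""
        c = self.counters
        if not c:
            return False
        return (c["port_num"] >= c["port_max"]
                or c["vlan_ct"] >= c["vlan_max"]
                or c["total"] >= c["total_max"])


def parse_psecure_log(text: str) -> List[Violation]:
    """Correlate the PSECURE debug lines and the ERR_DISABLE syslog into one
    Violation record per event. Lines that match none of the patterns are ignored."""
    violations: List[Violation] = []
    current: Optional[Violation] = None
    for line in text.splitlines():
        m = RE_DETECT.search(line)
        if m:
            current = Violation(mac=m["mac"], vlan=int(m["vlan"]),
                                counters={k: int(m[k]) for k in COUNTER_KEYS})
            violations.append(current)
            continue
        m = RE_DUP.search(line)
        if m:
            # Start a new record if the detect line was missing or belongs to another MAC.
            if current is None or current.mac != m["mac"]:
                current = Violation(mac=m["mac"])
                violations.append(current)
            current.secured_on = m["port"]
            continue
        m = RE_ERRDIS.search(line)
        if m and current is not None:
            current.err_disabled = m["port"]
            current = None  # the event is complete once the port is err-disabled
    return violations


def psecure_check(secured: Dict[str, str], port: str, mac: str) -> str:
    """Model of the rule in the reply: a MAC already secured on one port-security
    port must not show up on another port-security port. 'secured' maps MAC to the
    port it is secured on; only port-security-enabled ports belong in it."""
    owner = secured.get(mac)
    if owner is None:
        return "learn"      # not yet secured anywhere: the port may learn it
    if owner == port:
        return "ok"         # same port, nothing to do
    return "violation"      # secured elsewhere: violation on the receiving port


if __name__ == "__main__":
    for v in parse_psecure_log(SAMPLE_LOG):
        print(f"{v.mac} vlan {v.vlan}: secured on {v.secured_on}, "
              f"err-disabled {v.err_disabled}, at-limit={v.at_address_limit()}")
```

Running it against the sample prints one event: the MAC secured on Gi4/7 err-disabled Fa5/2 while no address counter was at its limit, which is exactly the case the reply describes, a duplicate rather than a max-addresses violation. Feeding the same MAC and port pair to psecure_check() with the secured table {"0000.5e00.0103": "Gi4/7"} returns "violation" for Fa5/2 and "ok" for Gi4/7.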
