LPS port-security violation shutdown doesn't work

Minikevv

LPS port-security violation shutdown doesn't work

Post by Minikevv »

Hi,

I'm trying to use the LPS feature "port-security slot/port violation shutdown" and am experiencing strange behavior.
I want to configure LPS on a port so that it accepts one, and only one, MAC, and if it sees another MAC it shuts down (not filters, shuts down) the port.
My config is:
port-security 1/20 enable
port-security 1/20 maximum 1
port-security shutdown 10 convert-to-static enable
port-security 1/20 max-filtering 1
port-security 1/20 violation shutdown

Omniswitch 6400 AOS 6.4.3.640

But with this config, I have the following behavior:
- I start the learning window with port-security shutdown 10
- I plug my test computer N°1 into port 1/20
- The MAC is learned (I see it with "show arp", "show mac-address-table" and "show port-security")
- I let the learning window expire (the dynamic MAC is converted to static successfully)
- I unplug computer N°1
- I plug computer N°2 (with a different MAC) into port 1/20
- I would expect the second MAC to provoke the shutdown of port 1/20, but the interface is still up ("show vlan port 1/20" shows that 1/20 is in forwarding state). However, computer N°2 is not able to access the network (I ping the IP interface of the switch in the same VLAN and the same IP network and get no response).
- When I unplug computer N°2 and plug computer N°1 back in, computer N°1 can access the network perfectly. The switch seems to act as if I had used "port-security 1/20 violation restrict" instead of "port-security 1/20 violation shutdown".

Does anyone have a hint? Did I misconfigure something? Is it a bug?

Thanks for your answers and advice.

Matt
silvio
Alcatel Unleashed Certified Guru
Posts: 2110
Joined: 01 Jul 2008 10:51
Location: Germany

Re: LPS port-security violation shutdown doesn't work

Post by silvio »

The behavior is the right one.
- one MAC is learned (maximum 1)
- the second MAC is filtered
- and the next (3rd) MAC brings the violation status (max-filtering 1) (in your case you need two computers at the same time on the port)

If you want the second MAC to switch the port to shutdown, you need:
> port-security 1/20 max-filtering 0

regards Silvio
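The rule Silvio describes is easy to misread, so here is a small simulation of the two LPS counters (maximum = MACs that get learned and bridged, max-filtering = further MACs that are only filtered before the violation action fires). This is an added example written for this thread, not Alcatel code; the class, method names and the "restrict"/"shutdown" strings are assumptions for illustration, and the MAC addresses are constructed. It reproduces Matt's scenario (max-filtering 1: second MAC filtered, port stays up) and Silvio's fix (max-filtering 0: second MAC shuts the port down).

```python
"""Toy model of OmniSwitch Learned Port Security (LPS) counters.

Added example for the thread above, not Alcatel/AOS code. It follows the
rules given in the thread: up to `maximum` MACs are learned (BRIDGE), up to
`max_filtering` additional MACs are filtered (FILTER), and the next
unauthorized MAC triggers the configured violation action.
"""
from dataclasses import dataclass, field


@dataclass
class LpsPort:
    maximum: int                  # port-security <slot/port> maximum N
    max_filtering: int            # port-security <slot/port> max-filtering M
    violation: str = "restrict"   # "restrict" or "shutdown" (assumed model)
    learned: set = field(default_factory=set)
    filtered: set = field(default_factory=set)
    is_shutdown: bool = False
    log: list = field(default_factory=list)

    def frame_from(self, mac: str) -> str:
        """Process a frame from `mac`; return 'bridge', 'filter' or 'shutdown'."""
        if self.is_shutdown:
            return "shutdown"
        if mac in self.learned:
            return "bridge"
        if len(self.learned) < self.maximum:
            self.learned.add(mac)
            self.log.append(f"{mac} learned (BRIDGE)")
            return "bridge"
        # Port already holds `maximum` MACs: this one is unauthorized.
        if mac in self.filtered:
            return "filter"
        if len(self.filtered) < self.max_filtering:
            self.filtered.add(mac)
            self.log.append(f"{mac} filtered (FILTER)")
            return "filter"
        # Filter table is full: the violation action fires.
        if self.violation == "shutdown":
            self.is_shutdown = True
            self.log.append(f"{mac} -> violation, port shut down")
            return "shutdown"
        self.log.append(f"{mac} -> violation, traffic dropped (restrict)")
        return "filter"

    def show_port_security(self) -> list:
        """Rows in the spirit of 'show port-security': (mac, type)."""
        rows = [(m, "BRIDGE") for m in sorted(self.learned)]
        rows += [(m, "FILTER") for m in sorted(self.filtered)]
        return rows


# Constructed test MACs (not from the thread).
PC1, PC2, PC3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"


def scenario(max_filtering: int, violation: str = "shutdown"):
    """Plug three different MACs in turn into a 'maximum 1' port.

    Returns (per-MAC outcome list, port shut down?).
    """
    port = LpsPort(maximum=1, max_filtering=max_filtering, violation=violation)
    outcomes = [port.frame_from(m) for m in (PC1, PC2, PC3)]
    return outcomes, port.is_shutdown


def matt_replug_pc1() -> str:
    """Matt's case: PC2 gets filtered, then PC1 is plugged back in."""
    port = LpsPort(maximum=1, max_filtering=1, violation="shutdown")
    port.frame_from(PC1)
    port.frame_from(PC2)          # second MAC: only filtered
    return port.frame_from(PC1)   # PC1 is still authorized -> 'bridge'


if __name__ == "__main__":
    print("max-filtering 1:", scenario(1))
    print("max-filtering 0:", scenario(0))
    print("PC1 after PC2 was filtered:", matt_replug_pc1())
```

With max-filtering 1 the outcomes are bridge, filter, shutdown and only the third MAC takes the port down; with max-filtering 0 the second MAC already does. The violation action only decides what happens once the filter table is full, which is why Matt's port behaved like "restrict" even though "shutdown" was configured.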
junquel

Re: LPS port-security violation shutdown doesn't work

Post by junquel »

I have a few questions...

Master Silvio: "port-security 1/20 max-filtering 0" — if the value = 0, show port-security and show mac-address-table don't show the unauthorized MAC address.
However, if I set the value to 2 (e.g.), the previous commands show that information.
MAC Address         VLAN   TYPE
-------------------+------+--------
00:16:d4:a0:c7:88   1      FILTER
78:e3:b5:6d:eb:b0   1      BRIDGE
78:e3:b5:6d:eb:b0   2      BRIDGE
00:16:d4:a0:c7:88   3      FILTER
00:1d:72:cb:4a:c6   4      BRIDGE

Now, another question. I have an OS6850 and another 3Com switch connected to port 1/11. I connected a first PC to the 3Com switch.
The output of the command show port-security 1/11 displays this:
MAC Address         VLAN   TYPE
-------------------+------+--------
78:e3:b5:6d:eb:b0   1      BRIDGE
78:e3:b5:6d:eb:b0   2      BRIDGE

I have VLAN port mobility configured on all ports of the OS6850. Why is the first MAC address duplicated on VLAN 1 and VLAN 2 (here it is OK)?????
This only happens with the first MAC address.
If I want to set a maximum MAC address = 3, I must define the value as 4.

Thanks in advance!
Peter...
silvio

Re: LPS port-security violation shutdown doesn't work

Post by silvio »

Hi,
For your second question: we have seen the same issue on a lot of OmniSwitches with the latest releases. There must be an error in the software. We have forwarded this issue to Alcatel support, but they say that they can't recreate it. So it would be helpful if you also open a service request there for quick solving....
regards
Silvio