Friday, March 6, 2020

Port Security Violation between 2 directly connected switches

Hi Guys,

I just came across something I have never experienced before and just wanted to know if anyone else has seen this.

Scenario. We have 2 switches, Switch A and Switch B. The 2 switches have a direct trunk connection to each other. An engineer connected a PC to Switch B on a port configured with VLAN 10, for example. This port is configured with port security with a maximum MAC address count of 3 and sticky MAC addresses.

He then took that same PC and connected it to a port on Switch A that is configured with VLAN 10 but does not have any port security in place. The PC managed to pick up a DHCP address; however, the PC is unable to do anything else. It can't be pinged by anything other than the directly connected switch.

Checking for port security violations, there is nothing alerting me to this being the cause of the issue on either Switch A or Switch B. If the sticky MAC address for this PC is removed from the port on Switch B, then the issue is resolved and the PC connected to Switch A is pingable and can speak outbound with no issues.

Is this normal behaviour of switchport security? And if so, why are there no log messages or port status alarms to notify you of this? It's not obvious that the issue is being caused by port security if you are not already aware that the PC was connected elsewhere beforehand.

I always thought that the sticky MAC address command only looked for a PC being connected to another port on the same switch and did not realise that it also triggered if the PC was connected to another switch that the original switch could speak to.

Thanks in advance.
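The configuration described in the post, together with the show commands that expose the cause on Switch B, as an added example that is not part of the original post. The interface names (GigabitEthernet1/0/10 as the secure access port, GigabitEthernet1/0/24 as the trunk) and the MAC address 0011.2233.4455 are constructed placeholders; the commands themselves are standard Cisco IOS.

```cisco
! ---- Switch B: the access port with port security, as described in the post ----
! (constructed example; interface names and the MAC address are placeholders)
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 ! Once the PC has been seen on this port, IOS writes the learned address into the
 ! running-config as a sticky secure MAC. It stays here until removed or the config is reloaded.
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet1/0/24
 description trunk to Switch A
 switchport mode trunk

! ---- Checks to run on Switch B after the PC has moved to Switch A ----
! Violation counter and secure-address count for the port; a "Last Source Address" that
! still shows the PC's MAC while the PC is physically elsewhere is the tell.
show port-security interface GigabitEthernet1/0/10

! Lists every secure MAC, its type (SecureSticky) and the port it is pinned to.
show port-security address

! A sticky secure MAC is installed as a STATIC entry in the MAC address table, so the
! switch does not relearn it via the trunk when the same MAC shows up from Switch A.
! Expect it to appear on Gi1/0/10, not on Gi1/0/24.
show mac address-table address 0011.2233.4455

! ---- Remediation on Switch B: release the sticky entry for the moved host ----
! Either clear all sticky addresses on the port...
clear port-security sticky interface GigabitEthernet1/0/10
! ...or remove just the one address under the interface.
interface GigabitEthernet1/0/10
 no switchport port-security mac-address sticky 0011.2233.4455
```

Because the sticky address lives in the running-config as a static entry, nothing about it counts as a violation from Switch B's point of view, which is why no %PORT_SECURITY syslog or err-disable is raised; `show port-security address` and `show mac address-table address` are the checks that reveal the stale binding, and `write memory` after the clear keeps it from returning at the next reload.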
