
C3560 MAC Address Aging Timer Inop 1


green6 (Programmer, US), Apr 29, 2003
Has anyone had this problem on their C3560 switch:
The mac address associated with an interface fails to age out after the computer is disconnected from the interface.

The mac-address aging timer is at the default of 300 seconds.

I'm running IOS c3560-advipservicesk9-mz.122-37.SE1.bin on a WS-C3560G-48PS-S.

A typical interface configuration is:

interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
 switchport voice vlan 20
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation protect
 mls qos trust device cisco-phone
 spanning-tree portfast

Other than that it's a fairly typical config, ip routing is turned on for inter-vlan connectivity, it's defaulted to spanning-tree mode pvst, and I've set this particular switch as the root for the VTP Domain, spanning-tree vlan 1-1024 priority 24576.

Quite baffling, I can't even get the mac address to clear from the interface with the clear mac-address interface command.

So far the only way to remove the mac address from the interface is to shut/no shut the interface.

I've searched the Cisco website for bug reports but have not come across any pertinent documentation.

Any insight would be greatly appreciated.
 
It's not baffling really, as you have port-security enabled; thus it's the default nature of that port.
 
Thanks Brian,

I'm not aware that the command switchport port-security, alone, would keep the mac-address from aging out after the global aging timer expires.

I'm under the impression, based on Cisco's documentation, that to keep the mac-address associated with an interface you would need to use the switchport port-security mac-address sticky command (or, alternatively, manually hard-code the mac-address on the interface).

I'll try a test in the lab, see if I come up with the same results.

Thanks again for your input.

Greg
 
Brian,

You were absolutely right, don't I feel like a first-year CCNA. : )

Sure enough the switchport port-security command caused the mac-address to remain associated with the interface regardless of the aging timer.
And, since the PC was connected through a VoIP phone, the interface stayed up/up after I removed the PC.

Lesson learned, thanks for pointing it out for me.

Greg
 
Well, I couldn't get your point. I am facing the same problem at two of our customers and haven't been able to solve it yet. Can you please explain in more detail what causes this problem?
Regards
s^3
 
Hi selcuks2001,

Wow, that issue was quite a while ago, let me see if I can remember what I found out.

As brianinms pointed out to me, it is the default nature of the command.
What I finally figured out is that the default behavior of the "switchport port-security" command IS to lock-in a mac-address-to-switchport association in the mac-address table. So it's not so much a problem as it's what the command is designed to do.

I couldn't find clear information on the "switchport port-security" command on the Cisco website other than that the default is to lock-in a single mac-address in the mac-address tables unless you configure the "switchport port-security max" command which will allow the switch to learn and lock-in multiple macs.

The key is that mac-addresses are learned dynamically as traffic enters the switchport from the connected device. If the port is shut down or the switch reloads, the mac-address-to-switchport association is cleared from the tables. Of course you can also hard-code one or more mac-addresses to an interface if you don't want the switch to dynamically learn mac-addresses.

If you want the mac-address to remain associated with the switchport across reloads and port state changes, when using the dynamic mode, you use the "switchport port-security mac-address sticky" and then save your config after the mac-addresses are learned and "stuck" to an interface.

This is a pretty decent write-up on the port-security command:

Hope that helps,

Greg
 
Hello again,
Let me tell you which problem I am facing: two of our customers are using the same brand of switches, which are Cisco 4500 Series.
MAC security is applied to all of the ports on the switches. But when a user wants to migrate from a port to another I am facing a "security violation" problem. i.e. When a user wants to migrate from GigabitEthernet6/3 to GigabitEthernet7/5 I am getting "security violation error" on the port GigabitEthernet7/5.
Let me type what I am doing before the user migration:
First I am clearing the port security command under the GigabitEthernet7/5 interface (new port) and then when I apply port security to the interface GigabitEthernet7/5 (new port) I am getting the same violation problem.
I have learnt a command which clears the MAC addresses from the ports which is "clear mac-address....(bla bla)". I also applied this command to the interface GigabitEthernet7/5 (new port). But then when I apply port security again I am getting the same port security violation error.
And unfortunately the result turned out to be that the migrated interface GigabitEthernet7/5 works without port security. But I am facing this problem not on all the ports of the switches. Only some ports behave like that.
Summary: A MAC address (user) migrates from port1 to port2. But when port security is applied to the new port (port2) a port security violation occurs.
Well as far as I understand from your posts, if I shut the interface and then "no shut" it then the problem will be solved? (Though I tried shut and no shut thing.)
Regards...
s^3
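As an added illustration of the behaviour Greg describes and the migration symptom s^3 reports (this script is not from the thread or from Cisco), a Python checker that parses constructed `show port-security address` and `show interfaces status` output, lists secure MACs still bound to a port whose link is down, and reports which port would still hold a MAC when that host appears on another port. The sample output is constructed and assumed to follow the Catalyst column layout shown; adjust the regexes if your platform prints it differently.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output, not captured from either poster's switch.
SHOW_PORT_SECURITY_ADDRESS = """\
          Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
----    -----------       ----                          -----   -------------
  30    0011.2233.4455    SecureDynamic                 Gi0/2        -
  30    0011.2233.4466    SecureSticky                  Gi0/3        -
-------------------------------------------------------------------------------
"""
SHOW_INTERFACES_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/2     user pc            notconnect   30           auto   auto 10/100/1000BaseTX
Gi0/3                        connected    30         a-full a-1000 10/100/1000BaseTX
"""
SECURE_RE = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)
STATUS_RE = re.compile(r"^(\S+)\s.*?\b(connected|notconnect|disabled|err-disabled|inactive)\b")

def parse_secure_addresses(text: str) -> List[Tuple[str, str, str]]:
    """(mac, secure type, port) for each entry of 'show port-security address'."""
    entries = []
    for line in text.splitlines():
        m = SECURE_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2), m.group(3)))
    return entries

def parse_interface_status(text: str) -> Dict[str, str]:
    """port -> link status from 'show interfaces status'; the header has no status word."""
    return {m.group(1): m.group(2)
            for m in map(STATUS_RE.match, text.splitlines()) if m}

def stale_secure_entries(secure, status) -> List[Tuple[str, str, str]]:
    """Secure MACs still locked to a port that is not up. Port-security keeps them
    past the 300 s aging timer; in the thread only shut/no shut or a reload cleared them."""
    return [e for e in secure if status.get(e[2]) != "connected"]

def conflicting_port(secure, mac: str, new_port: str) -> Optional[str]:
    """The port that still holds 'mac' when that host appears on new_port (the
    migration case from the thread); None if the MAC is free or already on new_port."""
    for entry_mac, _kind, port in secure:
        if entry_mac == mac.lower() and port != new_port:
            return port
    return None
```

Run the two parsers against the real command output from the switch; any MAC that `conflicting_port` reports for the new port is the entry to clear on the old port before port-security on the new port will accept the host.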
 