MVP
Posts: 1,111
Registered: ‎10-11-2011

Mobility Access Switch: Port Security False Alarms?

I just deployed my first stack of mobility switches over the weekend and am having a recurring issue with ports error disabling because the MAC limit I set (to 1) is being exceeded.  I don't have any reason to believe that multiple devices are somehow connected to switchports via other switches/hubs/etc resulting in the port error-disabling.  In the logs, I'll see an STP change and then a message about the interface shutting down:

 

Oct 22 22:31:43 :340001: <WARN> |l2m| changing the instance 220 port GE1/0/18 state from FORWARDING to DISCARDING
Oct 22 22:31:43 :128002: <ERRS> |l2m| MAC limit exceeded on interface gigabitethernet1/0/18, shutting down interface



It would seem that the two are related, but I'm not sure how.

 

I'm also seeing a ton of the following STP messages logged prior to the port being error-disabled and don't know if they're related:

 

Oct 19 19:45:29 :340004:  <WARN> |l2m|  Flushing mac-addresses on GE1/0/18 vlan-id 1 due to STP topology change

 

Any thoughts?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Mobility Access Switch: Port Security False Alarms?

Thecompnerd,

When the mac-limit is being triggered, we are shutting down the port which changes its STP state from Forwarding to Discarding, so yes they are related. So are you sure that a second device is not being connected like a PC behind a phone?

 

With the flushing message (which we've improved in later releases), I suspect you haven't enabled portfast on those ports, so when the port goes down it is causing an STP TCN to be sent out. I would highly recommend enabling portfast on access ports.

 

Best regards,

 

Madani
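
The ordering described in the reply above (the MAC-limit shutdown and the STP state change logged together, with flush messages on the same port beforehand) can be checked across a whole log export. This is an added example, not part of the original thread or of Aruba's tooling; the sample lines are constructed in the format quoted in the first post, and the year and the 5-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in the thread (not real switch output).
SAMPLE_LOG = """\
Oct 22 22:29:10 :340004:  <WARN> |l2m|  Flushing mac-addresses on GE1/0/18 vlan-id 1 due to STP topology change
Oct 22 22:31:40 :340004:  <WARN> |l2m|  Flushing mac-addresses on GE1/0/18 vlan-id 1 due to STP topology change
Oct 22 22:31:43 :340001: <WARN> |l2m| changing the instance 220 port GE1/0/18 state from FORWARDING to DISCARDING
Oct 22 22:31:43 :128002: <ERRS> |l2m| MAC limit exceeded on interface gigabitethernet1/0/18, shutting down interface
Oct 22 22:40:02 :340004:  <WARN> |l2m|  Flushing mac-addresses on GE1/0/7 vlan-id 1 due to STP topology change
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) :(\d+):\s+<\w+>\s+\|l2m\|\s+(.*)$")
# The log uses both "GE1/0/18" and "gigabitethernet1/0/18" for the same port.
PORT = re.compile(r"(?:GE|gigabitethernet)(\d+/\d+/\d+)", re.I)
KIND = {"340001": "stp_state", "340004": "mac_flush", "128002": "mac_limit"}

def parse(text, year=2012):  # syslog lines carry no year; 2012 is an assumption
    """Yield (timestamp, kind, port) for the three l2m message IDs seen in the thread."""
    for line in text.splitlines():
        m, port = LINE.match(line), PORT.search(line)
        if m and port and m.group(2) in KIND:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, KIND[m.group(2)], "GE" + port.group(1)

def correlate(text, window=timedelta(minutes=5)):
    """For each MAC-limit shutdown, summarise STP events on the same port within the window."""
    by_port = defaultdict(list)
    for ts, kind, port in parse(text):
        by_port[port].append((ts, kind))
    report = []
    for port, events in by_port.items():
        for ts, kind in events:
            if kind != "mac_limit":
                continue
            near = [(t, k) for t, k in events if k != "mac_limit" and abs(t - ts) <= window]
            report.append({
                "port": port,
                "shutdown": ts,
                "flushes_before": sum(k == "mac_flush" and t <= ts for t, k in near),
                "stp_change_same_second": any(k == "stp_state" and t == ts for t, k in near),
            })
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

A shutdown with `stp_change_same_second` set and no other STP activity points at the MAC limit itself; a run of earlier flushes on the same port is worth comparing against trunk events.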

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Mobility Access Switch: Port Security False Alarms?

Madani,

 

Yes, I've confirmed that we don't have any VoIP phones at that location or any other devices that would share the port.

 

All of the error-disabled ports so far have portfast enabled.

 

I know on Cisco switches with port-security enabled, a port flapping event (i.e. bad cabling) would cause the port to error disable.  Will MAS also disable a port due to flapping?

Aruba
Posts: 429
Registered: ‎05-30-2012

Re: Mobility Access Switch: Port Security False Alarms?

Thecompnerd,

Sorry for the delay responding.

 

We do not currently support error-disabling the port due to link-flap, though it's a good idea. I recommend you submit that to the idea portal.

 

Since portfast is enabled on your access ports, then the Flushing message is actually occurring due to a TCN received by your Trunk links or a flap on the trunk itself.

 

But back to the original mac-limit issue, what does this show:

 

show mac-learning-log | include GE1/0/18

 

Best regards,

 

Madani

MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Mobility Access Switch: Port Security False Alarms?


No problem.

 

There are a lot of MAC learning events logged so I can't go back to last week when the issue occurred on this particular port.  I was able to find another port that error disabled today, but the MAC log is only showing it's learned the same MAC several times today.  It doesn't show any other MACs learned on the port.  I checked the port and it's admin up/link up, but there isn't a MAC in the address table for that interface.  Very odd.  I'm going to have someone trace the cable on that port and see if we can figure out where it's going since I'm not getting anything very helpful off the switch.  I'll keep you posted.

 

Also, I've enabled auto-recovery for error disabled ports so that I don't have to keep clearing ports.  Seems to have helped.
