So it turns out, after connecting literally 40,000+ devices to the network since I posted this, we have had to roll out this command to a significant portion of the network.
We have many device types that will never respond to ARP requests unless the command 'port-access allow-flood-traffic' is entered under the interface. If the client initiates the connection, the port will come up. Even something as simple as shutting down a port and bringing it back up again keeps the device offline for 10 minutes, and only if it decides to communicate first.
Why isn't this command enabled by default? ARP is an essential network protocol.
Unless there is a global command - I need to somehow push this to all edge ports on different models, different port counts, with different numbers of stacked switches or chassis line cards - it is going to be a mammoth task.
------------------------------
Brett V
------------------------------
Original Message:
Sent: Apr 01, 2024 04:00 AM
From: Shobana Nandakumar
Subject: Devices with single MAC address being blocked by port-security
"Port-Access allow-flood-traffic" CLI is recommended for clients which are non-chatty. When port-security is enabled on the port, both ingress and egress directions will be blocked until the client onboards. The client you have mentioned here could be non-chatty/silent, so enabling this feature will open the egress direction of the port and it may wake up after receiving any ARP broadcast packet. If you are fine with enabling the egress direction of the port, you can enable this CLI in all the edge ports.
------------------------------
Shobana
Aruba
Original Message:
Sent: Mar 07, 2024 09:14 PM
From: BrettV
Subject: Devices with single MAC address being blocked by port-security
Hi all,
I have come across an issue in a greenfield deployment where some ports are being blocked by port-security even when they only have a single MAC address connected.
When I do a 'show interface physical' I see the following. I have hundreds of switches with the same issue. It's mostly the same device type, but not always.
show int physical | i blocked
1/5/3 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
1/5/5 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
1/5/7 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
1/5/9 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
1/5/12 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
1/5/14 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
1/6/34 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
1/6/38 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
1/7/22 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
1/7/26 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
1/7/30 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
Here is an example of one of the interface configs:
description xxxx
no shutdown
no routing
vlan access xxxx
spanning-tree bpdu-guard
spanning-tree tcn-guard
spanning-tree port-type admin-edge
port-access security violation action shutdown
port-access security violation action shutdown auto-recovery enable
port-access security violation action shutdown recovery-timer 60
port-access port-security
enable
no lldp transmit
no lldp receive
loop-protect
exit
When I had the issue on a single device type at a previous customer site, TAC recommended using the command 'port-access allow-flood-traffic' in the interface context. So I tried this on all of the above ports on this site, and they now function correctly.
I'm not running dot1x.
Do I really need to go and add this command to all of the edge ports in my 1000+ switch network just in case they have this issue? Or have I likely hit a bug?
------------------------------
Brett V
------------------------------