Comware

 View Only
last person joined: 18 hours ago 

Port-security autolearn no violation

This thread has been viewed 2 times
  • 1.  Port-security autolearn no violation

    Posted Oct 04, 2023 05:45 AM

    Hello,

    We want to implement simple endpoint security, which prevents any unknown devices to enter the network. I know it can be achieved with many great technologies, but we started with portsec. The use-case is: Autolearn mode with max count=1 and no aging. While clients do not move it is fine.

    Our problem arises when a client moves from one secure port to another (moves to new room, or whatever).

    Expected behaviour: Since it is a new MAC on the "new" port it should generate violation if that port already had a sticky mac. (I had to say, we tested on Cisco 1100 and it did generate violation) 

    What actually happened: The switch completely disregarded that this secure MAC belongs to another port. It did not generate any alarm. But, as the MAC table with the secure MAC still points to the other port, the endpoint was unable to access the network. It is a dream scenario for troubleshooting :) The port is UP, no alarm, but also no traffic.

    We tested it on 5500, 5130 and even 5140, and I am starting to beleive this is not a bug, but the intended behaviour :)

    Can anyone confirm?

    Thanks in advance,

    TB