Hi all,
I have come across an issue in a greenfield deployment where some ports are being blocked by port-security even when they only have a single MAC address connected.
When I do a 'show interface physical' I see the following. I have hundreds of switches with the same issue. It's mostly the same device type, but not always.
    show int physical | i blocked
    1/5/3 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
    1/5/5 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
    1/5/7 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
    1/5/9 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
    1/5/12 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
    1/5/14 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
    1/6/34 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
    1/6/38 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
    1/7/22 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
    1/7/26 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
    1/7/30 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
Here is an example of one of the interface configs:
    description xxxx
    no shutdown
    no routing
    vlan access xxxx
    spanning-tree bpdu-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    port-access security violation action shutdown
    port-access security violation action shutdown auto-recovery enable
    port-access security violation action shutdown recovery-timer 60
    port-access port-security
        enable
    no lldp transmit
    no lldp receive
    loop-protect
    exit
When I had the issue on a single device type at a previous customer site, TAC recommended using the command 'port-access allow-flood-traffic' in the interface context. So I tried this on all of the above ports on this site, and they now function correctly.
I'm not running dot1x.
Do I really need to go and add this command to all of the edge ports in my 1000+ switch network just in case they have this issue? Or have I likely hit a bug?
------------------------------
Brett V
------------------------------
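
Added example, not part of the original post and not vendor code: a Python sketch that reads saved `show int physical | i blocked` output, reports which ports are blocked and at what link speed, and emits the `port-access allow-flood-traffic` workaround for only those ports instead of every edge port. The column positions (port, type, state, link, speed) are an assumption inferred from the rows quoted above, and the sample text is constructed from them.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the layout quoted in the post,
# deliberately out of order, plus the echoed command line as noise.
SAMPLE = """\
show int physical | i blocked
1/5/12 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
1/6/34 5G-SmartRate blocked up 1G auto -- off 0.00 100M/1G/2.5G/5G
1/5/3 5G-SmartRate blocked up 100M-FDx auto -- off 0.00 100M/1G/2.5G/5G
"""

PORT_RE = re.compile(r"^\d+/\d+/\d+$")  # member/slot/port


def port_key(port):
    """Sort 1/5/3 before 1/5/12 (numeric, not lexical, ordering)."""
    return tuple(int(part) for part in port.split("/"))


def blocked_ports(output):
    """Return sorted (port, link_speed) pairs for rows whose state is 'blocked'."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        # Assumed columns: 0=port, 1=type, 2=state, 3=link, 4=speed
        if len(fields) >= 5 and PORT_RE.match(fields[0]) and fields[2] == "blocked":
            rows.append((fields[0], fields[4]))
    return sorted(rows, key=lambda row: port_key(row[0]))


def speed_summary(rows):
    """Count blocked ports per negotiated speed, to spot a device-type pattern."""
    return dict(Counter(speed for _, speed in rows))


def workaround_config(rows):
    """Build interface stanzas applying the workaround named in the post."""
    lines = []
    for port, _ in rows:
        lines += [f"interface {port}", "    port-access allow-flood-traffic", "    exit"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = blocked_ports(SAMPLE)
    print(speed_summary(found))
    print(workaround_config(found))
```

Running it per switch before and after the change gives a record of which ports needed the workaround, which is useful evidence for a TAC case.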