Wired Intelligent Edge


Devices with single MAC address being blocked by port-security

  • 1.  Devices with single MAC address being blocked by port-security

    Posted Mar 07, 2024 09:14 PM

    Hi all,

    I have come across an issue in a greenfield deployment where some ports are being blocked by port-security even when they only have a single MAC address connected.

    When I do a 'show interface physical' I see the following. I have hundreds of switches with the same issue. It's mostly the same device type, but not always.

    show int physical | i blocked

    1/5/3       5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/5/5       5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/5/7       5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/5/9       5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/5/12      5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G                    
    1/5/14      5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/6/34      5G-SmartRate   blocked  up       1G       auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/6/38      5G-SmartRate   blocked  up       1G       auto      --       off      0.00      100M/1G/2.5G/5G                       
    1/7/22      5G-SmartRate   blocked  up       1G       auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/7/26      5G-SmartRate   blocked  up       1G       auto      --       off      0.00      100M/1G/2.5G/5G                        
    1/7/30      5G-SmartRate   blocked  up       1G       auto      --       off      0.00      100M/1G/2.5G/5G                       

    Here is an example of one of the interface configs:

        description xxxx
        no shutdown
        no routing
        vlan access xxxx
        spanning-tree bpdu-guard
        spanning-tree tcn-guard
        spanning-tree port-type admin-edge
        port-access security violation action shutdown
        port-access security violation action shutdown auto-recovery enable
        port-access security violation action shutdown recovery-timer 60
        port-access port-security
            enable
        no lldp transmit
        no lldp receive
        loop-protect
        exit

    When I had the issue on a single device type at a previous customer site, TAC recommended using the command 'port-access allow-flood-traffic' in the interface context. So I tried this on all of the above ports on this site, and they now function correctly.

    I'm not running dot1x.

    Do I really need to go and add this command to all of the edge ports in my 1000+ switch network just in case they have this issue? Or have I likely hit a bug?



    ------------------------------
    Brett V
    ------------------------------


  • 2.  RE: Devices with single MAC address being blocked by port-security

    Posted 25 days ago

    The "port-access allow-flood-traffic" CLI is recommended for clients that are non-chatty. When port-security is enabled on the port, both the ingress and egress directions are blocked until the client onboards. The client you have mentioned here could be non-chatty/silent, so enabling this feature will open the egress direction of the port and the client may wake up after receiving an ARP broadcast packet. If you are fine with enabling the egress direction of the port, you can enable this CLI on all the edge ports.



    ------------------------------
    Shobana
    Aruba
    ------------------------------
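As an added example (not code from the thread, from HPE Aruba, or from either poster), the script below takes exported `show interface physical` and `show running-config` text and works out which blocked ports actually match the pattern described above (port-security enabled, no `port-access allow-flood-traffic`), so the workaround is applied only where it fits rather than blindly to every edge port. The show output and config excerpt are constructed samples modelled on Brett's post; the column position of the status field, the `interface ... exit` block layout and the nested `enable` line under `port-access port-security` are assumptions about the AOS-CX text format, and the verdict strings and function names are the example's own.

```python
from typing import Dict, List

# Constructed sample (not real device output): "show interface physical
# | include blocked" in the layout quoted in the thread; column 3 = status.
SHOW_INT_PHYSICAL = """\
1/5/3       5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G
1/5/5       5G-SmartRate   blocked  up       100M-FDx auto      --       off      0.00      100M/1G/2.5G/5G
1/6/34      5G-SmartRate   blocked  up       1G       auto      --       off      0.00      100M/1G/2.5G/5G
1/6/36      5G-SmartRate   up       up       1G       auto      --       off      0.00      100M/1G/2.5G/5G
"""

# Constructed "show running-config" excerpt: 1/5/3 follows the thread's
# template, 1/5/5 already has allow-flood-traffic, 1/6/34 has no port-security.
RUNNING_CONFIG = """\
interface 1/5/3
    no shutdown
    vlan access 100
    port-access port-security
        enable
    loop-protect
    exit
interface 1/5/5
    no shutdown
    vlan access 100
    port-access allow-flood-traffic
    port-access port-security
        enable
    exit
interface 1/6/34
    no shutdown
    vlan access 100
    loop-protect
    exit
"""

ALLOW_FLOOD = "port-access allow-flood-traffic"
ADD = "add allow-flood-traffic"
ALREADY = "allow-flood-traffic already present; blocked for another reason"
NO_PSEC = "port-security not enabled; this workaround does not apply"
UNKNOWN = "interface not found in running-config"


def blocked_ports(show_output: str) -> List[str]:
    """Port names whose status column reads 'blocked'."""
    rows = [line.split() for line in show_output.splitlines()]
    return [r[0] for r in rows if len(r) >= 3 and r[2] == "blocked"]


def parse_interfaces(running_config: str) -> Dict[str, List[str]]:
    """Map each top-level 'interface X' block to its lines (indentation kept)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif current is not None and line.strip() == "exit":
            current = None                      # end of the interface context
        elif current is not None:
            blocks[current].append(line)
    return blocks


def port_security_enabled(lines: List[str]) -> bool:
    """True when 'port-access port-security' is followed by a nested 'enable'."""
    for i, line in enumerate(lines[:-1]):
        if line.strip() == "port-access port-security":
            nxt = lines[i + 1]
            deeper = len(nxt) - len(nxt.lstrip()) > len(line) - len(line.lstrip())
            return nxt.strip() == "enable" and deeper
    return False


def remediation_plan(show_output: str, running_config: str) -> Dict[str, str]:
    """Classify every blocked port so only the matching ones get the workaround."""
    interfaces = parse_interfaces(running_config)
    plan: Dict[str, str] = {}
    for port in blocked_ports(show_output):
        lines = interfaces.get(port)
        if lines is None:
            plan[port] = UNKNOWN
        elif not port_security_enabled(lines):
            plan[port] = NO_PSEC                # e.g. loop-protect or bpdu-guard acting
        elif any(l.strip() == ALLOW_FLOOD for l in lines):
            plan[port] = ALREADY
        else:
            plan[port] = ADD
    return plan


def render_cli(plan: Dict[str, str]) -> str:
    """AOS-CX config-context commands for the ports marked ADD, ready to paste."""
    out: List[str] = []
    for port, verdict in plan.items():
        if verdict == ADD:
            out += [f"interface {port}", f"    {ALLOW_FLOOD}", "    exit"]
    return "".join(f"{l}\n" for l in out)
```

Run `remediation_plan(SHOW_INT_PHYSICAL, RUNNING_CONFIG)` and feed `render_cli()` of the result into your config push; afterwards re-run `show interface physical` and confirm the treated ports no longer show `blocked`. Ports that are blocked without port-security enabled, or that already carry `allow-flood-traffic`, are flagged instead of touched, since the thread's workaround does not explain those. Keep the trade-off from the reply above in mind before rolling this out fleet-wide: `allow-flood-traffic` opens the egress direction before the client has onboarded, so a device that has not yet been learned by port-security will already receive the VLAN's broadcast and flood traffic.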