Preview Tool

Cisco Bug: CSCuq66142 - Provide a mechanism to protect mac-addresses from being secured

Last Modified

Sep 14, 2019

Products (1)

  • Cisco Catalyst 6000 Series Switches

Known Affected Releases


Description (partial)

In Catalyst 6500, a mac-address entry in the CAM table does not have a port listed.

Switch#show mac-address address 0023.abd6.9000
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age              ports
*  998  0023.abd6.9000   dynamic  Yes          0           <<===

Switch#sh mac-address-table address 0023.abd6.9000 detail
MAC Table shown in details
PI_E RM  RMA Type Alw-Lrn Trap Modified Notify Capture Flood   Mac  Address  Age  Pvlan  SWbits Index  XTag
Yes  No   No  DY    Yes    Yes    No      No     No     No    0023.abd6.9000 0x04 106    0      0xA019 0

"Trap" flag is set to "Yes".
This issue occurs when the frame from the default-gateway is looped by a end-host and the port is configured with Dot1x in restrict mode. Under this scenario, when authentication fails, system installs the mac-address with a drop result.

Catalyst 6500 running 12.2(33)SXI or later release.
Dot1x authentication violation mode set to "restrict".
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.