Cisco Bug: CSCvs49787 - MAC Address learning failed due to unexpected "port-security" function remaining enabled

Last Modified

Jun 18, 2020

Products (9)

  • Cisco Nexus 7000 Series Switches
  • Cisco Nexus 7000 10-Slot Switch
  • Cisco Nexus 7000 4-Slot Switch
  • Cisco Nexus 7700 6-Slot Switch
  • Cisco Nexus 7000 18-Slot Switch
  • Cisco Nexus 7700 18-Slot Switch
  • Cisco Nexus 7000 9-Slot Switch
  • Cisco Nexus 7700 2-Slot Switch
  • Cisco Nexus 7700 10-Slot Switch

Known Affected Releases

8.1(1) 8.4(1)

Description (partial)

Symptom:
Traffic does not pass because the "port-security" function unexpectedly remains enabled,
even though it is not configured on the interface.

Conditions:
Once an interface has been configured with "port-security", the "port-security" function remains
enabled even after the interface is reset to default and re-configured without "port-security".

n7k# show running-config interface ethernet 5/10

!Command: show running-config interface Ethernet5/10
!Time: Mon Nov 11 15:33:47 2019

version 8.1(1)

interface Ethernet5/10
  switchport access vlan 100
  spanning-tree port type edge
  spanning-tree bpdufilter enable
  link debounce time 0
  logging event port link-status
  no logging event port trunk-status
  storm-control broadcast level 0.01
  storm-control multicast level 0.01
  channel-group 1210 mode active
  no shutdown

n7k# show running-config interface port-channel 1210

!Command: show running-config interface port-channel1210
!Time: Mon Nov 11 15:34:09 2019

version 8.1(1)

interface port-channel1210
  description TEST_20191105
  switchport access vlan 100
  spanning-tree port type edge
  spanning-tree bpdufilter enable
  logging event port link-status
  storm-control broadcast level 0.01
  storm-control multicast level 0.01
  switchport port-security aging type inactivity
  switchport port-security aging time 5
  switchport port-security maximum 3
  switchport port-security
  mac packet-classify
  service-policy type qos input TEST

n7k# 

configure terminal

interface po1210
  shutdown

interface Eth5/10
  shutdown

end

configure terminal

interface Eth5/10
  no channel-group 1210
  no description
  no switchport access vlan 100
  no spanning-tree port type edge
  no spanning-tree bpdufilter enable
  no link debounce time 0
  logging event port link-status default
  no storm-control broadcast level
  no storm-control multicast level


no interface po1210

end

n7k# show running-config interface ethernet 5/10

!Command: show running-config interface Ethernet5/10
!Time: Mon Nov 11 15:45:51 2019

version 8.1(1)

interface Ethernet5/10
  no logging event port trunk-status

n7k# show running-config interface po1210
                                                 ^
Invalid range at '^' marker.
n7k#


n7k# show running-config interface ethernet 5/10

!Command: show running-config interface Ethernet5/10
!Time: Mon Nov 11 15:47:37 2019

version 8.1(1)

interface Ethernet5/10
  switchport access vlan 100
  spanning-tree port type edge
  spanning-tree bpdufilter enable
  link debounce time 0
  logging event port link-status
  no logging event port trunk-status
  storm-control broadcast level 0.01
  storm-control multicast level 0.01
  mac packet-classify
  service-policy type qos input TEST
  no shutdown

n7k# show interface status | grep 5/10
Eth5/10          TEST_NF         connected 100       full    a-10G   10Gbase-SR

n7k# show interface ethernet 5/10
Ethernet5/10 is up
admin state is up, Dedicated Interface
  Hardware: 1000/10000 Ethernet, address: 00cc.fc48.ae01 (bia 00cc.fc48.ae01)
  Description: TEST_NF
/SNIP/
  Load-Interval #1: 30 seconds
    30 seconds input rate 10168 bits/sec, 9 packets/sec <<<
    30 seconds output rate 13304 bits/sec, 12 packets/sec <<<
    input rate 10.17 Kbps, 9 pps; output rate 13.30 Kbps, 12 pps
  Load-Interval #2: 5 minute (300 seconds)
    300 seconds input rate 7232 bits/sec, 6 packets/sec  <<<
    300 seconds output rate 9256 bits/sec, 9 packets/sec <<<<
    input rate 7.23 Kbps, 6 pps; output rate 9.26 Kbps, 9 pps
  RX
    734 unicast packets  0 multicast packets  0 broadcast packets
    734 input packets  93824 bytes

n7k# show mac address-table  | grep 5/10
n7k#

Packets arrive on the interface,
but the MAC address is not learned, so traffic does not pass.
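
A check for the symptom signature shown above, written as an added example (not Cisco's code and not part of the bug record): it flags connected ports that receive packets, have no MAC address-table entry and have no "switchport port-security" in their running configuration. All CLI text in it is constructed sample data modelled on the transcripts above, and the function names are hypothetical.

```python
import re

# Constructed sample CLI output, modelled on the transcripts in this bug description.
RUNNING_CONFIG = """\
interface Ethernet5/10
  switchport access vlan 100
  mac packet-classify
interface Ethernet5/11
  switchport access vlan 100
  switchport port-security
interface Ethernet5/12
  switchport access vlan 100
"""
INTERFACE_STATUS = """\
Eth5/10          TEST_NF         connected 100       full    a-10G   10Gbase-SR
Eth5/11          TEST_PS         connected 100       full    a-10G   10Gbase-SR
Eth5/12          TEST_OK         connected 100       full    a-10G   10Gbase-SR
"""
RX_UNICAST = {"Eth5/10": 734, "Eth5/11": 120, "Eth5/12": 502}  # RX counters from "show interface"
MAC_TABLE = """\
* 100      0000.0c07.ac01    dynamic   0          F    F  Eth5/12
"""

def port_security_configured(running_config):
    """Map short interface name -> True if 'switchport port-security' appears under it."""
    result, current = {}, None
    for line in running_config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1).replace("Ethernet", "Eth")
            result[current] = False
        elif current and line.strip().startswith("switchport port-security"):
            result[current] = True
    return result

def suspect_interfaces(running_config, status, rx_unicast, mac_table):
    """Connected ports with RX traffic, no learned MAC and no port-security configured."""
    configured = port_security_configured(running_config)
    learned = {line.split()[-1] for line in mac_table.splitlines() if line.strip()}
    suspects = []
    for line in status.splitlines():
        fields = line.split()
        if "connected" not in fields:
            continue
        port = fields[0]
        if rx_unicast.get(port, 0) > 0 and port not in learned \
                and not configured.get(port, False):
            suspects.append(port)
    return suspects
```

A port that is flagged here has no configured feature that would explain the missing MAC entry; Eth5/11 in the sample is skipped because port-security is visibly configured on it.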