...
Customer has a BGP EVPN setup and port-security is a must. The MAC address is not installed in the L2route table when port-security is enabled; it works when port-security is disabled. The issue is seen on 9.2.2 and 9.2.3, and is not seen on 9.2.1.

N9K-C9364C-2# sh mac address-table vlan 10
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*   10     7483.ef26.2939   secure   -         T      F    Po6

N9K-C9364C-2# sh l2route evpn mac evi 10
Flags -(Rmac):Router MAC (Stt):Static (L):Local (R):Remote (V):vPC link
(Dup):Duplicate (Spl):Split (Rcv):Recv (AD):Auto-Delete (D):Del Pending
(S):Stale (C):Clear, (Ps):Peer Sync (O):Re-Originated (Nho):NH-Override
(Pf):Permanently-Frozen, (Orp): Orphan

Topology    Mac Address    Prod   Flags         Seq No     Next-Hops
----------- -------------- ------ ------------- ---------- ----------------

- not working, 9.2.2 or 9.2.3:

HW: N9K-C9364C
SW: nxos.9.2.2.bin

N9K-C9364C-2# sh mac address-table vlan 10
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*   10     7483.ef26.2939   secure   -         T      F    Po6

N9K-C9364C-2# sh l2route evpn mac evi 10
Flags -(Rmac):Router MAC (Stt):Static (L):Local (R):Remote (V):vPC link
(Dup):Duplicate (Spl):Split (Rcv):Recv (AD):Auto-Delete (D):Del Pending
(S):Stale (C):Clear, (Ps):Peer Sync (O):Re-Originated (Nho):NH-Override
(Pf):Permanently-Frozen, (Orp): Orphan

Topology    Mac Address    Prod   Flags         Seq No     Next-Hops
----------- -------------- ------ ------------- ---------- ----------------

N9K-C9364C-2# sh bgp l2vpn evpn
BGP routing table information for VRF default, address family L2VPN EVPN
BGP table version is 1, Local Router ID is 2.2.2.2
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 2.2.2.2:32777    (L2VNI 50010)
l[3]:[0]:[32]:[12.12.12.12]/88
                      12.12.12.12                       100      32768 i

Route Distinguisher: 2.2.2.2:32787    (L2VNI 50020)
l[3]:[0]:[32]:[12.12.12.12]/88
                      12.12.12.12                       100      32768 i

- it is working on 9.2.1
- it is working on 9.2.2 without port-security.

N9K-C9364C-1# show mac address-table vlan 10
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*   10     7483.ef26.2838   dynamic  0         F      F    Po5

N9K-C9364C-1# show l2route evpn mac evi 10
Flags -(Rmac):Router MAC (Stt):Static (L):Local (R):Remote (V):vPC link
(Dup):Duplicate (Spl):Split (Rcv):Recv (AD):Auto-Delete (D):Del Pending
(S):Stale (C):Clear, (Ps):Peer Sync (O):Re-Originated (Nho):NH-Override
(Pf):Permanently-Frozen

Topology    Mac Address    Prod   Flags         Seq No     Next-Hops
----------- -------------- ------ ------------- ---------- ----------------
10          7483.ef26.2838 Local  L,            0          Po5

N9K-C9364C-1# show bgp l2vpn evpn
BGP routing table information for VRF default, address family L2VPN EVPN
BGP table version is 71, Local Router ID is 1.1.1.1
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 1.1.1.1:32777    (L2VNI 50010)
*>l[2]:[0]:[0]:[48]:[7483.ef26.2838]:[0]:[0.0.0.0]/216
                      12.12.12.12                       100      32768 i
*>l[2]:[0]:[0]:[48]:[7483.ef26.2838]:[32]:[10.0.10.11]/248
                      12.12.12.12                       100      32768 i

- configuration on interface

N9K-C9364C-1# show run int p05

!Command: show running-config interface port-channel5
!Running configuration last done at: Tue Feb 19 05:16:46 2019
!Time: Tue Feb 19 05:21:08 2019

version 9.2(2) Bios:version 05.33

interface port-channel5
  description Stackpath_B
  switchport
  switchport access vlan 10
  spanning-tree port type edge
  spanning-tree bpduguard enable
  spanning-tree guard root
  spanning-tree bpdufilter enable
  storm-control broadcast level 0.34
  switchport port-security
  switchport port-security mac-address 7483.EF26.2838 <<<<
When port-security is enabled with static-secure MAC config.
Make sure to program the port with the port-security config ahead of the static-secure MAC config on the port.
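The symptom above (a MAC shown as "secure" in the MAC table but absent from "show l2route evpn mac") can be checked across many VLANs by comparing the two outputs. The following is an added example, not part of the original bug report or any Cisco tooling; the sample text is constructed from the captures above, the function names are hypothetical, and it assumes the L2route topology ID equals the VLAN ID, as it does in those captures.

```python
import re

MAC_RE = r"[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}"

# Constructed sample: rows from both switches merged into one MAC table.
MAC_TABLE = """\
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*   10     7483.ef26.2939   secure   -         T      F    Po6
*   10     7483.ef26.2838   dynamic  0         F      F    Po5
"""

# Constructed sample: only the dynamic MAC made it into the L2route table.
L2ROUTE = """\
Topology    Mac Address    Prod   Flags         Seq No     Next-Hops
----------- -------------- ------ ------------- ---------- ----------------
10          7483.ef26.2838 Local  L,            0          Po5
"""

def local_macs(mac_table_text):
    """Parse 'show mac address-table' rows into {(vlan, mac): (type, port)}."""
    row = re.compile(
        rf"^[*+~GOC \t]*(\d+)[ \t]+({MAC_RE})[ \t]+(\S+)[ \t]+\S+"
        rf"[ \t]+[TF][ \t]+[TF][ \t]+(\S+)", re.M)
    return {(int(v), m.lower()): (t.lower(), p)
            for v, m, t, p in row.findall(mac_table_text)}

def l2rib_macs(l2route_text):
    """Parse 'show l2route evpn mac' rows into a set of (topology, mac)."""
    row = re.compile(rf"^[ \t]*(\d+)[ \t]+({MAC_RE})[ \t]+\S+", re.M)
    return {(int(t), m.lower()) for t, m in row.findall(l2route_text)}

def secure_macs_missing_from_l2rib(mac_table_text, l2route_text, vlan):
    """Return (mac, port) for secure MACs in the VLAN with no L2route entry.

    Assumption: the L2route topology ID is the VLAN ID.
    """
    l2rib = l2rib_macs(l2route_text)
    return sorted(
        (mac, port)
        for (v, mac), (typ, port) in local_macs(mac_table_text).items()
        if v == vlan and typ == "secure" and (v, mac) not in l2rib)

if __name__ == "__main__":
    for mac, port in secure_macs_missing_from_l2rib(MAC_TABLE, L2ROUTE, 10):
        print(f"vlan 10: secure MAC {mac} on {port} is not in the L2route table")
```

A MAC reported by this check is learned locally but has no L2route entry, which matches the failing capture, where no type-2 route for the secure MAC appears in the BGP L2VPN EVPN table.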