...
When configuring MAB/802.1X and port-security, if a user in the Data VLAN is assigned the Voice Domain as a result of an ISE authorization policy or a Critical Voice VLAN template, and continues sending traffic on the Data VLAN, port-security ignores the incoming packets and does not refresh or install the MAC address in the MAC table / port-security table. "debug port-security" constantly shows the following logs for the received packets:

*May 23 23:20:48: PSECURE: swidb = GigabitEthernet3/0/48 mac_addr = cafe.cafe.cafa vlanid = 115
*May 23 23:20:48: PSECURE: PSECURE PKT ENQ: psecure receives a packet: addr = cafe.cafe.cafa, swidb = Gi3/0/48, vlan = 115, linktype = NullPak
*May 23 23:20:48: PSECURE: mat_cookie=115
*May 23 23:20:48: PSECURE: Read:3238, Write:3239

Traffic is accepted on ingress, as expected given the default "no access-session voice skip-data-vlan" configuration, but egress traffic is forwarded as unknown unicast flooding. This can impact features that do not support flooding, such as DHCP Snooping.
A MAC address previously learned on the Data VLAN and secured by port-security changes to the Voice VLAN as a result of an ISE / Subscriber policy triggered change.

Before Voice VLAN change - Data VLAN 115:

*May 24 00:21:16: PSECURE: swidb = GigabitEthernet3/0/48 mac_addr = cafe.cafe.cafa vlanid = 115
*May 24 00:21:16: PSECURE: Adding cafe.cafe.cafa as dynamic on port Gi3/0/48 for vlan 115

Switch-LAB#show port-security int gi 3/0/48 add
          Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                       Ports      Remaining Age
                                                                   (mins)
----    -----------       ----                       -----      -------------
 115    cafe.cafe.cafa    SecureDynamic              Gi3/0/48      10 (I)
-------------------------------------------------------------------------------

After Voice VLAN change - Voice VLAN 115:

*May 24 00:30:30: PSECURE: psecure_del_addr: Deleting secure MAC address cafe.cafe.cafa on port: Gi3/0/48
*May 24 00:30:30: PSECURE: Adding address vlan 215 cafe.cafe.cafa to port-security

Switch#show port-sec int gi 3/0/48 add
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                       Ports      Remaining Age
----    -----------       ----                       -----      -------------
 215    cafe.cafe.cafa    SecureDynamic(Identity)    Gi3/0/48      10 (I)
-------------------------------------------------------------------------------

- Checking with EPC (Embedded Packet Capture) confirms that traffic is still received on the Data VLAN. The existing static entry in the MAC table for the Data VLAN is not refreshed, expires after the inactivity timer even though packets are being received, and is not re-installed in the MAC table after it expires.
- Do not use port-security inactivity/absolute timers in combination with Dot1x Critical Voice VLAN on Data Clients.
Affects Catalyst 9000 series switches running 16.12.5 and 17.3.3, when port-security timers are used in combination with Critical Voice VLAN on data clients. The Data VLAN client is moved to the Critical Voice VLAN when the AAA server is down. If port-security timers are enabled, the MAC entry in the Data VLAN then ages out and is removed. Since this MAC has already been learned in the Voice VLAN, it is not re-learned in the Data VLAN, which causes the data traffic from this MAC to flood. Similar to bug CSCvs91593, but the port-security scenario is not covered there.
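The workaround above is a configuration rule, so the practical check is to find every access port on which the two features meet. The following script is an added example, not part of the Cisco bug text and not a Cisco tool: it walks an IOS-XE style running configuration and reports interfaces that have port-security aging timers together with a Critical Voice VLAN, in either the legacy form ("authentication event server dead action authorize voice") or the IBNS 2.0 form (a "service-policy type control subscriber" whose policy-map activates a service-template containing "voice vlan"). The configuration text, interface numbers, and the template and policy-map names are constructed for the example; only the CLI keywords are real.

```python
"""Audit an IOS-XE running config for the port-security aging + Critical Voice VLAN
combination described in this bug.  Added example; the sample config is constructed."""
import re

# Constructed sample: three ports, two of which combine port-security aging with a
# Critical Voice VLAN (one IBNS 2.0 style, one legacy style), one that is clean.
SAMPLE_CONFIG = """\
service-template CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template CRITICAL_DATA_TEMPLATE
 vlan 115
!
policy-map type control subscriber PMAP_WIRED_DOT1X_MAB
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_DATA_TEMPLATE
   20 activate service-template CRITICAL_VOICE_TEMPLATE
   30 authorize
!
interface GigabitEthernet3/0/48
 switchport access vlan 115
 switchport voice vlan 215
 switchport port-security maximum 3
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security
 service-policy type control subscriber PMAP_WIRED_DOT1X_MAB
!
interface GigabitEthernet3/0/47
 switchport access vlan 115
 switchport voice vlan 215
 switchport port-security aging time 10
 switchport port-security
 authentication event server dead action authorize voice
!
interface GigabitEthernet3/0/46
 switchport access vlan 115
 switchport voice vlan 215
 switchport port-security maximum 3
 switchport port-security
 service-policy type control subscriber PMAP_WIRED_DOT1X_MAB
!
"""


def parse_blocks(config):
    """Split an IOS config into (header, [child lines]) blocks.
    Top-level commands start in column 0; indented lines belong to the preceding header."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def voice_templates(blocks):
    """Names of service-templates that carry 'voice vlan' (i.e. put the host in the Voice Domain)."""
    return {h.split()[1] for h, body in blocks
            if h.startswith("service-template ") and "voice vlan" in body}


def critical_voice_policies(blocks, templates):
    """Subscriber policy-maps that activate one of those voice service-templates."""
    policies = set()
    for header, body in blocks:
        if header.startswith("policy-map type control subscriber "):
            for line in body:
                m = re.match(r"\d+\s+activate service-template (\S+)", line)
                if m and m.group(1) in templates:
                    policies.add(header.split()[-1])
    return policies


def audit(config):
    """Return one finding per interface that combines port-security aging with Critical Voice VLAN."""
    blocks = parse_blocks(config)
    policies = critical_voice_policies(blocks, voice_templates(blocks))
    findings = []
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        aging = [l for l in body if l.startswith("switchport port-security aging")]
        legacy = "authentication event server dead action authorize voice" in body
        ibns2 = any(l.startswith("service-policy type control subscriber ")
                    and l.split()[-1] in policies for l in body)
        if "switchport port-security" in body and aging and (legacy or ibns2):
            findings.append({"interface": header.split(None, 1)[1],
                             "aging": aging,
                             "critical_voice": "legacy" if legacy else "ibns2"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['interface']}: critical voice ({f['critical_voice']}) with {', '.join(f['aging'])}")
```

Run against a saved "show running-config" instead of SAMPLE_CONFIG to list the ports whose aging timers should be removed while the critical voice VLAN remains in use. The check deliberately requires "switchport port-security" to be present, since aging commands on a port where port-security is not enabled have no effect.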