Symptom
On a trunk interface with a native VLAN configured, the "switchport port-security mac-address" command has "vlan 1" appended to it after the first link flap.
For example:
ZIKA#show run interface gig1/0/1
Building configuration...
Current configuration : 402 bytes
!
interface GigabitEthernet1/0/1
description test
switchport trunk native vlan 866
switchport trunk allowed vlan 866
switchport mode trunk
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address XXXX.XXXX.XXXX
switchport port-security
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast trunk
end
After a link flap:
ZIKA#show run interface gig1/0/1
Building configuration...
Current configuration : 402 bytes
!
interface GigabitEthernet1/0/1
description test
switchport trunk native vlan 866
switchport trunk allowed vlan 866
switchport mode trunk
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address XXXX.XXXX.XXXX vlan 1 --> vlan 1 is added
switchport port-security
storm-control broadcast level 20.00
storm-control action trap
spanning-tree portfast trunk
spanning-tree bpduguard enable
end
Conditions
+ Running IOS 17.3.x, 17.6.x or 17.8.x.
+ Having a trunk interface with a native VLAN configured.
+ Having the "switchport port-security mac-address" command configured.
Workaround
+ Roll back to 16.12.x IOS versions.
+ Change the port back to access mode with no native VLAN configured.
Further Problem Description
+ The issue is reproduced after the first link flap, and sometimes after a "write" command.
+ It will cause a catastrophic outage.
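
An added example, not part of the original bug description and not Cisco tooling: a Python audit over saved "show running-config" text that reports trunk ports meeting the Conditions above (EXPOSED) and ports already showing the Symptom (SYMPTOM). The sample config, MAC addresses, status labels and the rule that a "vlan 1" entry counts as the symptom only when VLAN 1 is neither the native VLAN nor in the allowed list are assumptions.

```python
import re

# Constructed sample config modelled on the outputs above (MACs are made up).
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 866
 switchport trunk allowed vlan 866
 switchport mode trunk
 switchport port-security mac-address 0000.1111.2222 vlan 1
interface GigabitEthernet1/0/2
 switchport trunk native vlan 866
 switchport trunk allowed vlan 866,900-902
 switchport mode trunk
 switchport port-security mac-address 0000.1111.3333
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security mac-address 0000.1111.4444
"""

MAC_RE = re.compile(r"switchport port-security mac-address (?!sticky)\S+(?: vlan (\d+))?$")

def expand_vlans(spec):
    """Expand '866,900-902' into a set of ints; None for keywords such as 'all'."""
    if not re.fullmatch(r"[\d,-]+", spec):
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def field(lines, prefix):
    # Last word of the first line starting with prefix, else None.
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def audit(config):
    """Map each trunk port meeting the listed conditions to EXPOSED or SYMPTOM."""
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines()]
        native = field(lines, "switchport trunk native vlan ")
        static = [m.group(1) for l in lines if (m := MAC_RE.match(l))]
        if "switchport mode trunk" not in lines or native is None or not static:
            continue
        allowed = expand_vlans(field(lines, "switchport trunk allowed vlan ") or "all")
        # Assumed rule: static entry pinned to VLAN 1, which is neither native nor allowed.
        hit = "1" in static and native != "1" and allowed is not None and 1 not in allowed
        findings[lines[0].split()[1]] = "SYMPTOM" if hit else "EXPOSED"
    return findings
```

Calling audit(SAMPLE) reports GigabitEthernet1/0/1 as SYMPTOM and GigabitEthernet1/0/2 as EXPOSED; the access port is skipped. A trunk without an explicit allowed list stays EXPOSED even with a "vlan 1" entry, because VLAN 1 is then a permitted VLAN and the entry cannot be told apart from an intentional one.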