02-14-2017 05:58 AM
HPE 5500 - MAC does not age with port-security
Hello,
I have the following configuration for my switch, using 802.1x authentication plus some mac-auth for specific devices.
It works almost fine, but sometimes when a user changes from port A to port B, the MAC address learnt on port B does not age, so the user cannot authenticate on port B. This happens rarely.

interface GigabitEthernet3/0/33
 port link-mode bridge
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 99 untagged
 port hybrid pvid vlan 99
 voice vlan 6 enable
 mac-vlan enable
 poe enable
 stp edged-port enable
 port-security port-mode mac-else-userlogin-secure-ext
 dot1x re-authenticate
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
 undo dot1x handshake
 undo dot1x multicast-trigger
 dot1x eapol untag
#
port-security enable
port-security trap addresslearned
#
dot1x timer supp-timeout 10
dot1x authentication-method eap
I have the following logs when it happens:
Feb 13 15:26:03 2017 SW-DISTRIB-1 %%10RDS/6/RDS_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/33-VlanId=100-MACAddr=AA:BB:CC:DD:EE:FF-IPAddr=N/A-IPv6Addr=N/A-UserName=xxxx@domain; User got online successfully.
Feb 13 15:26:03 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user passed 802.1X authentication and got online successfully.
Feb 13 16:27:40 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user failed the 802.1X authentication.
Feb 13 16:27:41 2017 SW-DISTRIB-1 %%10PORTSEC/5/PORTSEC_VIOLATION(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=-100-IfStatus=Up; Intrusion detected.
Feb 13 16:29:53 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:31:11 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:31:11 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_MACAUTH_LOGOFF(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=aa-bb-cc-dd-ee-ff-UserNameFormat=MAC address; Session of the MAC-AUTH user was terminated.
Feb 13 16:32:42 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:32:54 2017 SW-DISTRIB-1 %%10RDS/6/RDS_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/42-VlanId=100-MACAddr=AA:BB:CC:DD:EE:FF-IPAddr=N/A-IPv6Addr=N/A-UserName=xxxx@domain; User got online successfully.
Feb 13 16:32:54 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user passed 802.1X authentication and got online successfully.

Any idea how to decrease MAC autolearning for 802.1x?
Thanks for your support.
02-16-2017 05:21 AM
Re: HPE 5500 - MAC does not age with port-security
You mention a problem when the user moves from A to B... but the log already shows trouble on port A (lines 3 and 4):
Feb 13 16:27:40 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user failed the 802.1X authentication.
Feb 13 16:27:41 2017 SW-DISTRIB-1 %%10PORTSEC/5/PORTSEC_VIOLATION(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=-100-IfStatus=Up; Intrusion detected.
Seems like this MAC address is first being blocked on Gi3/0/33, and after the move to Gi3/0/42 the MAC address is still black-listed for 5 minutes.
03-01-2017 02:23 AM
Re: HPE 5500 - MAC does not age with port-security
Hi,
I can reproduce the problem. It occurs when the user was plugged in behind a VoIP phone or a desktop switch.
A - the user connects to port 3/0/33, behind a desktop switch; 802.1x authentication is OK
B - he disconnects and reconnects to port 3/0/42:
B.1 - the MAC address is still associated with port 3/0/33 as the interface did not go down (due to the desktop switch)
B.2 - the user cannot authenticate as the MAC address is not associated with the correct interface
C - after the 802.1x reauth period, information about the user connection on the switch goes away, and he can connect again on port 3/0/42
If I do not install a desktop switch on port 3/0/33, there are no issues. If I shut down port 3/0/33, same behaviour (the user can connect again).
I've tried some configurations, without success:
mac-address mac-roaming enable
And
port-security timer autolearn aging 2 (global level)
port-security mac-address dynamic (interface level)
port-security mac-address aging-type inactivity (interface level)
Still no success.
03-30-2017 01:50 PM - edited 03-30-2017 01:52 PM
Re: HPE 5500 - MAC does not age with port-security
Hi, I have the same problem you have. When you disconnect your computer from your VoIP phone, the HP switch does not know that the dot1x client was disconnected. So, that 802.1x client is still authenticated in that switch port. If you connect that same computer in the same switch, the device will report intrusion detection. That is correct. How is it possible that one MAC address that is authenticated in a port requests authentication in another port? It is your VoIP phone that should tell the switch the 802.1x client was disconnected. This feature is sometimes called PROXY LOGOFF. When the computer is disconnected from the phone, the phone sends an EAPOL-Logoff message to the switch. Not every phone has this implementation, but they should have. If you found anything different that works for you, please let me know.
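To make the pattern discussed in this thread visible in a log review, here is an added Python example; it is not HPE code and was not posted by anyone in the thread. It correlates the PORTSEC/RDS syslog lines per MAC address: it tracks the port on which the switch last reported a MAC online, flags an 802.1X failure for a MAC that is still online on a different port (the stale-session case from the first and third posts), and flags a MAC coming online on a new port with no LOGOFF for the old session (the missing proxy-logoff case from the last reply). The sample lines are constructed copies of the ones quoted in the first post; the only assumptions are the Comware message layout those lines show (`%%10MODULE/SEVERITY/MNEMONIC(l): -Key=Value...; text`) and the mnemonic names that appear in the thread.

```python
"""Correlate Comware port-security syslog lines per MAC address.

Added example, not HPE code. It flags the pattern discussed in the thread:
a supplicant that shows up on a new port while the switch still holds its
802.1X session on the old port (no EAPOL-Logoff ever reached the switch).
"""
import re
from collections import namedtuple

# Constructed sample, modelled on the lines quoted in the first post
# (MAC address and user names are the placeholders used there).
SAMPLE_LOG = """\
Feb 13 15:26:03 2017 SW-DISTRIB-1 %%10RDS/6/RDS_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/33-VlanId=100-MACAddr=AA:BB:CC:DD:EE:FF-IPAddr=N/A-IPv6Addr=N/A-UserName=xxxx@domain; User got online successfully.
Feb 13 15:26:03 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user passed 802.1X authentication and got online successfully.
Feb 13 16:27:40 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user failed the 802.1X authentication.
Feb 13 16:27:41 2017 SW-DISTRIB-1 %%10PORTSEC/5/PORTSEC_VIOLATION(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=-100-IfStatus=Up; Intrusion detected.
Feb 13 16:29:53 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:31:11 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:31:11 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_MACAUTH_LOGOFF(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=aa-bb-cc-dd-ee-ff-UserNameFormat=MAC address; Session of the MAC-AUTH user was terminated.
Feb 13 16:32:42 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:32:54 2017 SW-DISTRIB-1 %%10RDS/6/RDS_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/42-VlanId=100-MACAddr=AA:BB:CC:DD:EE:FF-IPAddr=N/A-IPv6Addr=N/A-UserName=xxxx@domain; User got online successfully.
Feb 13 16:32:54 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user passed 802.1X authentication and got online successfully.
"""

# Layout assumed from the quoted lines: "<ts> <host> %%10MOD/SEV/MNEMONIC(l): -k=v-k=v; text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<host>\S+) %%10(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+)\(l\): "
    r"(?P<fields>-.*?); (?P<msg>.*)$"
)
KEY_RE = re.compile(r"-(\w+)=")

Event = namedtuple("Event", "ts host module severity mnemonic fields msg")
Finding = namedtuple("Finding", "ts kind mac port detail")


def parse_fields(fields):
    """Split '-Key=Value-Key=Value' into a dict. Values may themselves contain
    '-' (e.g. UserName=aa-bb-cc-dd-ee-ff, VlanId=-100), so locate the keys
    first and take everything between two keys as the value."""
    keys = list(KEY_RE.finditer(fields))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(fields)
        out[m.group(1)] = fields[m.end():end]
    return out


def parse_line(line):
    """Return an Event for a Comware syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(m["ts"], m["host"], m["module"], int(m["sev"]),
                 m["mnemonic"], parse_fields(m["fields"]), m["msg"])


def analyze(lines):
    """Walk the log in order, remembering per MAC the port on which the switch
    last reported it online, and return the list of findings."""
    online = {}    # mac -> port the switch still considers authenticated
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        mac = ev.fields.get("MACAddr", "").upper()
        port = ev.fields.get("IfName", "")
        if not mac or not port:
            continue
        name = ev.mnemonic
        if name == "RDS_SUCC" or name.endswith("LOGIN_SUCC"):
            prev = online.get(mac)
            if prev and prev != port:
                # Online on a new port while the old session was never logged
                # off: the missing proxy-logoff case from the last reply.
                findings.append(Finding(ev.ts, "moved-without-logoff", mac, port,
                                        "previous session on %s never logged off" % prev))
            online[mac] = port
        elif name.endswith("LOGOFF"):
            # Only a logoff on the tracked port closes the tracked session.
            if online.get(mac) == port:
                del online[mac]
        elif name.endswith("LOGIN_FAILURE"):
            prev = online.get(mac)
            if prev == port:
                findings.append(Finding(ev.ts, "reauth-failure", mac, port,
                                        "online session failed re-authentication"))
            elif prev:
                # The stale-session case: the MAC is still held on another port.
                findings.append(Finding(ev.ts, "stale-session", mac, port,
                                        "still online on %s" % prev))
        elif name == "PORTSEC_VIOLATION":
            findings.append(Finding(ev.ts, "violation", mac, port, ev.msg))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print("%s  %-22s %s on %s (%s)" % f)
```

Run against the sample, the script reports the re-authentication failure and the intrusion on Gi3/0/33, three stale-session failures on Gi3/0/42 while the MAC is still held on Gi3/0/33, and finally the MAC coming online on Gi3/0/42 without any logoff for the Gi3/0/33 session. Feeding it a live syslog export gives a quick count of how often supplicants behind phones or desktop switches are moving without a proxy logoff, which is the evidence to bring to the phone vendor or to justify shortening the re-authentication period.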