3 Replies Latest reply on Mar 8, 2018 11:35 AM by bourlis

    UDT discovering STATIC MACs versus DYNAMIC MACs

    bourlis

      I need assistance from the collective.  Here’s the issue:

      We implemented Cisco Port-Security some time ago to lock down VoIP phones for e911.  I believe I just found an issue with UDT and Cisco Port-Security and how MAC addresses are discovered.

      Here’s a breakdown:

      We have a Cisco 3650-48 PS.  Some ports have port-security enabled, some don't.  For a switchport with a VoIP phone and a PC and with Port-Security disabled, UDT shows both the PC and the VoIP phone.  However, on the switchport that has port-security enabled, UDT only shows the PC.  The port without port-security lists the MAC address as DYNAMIC while the port with port-security shows the MAC address as STATIC.  A quick Cisco document confirmed this was a valid thing, so my next logical step was to remove port-security to see what SolarWinds would do.

      Here are the results:

       

      # sh run int gig 1/0/2
      description no port-security
      switchport access vlan 99
      switchport mode access
      switchport voice vlan 199
      switchport port-security maximum 2
      switchport port-security violation restrict
      !
      # sh mac address-table int gig 1/0/2
      Vlan    Mac Address       Type       Ports
      ----    -----------       ----       -----
      99      0024.b5xx.xxxx    DYNAMIC    Gi1/0/2
      99      1803.73xx.xxxx    DYNAMIC    Gi1/0/2
      199     0024.b5xx.xxxx    DYNAMIC    Gi1/0/2

      <UDT shows both MAC addresses>

       

      # sh run int gig 1/0/7
      description port-security
      switchport access vlan 99
      switchport mode access
      switchport voice vlan 199
      switchport port-security
      switchport port-security maximum 2
      switchport port-security violation restrict
      !
      # sh mac address-table int gig 1/0/7
      Vlan    Mac Address       Type       Ports
      ----    -----------       ----       -----
      99      1803.73xx.xxxx    STATIC     Gi1/0/7
      199     0016.65xx.xxxx    STATIC     Gi1/0/7

      <UDT only shows one MAC address, the PC on vlan 99. UDT will not show the other MAC address no matter what I did>
      <That is until I did the following>

       

      # config t
      (config)# int gig 1/0/7
      (config-if)# no switchport port-security
      (config-if)# exit

      <now the fun part>

       

      # sh mac address-table int gig 1/0/7
      Vlan    Mac Address       Type       Ports
      ----    -----------       ----       -----
      99      1803.73xx.xxxx    DYNAMIC    Gi1/0/7
      199     0016.65xx.xxxx    DYNAMIC    Gi1/0/7

      <Rediscovered the switch and suddenly UDT is showing both of the MAC addresses for interface Gi 1/0/7>

       

      So here’s what I need assistance with.

      A – Can someone reproduce this in your environment?
      B – Can someone “in the know” please confirm if UDT only discovers DYNAMIC MAC addresses?

      If both are a yes, then an enhancement request needs to be made that allows UDT to discover both STATIC and DYNAMIC MAC addresses. And if that’s not possible and a bad idea, please explain why.
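      A small checker, added here as an example and not part of the original post or of UDT: it parses `show mac address-table` rows like the ones above, summarizes entries per port by learning type, and diffs the switch's table against the set of (port, MAC) pairs a discovery tool reported. The sample table and the `UDT_OBSERVED` set are constructed from the masked values in the post; `dynamic_only_view` models hypothesis B (a tool that imports only DYNAMIC entries) so it can be compared against what was actually observed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the masked "sh mac address-table" output for
# Gi1/0/7 in the post above (the xx masking is kept as the poster wrote it).
MAC_TABLE_GI_1_0_7 = """\
Vlan    Mac Address       Type       Ports
----    -----------       ----       -----
99      1803.73xx.xxxx    STATIC     Gi1/0/7
199     0016.65xx.xxxx    STATIC     Gi1/0/7
"""

# Constructed: the (port, mac) pairs the poster reports UDT displayed for the
# same port while port-security was enabled (only the PC on VLAN 99).
UDT_OBSERVED = {("Gi1/0/7", "1803.73xx.xxxx")}

# One table row: VLAN, dotted-hex MAC (masked digits allowed), type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fx]{4}\.[0-9a-fx]{4}\.[0-9a-fx]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Parse 'show mac address-table' rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, mtype, port = m.groups()
        rows.append({"vlan": int(vlan), "mac": mac.lower(), "type": mtype.upper(), "port": port})
    return rows


def summarize_by_port(rows):
    """Count entries per port and learning type, e.g. {'Gi1/0/7': {'STATIC': 2}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        summary[r["port"]][r["type"]] += 1
    return {port: dict(types) for port, types in summary.items()}


def dynamic_only_view(rows):
    """(port, mac) pairs a tool would show if it imported only DYNAMIC entries.
    This models the poster's hypothesis B; it is not a statement about how UDT works."""
    return {(r["port"], r["mac"]) for r in rows if r["type"] == "DYNAMIC"}


def missing_from(rows, observed):
    """Rows present in the switch table whose (port, mac) pair is absent from 'observed'."""
    return [r for r in rows if (r["port"], r["mac"]) not in observed]


if __name__ == "__main__":
    rows = parse_mac_table(MAC_TABLE_GI_1_0_7)
    print(summarize_by_port(rows))
    for r in missing_from(rows, UDT_OBSERVED):
        print(f"in switch table but not observed: vlan {r['vlan']} {r['mac']} {r['type']} {r['port']}")
    # Does a DYNAMIC-only import alone reproduce what was observed?
    print("dynamic-only view matches observation:", dynamic_only_view(rows) == UDT_OBSERVED)
```

      Run against the sample it reports the VLAN 199 STATIC entry as the one not observed, and the hypothesis check prints False, because a DYNAMIC-only view would have hidden the VLAN 99 STATIC entry as well; that difference is a useful thing to carry into a comparison against the switch's own SNMP data rather than the CLI alone.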

        • Re: UDT discovering STATIC MACs versus DYNAMIC MACs
          mesverrum

          Whenever something strange seems to be happening in UDT I always go to the source: use SNMP to query your device under all of the scenarios you tested.  If somehow Cisco is restricting the output of their devices based on the security setting then SolarWinds is only going to show the information they present, and the place to make your feature request would be at Cisco.  UDT doesn't utilize the CLI to get info like that, so there is not much value in comparing it to the CLI outputs.

          • Re: UDT discovering STATIC MACs versus DYNAMIC MACs
            rschroeder

            I verify seeing the same behavior in my Cisco network.

            But consider tweaking your testing slightly, just to be 100% certain of the actual cause and condition.  We all expect that disabling port-security on a switchport "should be" all that is taken into account by the switch, no matter what other port-security settings are present.  But you've left other port-security settings present on the port while disabling port-security.  I'd just want to KNOW that those "unused" port-security settings do not in any way affect how the switch reacts to data & VoIP VLAN MAC addresses when port-security is not enabled on the port.

            Does the port react the same way for MAC address counts when you also remove ALL port-security settings while disabling port-security on the port?  Or do you see different behavior when you have "port-security maximum" and "port-security violation" commands present on the same port for which port-security has been disabled, but not totally removed?

              • Re: UDT discovering STATIC MACs versus DYNAMIC MACs
                bourlis

                rschroeder

                It has been my experience that the switch ignores any remaining port-security command lines as the feature is disabled by the "no switchport port-security" command.  In fact that is our default configuration for switches: all switches have the port-security commands minus the command that enables it.  Nodes on the switch can move around freely and UDT is updated when a discovery is run.

                Hopefully I'm answering your question correctly.