Understanding Port-Security in Trunks

From: Jorge Cortes <jorge.cortes.cano_at_gmail.com>
Date: Fri, 9 Apr 2010 12:51:17 -0500

Hi Gs,

I have configured port-security in trunk ports and I have come across
the following issue. When the port has the following configuration
applied:

interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 67,146
 switchport mode trunk
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan 67,146
 switchport port-security
 switchport port-security aging time 10
 switchport port-security violation protect
 switchport port-security aging type inactivity

The port is only learning one mac-address, either for VLAN 67 or VLAN
146. I thought that the command "switchport port-security maximum 2"
defined the maximum number of mac-addresses that could be learned on
the port, and the command "switchport port-security maximum 1 vlan
67,146" defined the maximum number of mac-addresses per VLAN. However
somehow it looks like the latter command also defines the maximum
number of mac-address for the port. These are the outputs of the show
commands:

Rack1SW2#sh port-security interface fa0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001d.4687.fb90:146
Security Violation Count : 0

Rack1SW2#sh port-security interface fa0/6 vlan 67
Default maximum: not set, using 6144
VLAN Maximum Current
   67 1 0
Rack1SW2#sh port-security interface fa0/6 vlan 146
Default maximum: not set, using 6144
VLAN Maximum Current
  146 1 1

Although the output of these commands indicates that, in fact, up to two
mac-addresses can be learned on the port, and one address can be
learned for each VLAN on the port, this doesn't seem to be working:

Rack1SW2#sh mac add int fa0/6
          Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
 146 001d.4687.fb90 STATIC Fa0/6
Total Mac Addresses for this criterion: 1

Now, if I change "switchport port-security maximum 1 vlan 67,146" for
"switchport port-security maximum 2 vlan 67,146", the issue is gone
and the port now learns mac-addresses for both VLANs.

interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 67,146
 switchport mode trunk
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan 67,146
 switchport port-security
 switchport port-security aging time 10
 switchport port-security violation protect
 switchport port-security aging type inactivity

Rack1SW2#sh port-security interface fa0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001d.4687.fb90:67
Security Violation Count : 0

Rack1SW2#sh port-security interface fa0/6 vlan 67
Default maximum: not set, using 6144
VLAN Maximum Current
   67 2 1
Rack1SW2#sh port-security interface fa0/6 vlan 146
Default maximum: not set, using 6144
VLAN Maximum Current
  146 2 1

Rack1SW2#sh mac add int fa0/6
          Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
  67 001d.4687.fb90 STATIC Fa0/6
 146 001d.4687.fb90 STATIC Fa0/6
Total Mac Addresses for this criterion: 2

I am running image "flash:c3560-advipservicesk9-mz.122-44.SE2.bin".

Am I misunderstanding something here?

Thanks,
Jorge
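Added example, not part of Jorge's post: a small Python audit that parses the two `show port-security interface` outputs quoted above and reports how much learning headroom the port and each VLAN still have, so the contradiction (VLAN 67 shows room for one address, yet nothing is learned there) is visible at a glance. The sample input is the first set of outputs from the post, embedded as constructed strings; the function names are this example's own.

```python
import re

# Constructed sample input: the first pair of outputs quoted in the post.
PORT_OUTPUT = """Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001d.4687.fb90:146
Security Violation Count : 0
"""

VLAN_OUTPUT = """Default maximum: not set, using 6144
VLAN Maximum Current
   67 1 0
Default maximum: not set, using 6144
VLAN Maximum Current
  146 1 1
"""

def parse_port(text):
    """Return the 'key : value' fields of 'show port-security interface' as a dict."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:                      # separator is ' : ', so the MAC:VLAN value stays intact
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_vlans(text):
    """Return {vlan: (maximum, current)} from the per-VLAN output; header lines do not match."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            vlans[int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return vlans

def audit(port_text, vlan_text):
    """Summarise headroom: how many more addresses the port and each VLAN may still learn."""
    port, vlans = parse_port(port_text), parse_vlans(vlan_text)
    report = {
        "violation_mode": port["Violation Mode"],
        "violations": int(port["Security Violation Count"]),
        "port_headroom": int(port["Maximum MAC Addresses"]) - int(port["Total MAC Addresses"]),
        "vlan_headroom": {v: mx - cur for v, (mx, cur) in vlans.items()},
    }
    report["vlans_at_capacity"] = sorted(v for v, h in report["vlan_headroom"].items() if h == 0)
    return report
```

Because the port runs in protect mode, which drops offending frames without notifying you, these counters are the only visibility into what the port is refusing to learn.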

Received on Fri Apr 09 2010 - 12:51:17 ART
