Client interface shutdown after reboot on AR550

Publication Date:  2019-07-17  |   Views:  414  |   Downloads:  0  |   Author:  SU1001719978  |   Document ID:  EKB1000090470

Issue Description

When the customer restarted the router (with the reboot command or by cutting electrical power), the client interfaces (connected to IP cameras) became administratively shut down once the router booted up. Topology as below:

Alarm Information

Down state for every interface connected to the IP cameras after router reboots:


display interface before reboot:

Ethernet0/0/0 current state : UP
Line protocol current state : UP
Description:ETC80020_MAC-0000-541E-F20F
Switch Port, PVID :  115, TPID : 8100(Hex), The Maximum Frame Length is 1628
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is aaaa-aaaa-aaaa
Last physical up time   : 2015-11-06 14:56:55 UTC+01:00
Last physical down time : 2015-11-06 14:23:39 UTC+01:00
Current system time: 2015-11-09 12:14:15+01:00
Port Mode: COMMON COPPER
Speed :  100,  Loopback: NONE
Duplex: FULL,  Negotiation: ENABLE
Mdi   : AUTO,  Clock   : -
Last 300 seconds input rate 32920 bits/sec, 48 packets/sec
Last 300 seconds output rate 29336 bits/sec, 52 packets/sec
Input peak rate 35088 bits/sec,Record time: 2015-11-07 02:54:42
Output peak rate 42352 bits/sec,Record time: 2015-11-09 11:50:24


display interface after reboot:

Ethernet0/0/0 current state : Administratively DOWN
Line protocol current state : DOWN
Description:ETC80020_MAC-0000-541E-F20F
Switch Port, PVID :  115, TPID : 8100(Hex), The Maximum Frame Length is 1628
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is aaaa-aaaa-aaaa
Last physical up time   : 2015-11-09 12:20:35 UTC+01:00
Last physical down time : 2015-11-09 12:20:44 UTC+01:00
Current system time: 2015-11-09 13:56:32+01:00
Port Mode: COMMON COPPER
Speed :  100,  Loopback: NONE
Duplex: FULL,  Negotiation: ENABLE
Mdi   : AUTO,  Clock   : -
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 0 bits/sec,Record time: -
Output peak rate 0 bits/sec,Record time: -

Handling Process

1. We checked the port configuration toward the IP cameras.


#
interface Ethernet0/0/6
port link-type access
port default vlan 113
stp edged-port enable
arp anti-attack check user-bind enable
ip source check user-bind enable
port-security enable
port-security protect-action shutdown
port-security mac-address sticky
dhcp snooping enable
dhcp snooping check user-bind enable
#

The interesting finding was that port-security was configured on the port with a protect action that can shut the port down. But why would the port shut down when only one IP camera is connected? By default, one MAC address can be learned. The port-security mac-address sticky command keeps the learned MAC address even after a reboot. So what happens after the reboot? The only explanation we could find is that the IP camera initiates traffic with a different source MAC address, which causes the port to take the protect action and shut down.


2. We advised the customer to configure the command port-security max-mac-num 100 on the ports and to check whether the ports were still shut down after rebooting the AR router.


3. The customer added the command and the interfaces stayed up after reboot, which confirmed the initial assumption.


Root Cause

The port-security max-mac-num command sets the maximum number of secure MAC addresses that can be learned on an interface. By default, only one MAC address can be learned on an interface. With the port-security mac-address sticky command, that single MAC address is also retained after a reboot. We therefore suspected that the device connected to the interface sent frames with a source MAC address different from the one already learned in the MAC table, which exceeded the limit of one MAC address and triggered the action set by port-security protect-action shutdown, shutting down the port.


#
interface Ethernet0/0/6
port link-type access
port default vlan 113
stp edged-port enable
arp anti-attack check user-bind enable
ip source check user-bind enable
port-security enable
port-security protect-action shutdown
port-security mac-address sticky
dhcp snooping enable
dhcp snooping check user-bind enable
#

Solution

We advised the customer to configure the command port-security max-mac-num 100 on the ports.
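
A simplified model of the behaviour described under Root Cause and Solution, as an added example that is not Huawei's code or part of the original article: it parses interface stanzas in the format shown above and reports which ports would shut down after a reboot when a frame arrives from a source MAC other than the sticky one. The sample configuration, the MAC addresses used with it and all function names are constructed for illustration.

```python
DEFAULT_MAX_MAC = 1  # per the article: one MAC is learned by default
# Constructed sample: first stanza mirrors the article, second adds its fix.
SAMPLE_CONFIG = """#
interface Ethernet0/0/6
 port-security enable
 port-security protect-action shutdown
 port-security mac-address sticky
#
interface Ethernet0/0/7
 port-security enable
 port-security protect-action shutdown
 port-security mac-address sticky
 port-security max-mac-num 100"""

def parse_interfaces(config_text):
    """Return {interface: [commands]} from '#'-delimited stanzas."""
    interfaces, current = {}, None
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line == "#":
            current = None
        elif line and current is not None:
            current.append(line)
    return interfaces

def profile(commands):
    """Summarise one interface's port-security settings."""
    limit = DEFAULT_MAX_MAC
    for cmd in commands:
        if cmd.startswith("port-security max-mac-num "):
            limit = int(cmd.split()[-1])
    return {"enabled": "port-security enable" in commands, "max_mac": limit,
            "sticky": "port-security mac-address sticky" in commands,
            "shutdown": "port-security protect-action shutdown" in commands}

def shuts_down_after_reboot(p, learned_before, seen_after):
    """Simplified model: only sticky MACs survive the reboot (assumption)."""
    secure = set(learned_before) if p["sticky"] else set()
    for mac in seen_after:
        if mac not in secure and p["enabled"] and len(secure) >= p["max_mac"]:
            return p["shutdown"]  # limit exceeded: the protect action fires
        secure.add(mac)
    return False

def audit(config_text, learned_before, seen_after):
    """Map each interface to whether it would shut down after a reboot."""
    return {name: shuts_down_after_reboot(profile(c), learned_before, seen_after)
            for name, c in parse_interfaces(config_text).items()}
```

With port-security max-mac-num 100 the port accepts up to 100 source MAC addresses before the protect action applies.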

Suggestions

none.