Mystery second MAC address causing errdisable

bernie
Level 1

I am having the same 2nd MAC show up on multiple ports, causing the ports to errdisable from port security. The MAC address is from D-LINK, but these are Windows PCs with no D-LINK cards. It appears to be confined to one VLAN that spans multiple switches. Any help would be appreciated.

Example 1:

Oct 2 12:27:25.940 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/27.

Oct 2 12:27:26.036 EDT: %PM-SP-STDBY-4-ERR_DISABLE: psecure-violation error detected on Fa1/27, putting Fa1/27 in err-disable state

Oct 2 14:05:18.930 EDT: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa1/79, putting Fa1/79 in err-disable state

Oct 2 14:05:18.934 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/79.

Example 2: Different switch

Oct 12 02:51:48.846 EDT: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa2/50, putting Fa2/50 in err-disable state

Oct 12 02:51:48.846 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet2/50.

2 Replies

Kevin Dorrell
Level 10

These are access ports, are they? Have you investigated the machines connected to those ports? Are you sure this is not a rogue PC with two NICs that is doing bridging, or an unauthorised laptop?

The other thought is to see if there is any VMware (VMplayer etc.) or virtualisation on those machines. They can have virtual NICs with extra MAC addresses.

Finally, I have seen hosts that simply have bugs that just occasionally generate frames from strange MAC addresses. HP Digital Sender 9100C is a particular culprit: I have to allow 2 MAC addresses whenever I connect one of those.

Kevin Dorrell

Luxembourg

They are access ports for desktop PCs and are not running any type of VMware. The funny thing is that these desktop devices appear to generate the extra D-LINK MAC even when they are not being used, but are powered on. The timestamps in the examples are from overnights. It has, however, happened during the day.

It is not confined to a particular type of PC, floor, room, or device image. Port security is new to my facility, and we have approx 4000 ports working fine, but I am concerned that since this has happened to about 10 devices in the 3 weeks that we have been using port security, it could be the tip of the iceberg. Also, I should mention that when I shut/no shut to re-enable the port, the problem has on most ports gone away. Only one PC had the problem continue through a couple of shut/no shuts and has now been fine for a week.
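An added example, not part of any post in this thread: a Python script that correlates `PSECURE_VIOLATION` syslog lines across switches and reports any source MAC that tripped port security on more than one port, the pattern described in the first post. The switch labels `switch-a` and `switch-b` and the one log line with MAC `0000.5e00.5301` are constructed for illustration; the other log lines are the ones quoted above.

```python
import re
from collections import defaultdict

# Violation lines quoted in the first post; switch names are assumed labels.
LOGS = {
    "switch-a": """\
Oct 2 12:27:25.940 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/27.
Oct 2 12:27:26.036 EDT: %PM-SP-STDBY-4-ERR_DISABLE: psecure-violation error detected on Fa1/27, putting Fa1/27 in err-disable state
Oct 2 14:05:18.934 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/79.
Oct 3 09:10:00.000 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.5301 on port FastEthernet1/12.
""",  # the last line above is constructed (documentation-range MAC)
    "switch-b": """\
Oct 12 02:51:48.846 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet2/50.
""",
}

# Matches only the PORT_SECURITY violation message, not the PM ERR_DISABLE one.
VIOLATION = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+\S+:\s+%PORT_SECURITY-\S*PSECURE_VIOLATION:"
    r".*?MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r" on port (?P<port>\S+?)\.?$"
)

def violations(logs_by_switch):
    """Yield (mac, oui, switch, port, timestamp) for each violation line."""
    for switch, text in logs_by_switch.items():
        for line in text.splitlines():
            m = VIOLATION.match(line.strip())
            if m:
                mac = m["mac"].lower()
                # The first three bytes of the MAC are the vendor OUI.
                yield mac, mac.replace(".", "")[:6], switch, m["port"], m["ts"]

def recurring_macs(logs_by_switch, min_ports=2):
    """Return {mac: sorted [(switch, port)]} for MACs seen on >= min_ports ports."""
    seen = defaultdict(set)
    for mac, _oui, switch, port, _ts in violations(logs_by_switch):
        seen[mac].add((switch, port))
    return {mac: sorted(p) for mac, p in seen.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for mac, ports in recurring_macs(LOGS).items():
        print(f"{mac} (OUI {mac.replace('.', '')[:6]}) violated on {len(ports)} ports:")
        for switch, port in ports:
            print(f"  {switch} {port}")
```

A MAC that recurs on unrelated access ports points at a frame source somewhere in the shared VLAN rather than at the individual desktops, so the port list is a starting point for tracing where the frames enter.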
