Printers Trigger Port Security

Unanswered Question
May 27th, 2009
User Badges:

Hi all,

I hope I'm posting this to the correct area, please do let me know if this post would be more appropriate in another area.

We have deployed 3560s with IOS ver 12.2 <25> sec. in our distribution closets and have engaged port security on all of them. We have port security configured to sticky the MACs and to shut down the ports in the event of a violation.

I have three separate incidences, on three separate switches, where three different printers of different manufacturers are intermittently triggering port security.

We're %100 sure that we do not have a case of someone trying to connect an unauthorized device to the port, and the problem occurs at different times of the day.

There are times when the port will error down several times over the course of an hour, and then again we may go a couple of weeks without incident.

I had enabled logging on the switches, but there wasn't any useful information within the logs. They simple indicate that the port went down.

Anyone have a clue as to what may be causing these printers to trigger port security?

Regards to all

Larry

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
darren-carr Wed, 05/27/2009 - 16:16
User Badges:

Hi Larry


What a strange issue. I have experienced something similar not so long ago. Our issue was down to a malfunctioning cheap print server attached to the printer.


Couple of questions... have you captured the MAC address that causes the violation on the port and compared this to the printer that is attached to ensure they are the same?


Have you also tried maybe increasing the count of allowed addresses to '2' to see if multiple addresses are added to the port. Maybe use the results of this to track down the hosts on the network?


D

lbrusso6824 Thu, 05/28/2009 - 05:57
User Badges:

Hi D,

First, thank you for taking the time to reply. I did enable logging, but the log file didn't contain any information that would indicate a captured MAC.

A (sho port-security address) only results in displaying the MAC of the sticky printer, not the intruder.

We're 100% confident that no one is messing with the port, I've watched the video myself.

Is there some other place or command I could be using that would indicate an unrecognized MAC?


Duh.... I didn't think of increasing the sticky allowed number to see if it will snag more MAC addresses. I'll do that today!!!

Thanks for pulling my head out of... the sand. :)

regards

Larry

Kevin Brennan Thu, 05/28/2009 - 02:43
User Badges:
  • Bronze, 100 points or more

Hi Larry,


I've seen some of the larger multifunction printers do things like this. Some of them have an internal switch to network the scanner/printer/fax/etc components together.


Maybe this is what's causing the violation?


Kevin

Actions

This Discussion