Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

many MAC addresses on same port

Hi,

We got a bunch of port-sec violations on port fa1/0/42. after checking logs, we noticed that the MAC address responsible for generating the alert was not one, but many.
We asked the user, he said he only restarted his computer.

The MAC addresses happen to be existing MAC on the network.

How is it possible that a port-sec violation is made by many MAC addresses on the same port, successively? Has anybody experienced this same issue?

Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.

Thanks,

Wass

Everyone's tags (2)
8 REPLIES
Cisco Employee

many MAC addresses on same port

Hi,

Are you sure it was PC connected there during the issue? Could it be switch or wireless access point plugged in there for short time?

Kind Regards,
Ivan

**Please grade this post if you find it useful.

Kind Regards, Ivan Shirshin **Please grade this post if you find it useful.
New Member

many MAC addresses on same port

Yes we're sure. Users have no right to insert whatsoever device into the network.

VIP Super Bronze

many MAC addresses on same port

There could also be that some one purchased a hub and connected to the network.

New Member

many MAC addresses on same port

@Ivan and Reza: what you're saying is true in general, I agree with you. However, this particular user is one row away from my desk, I did not see him insert any device into the network. Besides, we collaborate on a trust basis since we are in the same department.

The issue appeared as soon as he restarted his computer. Does the switch keep a history of past known MAC addresses on a given port?

VIP Super Bronze

many MAC addresses on same port

Wass,

The switch does not keep track of past MAC addresses. You maybe able to look at the syslog server and find further info.

Does this person's system has only one NIC or multiple?

New Member

many MAC addresses on same port

MAC address      6416.8dbb.930e belongs to Cisco

                          78e3.b58f.1011 belongs to HP

                          0018.1000.30f9 & belongs to IPTrade S.A

New Member

many MAC addresses on same port

Hi,

Try to check if the PC is infected by virus that can caused MAC flooding.

New Member

many MAC addresses on same port

Reza, there's only one NIC on the PC.

Jong, part of the coporate security policy is to have each PC scanned against viruses and updated with latest security patches, each night. Besides, each viral infection is reported to a central console. So this assumption is weak.

Wass

2361
Views
0
Helpful
8
Replies
CreatePlease login to create content