Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Mystery second MAC address causing errdisable

I am having the same 2nd MAC show up on multiple ports causing the ports to errdisable from port security. The MAC address is from D-LINK but these are Windows PC's with no D-LINK cards. It appears to be confined to one VLAN that spans multiple switches. Any help would be appreciated.

Example 1:

Oct 2 12:27:25.940 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/27.

Oct 2 12:27:26.036 EDT: %PM-SP-STDBY-4-ERR_DISABLE: psecure-violation error detected on Fa1/27, putting Fa1/27 in err-disable state

Oct 2 14:05:18.930 EDT: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa1/79, putting Fa1/79 in err-disable state

Oct 2 14:05:18.934 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/79.

Example 2. Differnet switch

Oct 12 02:51:48.846 EDT: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa2/50, putting Fa2/50 in err-disable state

Oct 12 02:51:48.846 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet2/50.

2 REPLIES

Re: Mystery second MAC address causing errdisable

These are access ports, are they? Have you investigated the machines connected to those ports. Are you sure this is not a rogue PC with two NICs that is doing bridging, or an unauthorised laptop?

The other thought is to see if there is any VMware (VMplayer etc.) or virtualisation on those machines. They can have virtual NICs with extra MAC addresses.

Finally, I have seen hosts that simply have bugs that just occasionally generate frames from strange MAC addresses. HP Digital Sender 9100C is a particular culprit: I have to allow 2 MAC addresses whenever I connect one of those.

Kevin Dorrell

Luxembourg

New Member

Re: Mystery second MAC address causing errdisable

They are access ports for desktop PC's and are not running any type of VMware. The funny thing is that these desktop devices appear to generate the extra D-LINK MAC even when they are not being used, but are powered on. The timestamps in the examples are from overnights. It has however happened during the day.

It is not confined to a particular type of PC, floor, room, or device image. Port security is new to my facility, and we have approx 4000 ports working fine, but I am concerned that since this has happened to about 10 devices in the 3 weeks that we have been using port security it could be the tip of the iceberg. Also I should mention that when I shut- no shut to re-enable the port the problem has on most ports gone away. Only one PC had the problem contine through a couple of shut-no shuts and has now been fine for a week.

483
Views
0
Helpful
2
Replies
CreatePlease to create content