I am having the same 2nd MAC show up on multiple ports causing the ports to errdisable from port security. The MAC address is from D-LINK but these are Windows PC's with no D-LINK cards. It appears to be confined to one VLAN that spans multiple switches. Any help would be appreciated.
Oct 2 12:27:25.940 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/27.
Oct 2 12:27:26.036 EDT: %PM-SP-STDBY-4-ERR_DISABLE: psecure-violation error detected on Fa1/27, putting Fa1/27 in err-disable state
Oct 2 14:05:18.930 EDT: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa1/79, putting Fa1/79 in err-disable state
Oct 2 14:05:18.934 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet1/79.
Example 2. Differnet switch
Oct 12 02:51:48.846 EDT: %PM-SP-4-ERR_DISABLE: psecure-violation error detected on Fa2/50, putting Fa2/50 in err-disable state
Oct 12 02:51:48.846 EDT: %PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.ba08.bca2 on port FastEthernet2/50.
These are access ports, are they? Have you investigated the machines connected to those ports. Are you sure this is not a rogue PC with two NICs that is doing bridging, or an unauthorised laptop?
The other thought is to see if there is any VMware (VMplayer etc.) or virtualisation on those machines. They can have virtual NICs with extra MAC addresses.
Finally, I have seen hosts that simply have bugs that just occasionally generate frames from strange MAC addresses. HP Digital Sender 9100C is a particular culprit: I have to allow 2 MAC addresses whenever I connect one of those.
They are access ports for desktop PC's and are not running any type of VMware. The funny thing is that these desktop devices appear to generate the extra D-LINK MAC even when they are not being used, but are powered on. The timestamps in the examples are from overnights. It has however happened during the day.
It is not confined to a particular type of PC, floor, room, or device image. Port security is new to my facility, and we have approx 4000 ports working fine, but I am concerned that since this has happened to about 10 devices in the 3 weeks that we have been using port security it could be the tip of the iceberg. Also I should mention that when I shut- no shut to re-enable the port the problem has on most ports gone away. Only one PC had the problem contine through a couple of shut-no shuts and has now been fine for a week.
We are pleased to announce availability of Beta software for 16.6.3.
16.6.3 will be the second rebuild on the 16.6 release train targeted
towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are
looking for early feedback from customers befor...
Introduction Featured Speakers Luis Espejel is the Telecommunications
Manager of IENova, an Oil & Gas company. Currently he works with Cisco
IOS® and Cisco IOS XE platforms, and NX to some extent. He has also
worked as a Senior Engineer with the Routing P...
In this session you can learn more about Layer 3 multicast and the best
practices to identify possible threats and take security measures. It
provides an overview of basic multicast, the best security practices for
use of this technology, and recommendati...