11-16-2006 06:51 AM - edited 03-05-2019 12:51 PM
I had a problem with a device that suddenly was disconnected by PortSecurity but there was no MAC Address change.
This is the logger:
Nov 15 21:12:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 5258.5f55.55c5 on port FastEthernet0/28.
Any help will be well thanked and rated!
11-16-2006 12:19 PM
Hi,
provided your box is a Cat3550, you may be hitting the CSCeg50665 bug, which has the following symptoms:
Randomly several times per day 3550 switches report port-security violations due to "ghost" MAC addresses appearing randomly in the network. These MAC addresses result in error-disabled ports (according to the configuration), but investigation indicates that these are phantom MAC addresses, and no physical changes have occurred nor have PCs been moved.
The addresses that we marked as ghost MAC addresses are almost always the same three:
- 5e-55-35-55-55-56;
- 52-58-5f-55-55-5c;
- e8-be-5d-d3-55-58.
This should be fixed since 12.2(25)SEE and 12.1(22)EA7.
Best regards,
Antonin
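To make the "is this a real neighbour or a phantom address?" question from the posts above checkable against a log, here is a small added triage script. It is not part of the thread and not Cisco code: the message pattern is built from the two forms of the PSECURE_VIOLATION text that appear on this page, the ghost list is transcribed from the CSCeg50665 description quoted above, and the sticky address comes from the posted "sh run int fas 0/28". The two extra log lines are constructed sample data. Note that the address in the original log line (5258.5f55.55c5) differs from the bug's listed 52-58-5f-55-55-5c in its last octet, so an exact-match check reports it as unknown rather than as a known ghost; that is deliberate, since the point of the check is to surface such discrepancies instead of assuming. The script also reports the locally-administered bit of the first octet, which is set on two of the three listed ghost addresses and is worth noting on an access port where only a burned-in NIC address is expected.

```python
import re
from collections import Counter

# Ghost addresses quoted from the CSCeg50665 description earlier in this thread,
# rewritten in Cisco dotted notation.
CSCEG50665_GHOST_MACS = frozenset({
    "5e55.3555.5556",
    "5258.5f55.555c",
    "e8be.5dd3.5558",
})

# Log line from the original post (verbatim), plus two constructed lines that
# reuse one of the bug's listed addresses; the constructed ones are sample data.
THREAD_LOG_LINE = (
    "Nov 15 21:12:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 5258.5f55.55c5 on port FastEthernet0/28."
)
CONSTRUCTED_LINES = [
    "Nov 16 03:10:41: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 5258.5f55.555c on port FastEthernet0/28.",
    "Nov 16 09:22:07: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 5258.5f55.555c on port FastEthernet0/28.",
    "Nov 16 09:22:30: %SYS-5-CONFIG_I: Configured from console by console",
]

# Sticky address per port, as shown by "sh run int fas 0/28" in the thread.
STICKY_MACS = {"FastEthernet0/28": ["000d.561f.bca6"]}

# Accepts both message forms seen on this page: with a comma after "occurred"
# and "MAC address", or the documented template "caused by MAC [enet]".
_VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,? "
    r"caused by MAC(?: address)? ([0-9A-Fa-f.:-]+) on port (\S+?)\.?$"
)


def normalize_mac(mac):
    """Return a MAC in Cisco dotted form (xxxx.xxxx.xxxx) from dotted, dashed or colon input."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_violation(line):
    """Extract (mac, port) from a PSECURE_VIOLATION line, or None for any other syslog line."""
    m = _VIOLATION_RE.search(line)
    if not m:
        return None
    return normalize_mac(m.group(1)), m.group(2)


def mac_flags(mac):
    """Report the two address-type bits of the first octet (IEEE 802 conventions)."""
    first_octet = int(normalize_mac(mac)[0:2], 16)
    return {
        "multicast": bool(first_octet & 0x01),           # never valid as a source MAC
        "locally_administered": bool(first_octet & 0x02),  # not a burned-in NIC address
    }


def classify_violation(line, sticky_macs, ghost_macs=CSCEG50665_GHOST_MACS):
    """Classify one violation line against the port's sticky addresses and the ghost list."""
    parsed = parse_violation(line)
    if parsed is None:
        return None
    mac, port = parsed
    allowed = {normalize_mac(m) for m in sticky_macs.get(port, ())}
    if mac in allowed:
        verdict = "sticky-address"   # logged MAC is the configured one: config and secure table disagree
    elif mac in ghost_macs:
        verdict = "known-ghost"      # exactly matches an address listed under CSCeg50665
    else:
        verdict = "unknown"          # needs a physical check of what is on the port
    return {"port": port, "mac": mac, "verdict": verdict, **mac_flags(mac)}


def triage(lines, sticky_macs, ghost_macs=CSCEG50665_GHOST_MACS):
    """Group violations by (port, mac) and count repeats.

    A MAC that keeps recurring on one port with nothing plugged in is the pattern
    the thread describes; the verdict says whether the bug's list already explains it.
    """
    counts = Counter()
    verdicts = {}
    for line in lines:
        result = classify_violation(line, sticky_macs, ghost_macs)
        if result is None:
            continue  # not a port-security violation
        key = (result["port"], result["mac"])
        counts[key] += 1
        verdicts[key] = result
    return {key: {**verdicts[key], "count": n} for key, n in counts.items()}


if __name__ == "__main__":
    for (port, mac), info in triage([THREAD_LOG_LINE] + CONSTRUCTED_LINES, STICKY_MACS).items():
        print(f"{port} {mac} x{info['count']}: {info['verdict']} "
              f"(locally administered: {info['locally_administered']})")
```

Run it over a saved "show log" and compare the recurring addresses with what the bug lists; a recurring address that is not on the list still needs the physical check the other replies asked for (what is actually cabled to the port) before the software version is blamed.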
11-16-2006 06:58 AM
Hi Eloy,
Can you confirm what is connected on this switchport?
Ankur
11-16-2006 10:24 AM
Ankbhasi,
I have connected a desktop PC to the switchport.
Both ports (on the switch and on the PC) are autosensing.
Thanks.
11-16-2006 07:36 AM
Hi,
In addition to Ankur's post, can you paste "show run interface fa 0/28" and "show port-security interface fa 0/28"? Also "show log".
-amit singh
11-16-2006 10:19 AM
Hello Amit,
Here are the sh run's you asked for...
1)
Lev_Piso1A#sh run int fas 0/28
Building configuration...
Current configuration : 268 bytes
!
interface FastEthernet0/28
description Mildred Aragon
switchport access vlan 27
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000d.561f.bca6
spanning-tree portfast
end
2)
Lev_Piso1A#sh port-security interface fastEthernet 0/28
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 000d.561f.bca6
Security Violation Count : 0
Thanks.
11-16-2006 10:34 AM
This means only the mac address that you have configured that ends with bca6 is allowed.
The error message means it saw traffic with a mac address of 5258.5f55.55c5 on the port and locked it. Now your issue will be to find out how that mac address got on the port.
Either someone plugged in another device or the pc that has mac 000d.5611.bca6 can send packets with other mac addresses.
11-16-2006 10:45 AM
tdrais,
I confirm to you that no one connected another device on the port. This message has appeared before, and it is always the same mac address.
I will tell you like the dead Doc in "I, Robot": "How did that MAC address get on the port?"
That's the right question...
Thanks.
11-16-2006 11:58 AM
This could be a software issue on the PC. I had a dual nic machine that at times would send broadcast packets out both nic interfaces with the same mac.
The nic card does not validate outgoing traffic. This "feature" is used by some denial of service attacks to overflow a switch mac table.
In your case it is most likely just a bug.
11-16-2006 12:57 PM
I confirm to you that the PC has no software or hardware whatsoever to generate another MAC Address (no virtual machines or double NICs) so that is not the problem.
The overflow service attack is not possible because it is a restricted switch and has no connection whatsoever to the outside world (internet provider). It would have to be an inside attacker, and we already covered our backs from that possible event.
Thanks tdrais.
11-16-2006 01:06 PM
amikat,
Your post makes a lot of sense.
I will try it; when I successfully prove that was the solution you will receive a good rating from me.
Thank you very much.
11-16-2006 12:55 PM
Hi,
Can you try out the steps below?
1. Remove the port security from the port and enable it again.
2. Clear all secure addresses from the MAC address table.
Here is the information about the error message you got:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred caused by MAC [enet] on port [chars].
This message means that an unauthorized device attempted to connect on a secure port. MAC [enet] is the MAC address of the unauthorized device, and port [chars] is the secure port.
Here is the configuration guideline for port security:
Understanding Port Security
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swtrafc.htm#wp1042596
Hope it helps you.
Thanks,
satish