Port Security Error

Eloy Pascal
Level 1
Level 1

I had a problem with a device that suddenly was disconnected by PortSecurity but there was no MAC Address change.

This is the logger:

Nov 15 21:12:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 5258.5f55.55c5 on port FastEthernet0/28.

Any help will be well thanked and rated!

1 Accepted Solution

amikat
Level 7
Level 7

Hi,

Provided your box is a Cat3550, you may be hitting the CSCeg50665 bug with the following symptoms:

Randomly several times per day 3550 switches report port-security violations due to "ghost" MAC addresses appearing randomly in the network. These MAC addresses result in error-disabled ports (according to the configuration), but investigation indicates that these are phantom MAC addresses, and no physical changes have occurred nor have PCs been moved.

The addresses that we marked as ghost MAC addresses are almost always the same three:

- 5e-55-35-55-55-56;
- 52-58-5f-55-55-5c;
- e8-be-5d-d3-55-58.

This should be fixed since 12.2(25)SEE and 12.1(22)EA7.

Best regards,

Antonin


ankbhasi
Cisco Employee
Cisco Employee

Hi Eloy,

Can you confirm what is connected on this switchport?

Ankur

Ankbhasi,

I have connected a desktop PC to the switchport.

Both ports (on the switch and on the PC) are autosensing.

Thanks.

amit-singh
Level 8
Level 8

Hi,

In addition to Ankur's post, can you paste "show run interface fa 0/28" and "show port-security interface fa 0/28"? Also "show log".

-amit singh

Hello Amit,

Here are the sh run's you asked for...

1)

Lev_Piso1A#sh run int fas 0/28
Building configuration...

Current configuration : 268 bytes
!
interface FastEthernet0/28
 description Mildred Aragon
 switchport access vlan 27
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 000d.561f.bca6
 spanning-tree portfast
end

2)

Lev_Piso1A#sh port-security interface fastEthernet 0/28
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 000d.561f.bca6
Security Violation Count   : 0

Thanks.

This means only the MAC address that you have configured, the one that ends with bca6, is allowed.

The error message means it saw traffic with a MAC address of 5258.5f55.55c5 on the port and locked it. Now your issue will be to find out how that MAC address got on the port.

Either someone plugged in another device or the pc that has mac 000d.5611.bca6 can send packets with other mac addresses.

tdrais,

I confirm to you that no one connected another device on the port. This message has appeared before, and it is always the same mac address.

I will tell you like the dead Doc in "I, Robot": How did that MAC address get on the port?

That's the right question...

Thanks.

This could be a software issue on the PC. I had a dual nic machine that at times would send broadcast packets out both nic interfaces with the same mac.

The nic card does not validate outgoing traffic. This "feature" is used by some denial of service attacks to overflow a switch mac table.

In your case it is most likely just a bug.

I confirm to you that the PC has no software or hardware whatsoever to generate another MAC Address (no virtual machines or double NICs) so that is not the problem.

The overflow attack cannot happen because it is a restricted switch and has no connection whatsoever to the outside world (internet provider). It would have to be an inside attacker, and we have already covered our backs against that possible event.

Thanks tdrais.


amikat,

Your post makes a lot of sense.

I will try it; when I successfully prove that this was the solution, you will receive a good rating from me.

Thank you very much.

smothuku
Level 7
Level 7

Hi ,

Can you try out the steps below?

1. Remove the port security from the port and enable it again.

2. Clear all secure addresses from the MAC address table.

Here is the information about the error message you got:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred caused by MAC [enet] on port [chars].

This message means that an unauthorized device attempted to connect on a secure port. MAC [enet] is the MAC address of the unauthorized device, and port [chars] is the secure port.

Here is the configuration guideline for port security:

Understanding Port Security

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swtrafc.htm#wp1042596

Hope it helps you.

Thanks,

satish
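The thread leaves the reader with two things to check by hand: what the PSECURE_VIOLATION line actually says (the offending MAC and port, as tdrais and satish explain), and whether the offending MAC is one of the three phantom addresses listed for CSCeg50665 (amikat's post). The following script is an added example, not code from any poster or from Cisco; it parses syslog lines in the format quoted above, normalises Cisco dotted, dashed and colon MAC notations so the two spellings in the thread can be compared, and tallies violations per port as "known-ghost" or "unknown". Note that, compared exactly, the address in Eloy's log (5258.5f55.55c5) differs in its last byte from the posted ghost 52-58-5f-55-55-5c, so the example classifies that line as "unknown"; the ghost list, the field names and the sample log lines other than the quoted one are assumptions constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Regex for the Catalyst syslog line quoted in the thread. The group names
# (mac, port) are ours; the message text is as the switch prints it.
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,? caused by "
    r"MAC(?: address)? (?P<mac>[0-9A-Fa-f.:-]+) on port (?P<port>[A-Za-z0-9/]+)"
)

# Ghost addresses exactly as posted in the CSCeg50665 description (dashed notation).
# Assumption: this is the complete list for the platform; adjust for your bug notes.
GHOST_MACS_POSTED = ["5e-55-35-55-55-56", "52-58-5f-55-55-5c", "e8-be-5d-d3-55-58"]


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to 12 lowercase hex digits.

    Accepts Cisco dotted (5258.5f55.55c5), dashed (52-58-5f-55-55-5c) and
    colon (52:58:5f:55:55:5c) notations so differently spelled addresses compare.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


GHOST_MACS = {normalize_mac(m) for m in GHOST_MACS_POSTED}


def parse_violation(line: str) -> Optional[Tuple[str, str]]:
    """Return (normalised mac, port) for a PSECURE_VIOLATION line, else None."""
    m = PSECURE_RE.search(line)
    if not m:
        return None
    return normalize_mac(m.group("mac")), m.group("port")


def classify(mac: str) -> str:
    """'known-ghost' if the MAC is one of the bug's phantom addresses, else 'unknown'."""
    return "known-ghost" if normalize_mac(mac) in GHOST_MACS else "unknown"


def triage(lines: List[str]) -> Dict[str, Counter]:
    """Count violations per port, split by classification, over a batch of log lines.

    A port whose hits are all 'known-ghost' while its sticky MAC never changes is a
    candidate for the IOS bug; any 'unknown' hit still deserves the physical check
    (what is plugged in, is the host sending with other source MACs) the thread asks for.
    """
    per_port: Dict[str, Counter] = {}
    for line in lines:
        parsed = parse_violation(line)
        if parsed is None:
            continue
        mac, port = parsed
        per_port.setdefault(port, Counter())[classify(mac)] += 1
    return per_port


# Constructed sample: the first line is the one quoted in the thread; the others
# are made up here using the bug's ghost addresses plus one unrelated address.
SAMPLE_LOG = [
    "Nov 15 21:12:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 5258.5f55.55c5 on port FastEthernet0/28.",
    "Nov 16 03:40:11: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 5e55.3555.5556 on port FastEthernet0/28.",
    "Nov 16 09:02:45: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address e8be.5dd3.5558 on port FastEthernet0/12.",
    "Nov 16 09:03:01: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down",
    "Nov 16 12:15:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0011.2233.4455 on port FastEthernet0/07.",
]

if __name__ == "__main__":
    for port, counts in sorted(triage(SAMPLE_LOG).items()):
        print(port, dict(counts))
```

Run it against an exported "show log" or a syslog collector file one line per entry; ports that only ever show "known-ghost" hits on an affected 3550 release point at the bug and the upgrade amikat names, while "unknown" hits keep the ordinary investigation (cabling, the attached host's drivers and NICs) on the table.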
