Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3791
Views
0
Helpful
15
Replies

Port security detecting two MACs on 1 machine.

btenney
Level 1
Level 1

‎11-10-2003 10:57 AM - edited ‎03-02-2019 11:35 AM

I am using port security on several 2950 switches to prevent unauthorized moves on the network. Currently, there are several hundred computers that do not have a problem. Here is my current config for each port:

Version 12.1(19)EA1

switchport mode access

switchport port-security

switchport port-security maximum 1

switchport port-security violation shutdown

switchport port-security mac-address sticky

I am working with two users who each have old laptops (the only thing I can see in common). Their ports keep getting shutdown due to MAC address violations. The users swear up and down that their computers have NOT moved or been uplugged. I reset the secure MAC on one port and the user was able to work about 30 minutes before being locked out again. Indeed, it does show a different MAC address as "last source address". I even have eye witnesses (manager's sitting by desk) saying they saw nobody at his desk.

Now, is there a chance something on the computer would cause the MAC address to change? He does have a modem, but I don't see this causing problems. I am very confused why only these two computers would be having problems. Honestly, I don't think the users are trying to pull a fast one.

Since I have changed the max count to 2, I have not seen another MAC address show up on that port. I'm sure if I put it down to 1 again, it will lock out eventally.

Anybody ran into this before?

Thanks.

Brett

Labels:
0 Helpful
15 Replies 15

Harold Ritter
Cisco Employee
Cisco Employee

‎11-10-2003 11:20 AM

Any chance they could be running a DECNET stack on these two workstations. DECNET is known to change the burnt in mac address to something starting with AA00.

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

btenney
Level 1
Level 1
In response to Harold Ritter

‎11-10-2003 01:13 PM

Thanks for the reply. They are not using DECNET. I will try to monitor the situation some more and see what I can come up with.

0 Helpful

btenney
Level 1
Level 1
In response to Harold Ritter

‎11-10-2003 01:17 PM

Thanks for the reply. They are not using DECNET. I will try to monitor the situation some more and see what I can come up with. It is possible I'm missing some kind of information. I need to find where these other macs are coming from. This isn't a huge deal since it is only two computers having problems. I already have a workaround by setting the max to 2 although no new macs have showed up in the config as of yet.

0 Helpful

jeremy-keen
Level 1
Level 1

‎11-10-2003 03:31 PM

If the laptops have "full" docking stations, there will be a seperate MAC for the NIC in the dock and a different MAC for the laptop (PCMCIA/motherboard) NIC. If they are toggling between the dock and the laptop you will see 2 different MAC addresses.

Cheers,

Jeremy Keen

0 Helpful

robho
Level 3
Level 3

‎11-10-2003 06:16 PM

You may want to check to see if there are any intermediate devices between the workstation and the switchport. I have seen in the past, users plugging a switch/hub to their drop.

Better yet, you may also want to SPAN the port to see what is causing this. For the 2950, make sure it is running at least 12.1(11)EA1 before using that feature.

0 Helpful

btenney
Level 1
Level 1
In response to robho

‎12-10-2003 09:39 AM

I had 3 switches stop responding to telnet for some reason so I think there was a problem with the new code. I downgraded to 12.1(12c)EA1 and we haven't had a problem since. Downgrading was the solution.

0 Helpful

btenney
Level 1
Level 1

‎12-10-2003 09:40 AM

I had 3 switches stop responding to telnet for some reason so I think there was a problem with the new code. I downgraded to 12.1(12c)EA1 and we haven't had a problem since. Downgrading was the solution.

0 Helpful

btenney
Level 1
Level 1
In response to btenney

‎12-10-2003 09:48 AM

By the way, this problem WAS occuring on about 6 computers in different offices. After downgrading and reenabling port security everything works with out problem. Before they were getting locked out within a half hour everyday.

0 Helpful

vishal.bhat
Level 1
Level 1

‎12-15-2003 04:18 AM

hi brett

well this is a unique problem

u can do one thing

put a different pc in place of an olsd laptop for a while and put max count to 1 only

and observe then

check for any static entry in ur mac table also

i guessa faulty lan card is the problem

i hope u get the solution

0 Helpful

t.fiala
Level 1
Level 1
In response to vishal.bhat

‎12-15-2003 04:41 AM

Hi,

I've seen this problem many times. It usually looks like this:

mac-address sticky 0000.002a.b4c7

mac-address sticky 0000.00bb.b4c7

mac-address sticky 0000.b4c7.8505

Only one MAC was correct, the others were derrived and false. Until now has always fixed this failure a new NIC.

Tomas

0 Helpful

btenney
Level 1
Level 1
In response to t.fiala

‎01-13-2004 11:06 AM

After a month or so of testing, port security issues still exist in 12.1(12c)EA1 (although false triggers have slowed). Seems to be about 1 out of 100 computers or so. I set the violation to "restrict" to monitor the situation and alleviate the users frustrations of being shutoff every 30 min or so during the workday. Here is some interesting results I see in the log history. This log is over the course of 24 hours since I changed it to restrict.

interface FastEthernet0/1

switchport mode access

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address sticky 00e0.988a.7ee6

no ip address

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

(Count) (Count) (Count)

Fa0/1 1 1 3 Restrict

2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by

MAC address 5463.0007.eb9e on port Fa0/1.

2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by

MAC address 0000.0007.eb9e on port Fa0/1.Invalid address secure address

2w4d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by

MAC address 3a20.0007.eb9e on port Fa0/1.Invalid address secure address

Notice how all 3 violating MACS have similarities. Nobody can tell me that this is 3 different machines. Since replacing all the NICs is not an option, setting the violation to "restrict" seems to be the workaround although it will shut down int temp throughout the day. Port security is absolutly needed.

Thanks for the response Thomas.

0 Helpful

teru-lei
Level 1
Level 1
In response to btenney

‎01-14-2004 06:51 AM

have you checked if there is any virus in the computers? maybe there is virus so that the virus send packet with dummy mac-address.

0 Helpful

dmosher35
Level 1
Level 1
In response to btenney

‎11-01-2010 01:57 PM

If those are the actual MAC addreses, the MAC picked up by Stcky is a broadband router. Any MAC it tries to pass through will be a security violation. Also when you have multiple machine mcas on on physical machine make sure they are not running a VM on the machine.

0 Helpful

ghoward
Level 1
Level 1

‎01-20-2004 02:15 PM

We are having the same problem with a couple of our 2950's. All are running 12.1(14)EA1a. Did you ever get any responses to this posting? We have a question out to our local SE to see if he can find any information. How did you get around this problem?

0 Helpful
Customers Also Viewed These Support Documents