New Member

2950 Port Security & Syslog

Hello,

Catalyst 3500 Switches are able to send a Syslog-Message when they experience an unallowed access through a port, including the MAC-Address of the NIC that attempted to connect.

Security violation occurred on module 0 port 1 caused by MAC address xxx.xxx.xxx

The 2950 just sends a message like that:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/21, putting Fa0/21 in err-disable state

I'd like to know the MAC-Address. Does anyone know how to find it out via CLI?

2 REPLIES
New Member

Re: 2950 Port Security & Syslog

You can try using Port monitoring (SPAN). This feature allows you to capture traffic that occurs between two ports.

The following link gives information on Port monitoring.

http://www.cisco.com/warp/public/473/41.html#span_cat2950_3550

This way you can sniff the traffic on the targeted port.

New Member

Re: 2950 Port Security & Syslog

Hello and thanks for the reply,

Maybe my first post was a bit unclear, but my intention is to get the MAC-Address of an unallowed access, to let this run against an external Database, where all allowed addresses are stored. If the address is not in the Database, the port stays blocked. The Benefit of this Solution is an organisation-wide port-based Solution, maybe with different access levels (Port, Switch, everywhere). I plan to run this with a perl-script, which traces the Syslog. (SNMP would be ok too.) But, unlike the 3500 series, the 2950 doesn't generate a message with the MAC-Address involved.

Any ideas?
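
The syslog check described in this thread, as an added example that is not part of any post: it parses the two message shapes quoted above, looks the MAC up in an allowlist, and flags the port-only 2950 message as needing a separate MAC lookup. It is written in Python rather than Perl; the dotted-hex MAC notation, the action labels, and all sample lines are assumptions constructed for illustration.

```python
import re

# Message shapes as quoted in the thread. Assumption: the MAC is printed in
# Cisco dotted-hex form (e.g. 0000.0c12.3456); colon/hyphen forms also parse.
RE_WITH_MAC = re.compile(r"Security violation occurred on module (\d+) port (\d+) "
                         r"caused by MAC address (\S+)")
RE_PORT_ONLY = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[.:-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def classify(line, allowed):
    """Turn one syslog line into a decision dict; None for unrelated lines."""
    m = RE_WITH_MAC.search(line)
    if m:
        port = f"module {m.group(1)} port {m.group(2)}"
        mac = normalize_mac(m.group(3))
        if mac is None:
            return {"port": port, "mac": None, "action": "needs-mac-lookup"}
        # Hypothetical action labels: the database decides whether the port stays blocked.
        action = "in-database" if mac in allowed else "stays-blocked"
        return {"port": port, "mac": mac, "action": action}
    m = RE_PORT_ONLY.search(line)
    if m:
        # This message names only the port, so the database cannot be consulted.
        return {"port": m.group(1), "mac": None, "action": "needs-mac-lookup"}
    return None

def triage(lines, allowed):
    """Classify every line and drop the ones unrelated to port security."""
    return [d for d in (classify(l, allowed) for l in lines) if d is not None]

# Constructed sample data: hostnames, timestamps and MAC addresses are made up.
ALLOWED = {normalize_mac("0000.0c12.3456")}
SAMPLE_LOG = [
    "Mar  1 00:01:02 sw3500 Security violation occurred on module 0 port 1 caused by MAC address 0000.0c12.3456",
    "Mar  1 00:02:10 sw3500 Security violation occurred on module 0 port 4 caused by MAC address 0010.a4ff.0001",
    "Mar  1 00:03:45 sw2950 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/21, putting Fa0/21 in err-disable state",
    "Mar  1 00:04:00 sw2950 %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for decision in triage(SAMPLE_LOG, ALLOWED):
        print(decision)
```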
