Security violations by Cisco AP's.

I have a question for the group. This is something new that has recently started occurring.

We are running WiSM's with 7.0.230.0 code.

We have a mix of 1232, 1142, 1252 on the campus.

The AP's affected appear to be 1232. In the past few weeks we have seen network ports for these AP's going to an error disable state.

This is not from static speed and duplex but from exceeding the maximum number of MAC addresses. Currently we have that threshold set to 24.

The question is why has this started and why is it affecting the 1232 right now?

Michael

Threshold Alarm: err-disable port

FIRST EVENT DATE:        03/28/2012 11:59:12 AM (GMT-05:00) Eastern Time (US & Canada)
LAST EVENT DATE:         03/28/2012 11:59:12 AM (GMT-05:00) Eastern Time (US & Canada)
ALARM DATE:              03/28/2012 11:59:15 AM (GMT-05:00) Eastern Time (US & Canada)
CLASSIFICATION:          Warning
ALARM ID:                88355
PRIORITY:                23.00
DIRECTION:               Local
ORIGIN HOST:             hr5c1.xxx.xxx (10.xxx.xxx.xxx) *
EVENT COUNT:             1
IMPACTED HOST:           hr5c1.xxx.xxx (10.xxx.xxx.xxx) *
COMMON EVENT:            PM-4-ERR_DISABLE
ALARM RULE NAME:         err-disable port

2 REPLIES

Re: Security violations by Cisco AP's.

Michael:

What is the mode of your AP? Local or anything else?

With APs talking to the WLC in a tunnel, the AP sends to the WLC from one MAC address, and the clients' MAC addresses should be included inside the tunnel.

Is the affected port directly connected to the AP, or is it connected to the switch to which the AP is directly connected?

With the 1230 APs being a bit old, this could possibly be a compatibility bug, but this needs more investigation to verify. We need to know what the MAC addresses are that cause the problem and what the source is.

Thanks

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: Security violations by Cisco AP's.

The AP mode is local and it is directly connected to the switch port in question.

Building configuration...

Current configuration : 298 bytes
!
interface GigabitEthernet1/47
 description wireless
 switchport access vlan 798
 switchport mode access
 switchport port-security maximum 24
 switchport port-security
 snmp trap mac-notification change added
 no snmp trap link-status
 spanning-tree portfast
 ip dhcp snooping limit rate 100
end

GigabitEthernet1/47 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet Port, address is 0011.2184.6e2e (bia 0011.2184.6e2e)
  Description: wireless
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:31, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     2168804 packets input, 242080618 bytes, 0 no buffer
     Received 502876 broadcasts (445252 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     47087248 packets output, 3312028112 bytes, 0 underruns
     0 output errors, 0 collisions, 13 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

hr5c1#sh logg | inc 1/47
000785: .Mar 22 15:17:00.630: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
000786: .Mar 22 15:17:00.630: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 24ab.815b.f7c4 on port GigabitEthernet1/47.
000787: 000025: .Mar 22 15:17:00.747: %PM-4-ERR_DISABLE: STANDBY:psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
000814: Mar 28 11:59:30.512: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
000815: Mar 28 11:59:30.512: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 50ea.d695.a57f on port GigabitEthernet1/47.
000816: 000026: .Mar 28 11:59:30.628: %PM-4-ERR_DISABLE: STANDBY:psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
hr5c1#

Internet  10.1.200.65           194   0011.93b7.fea9
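
An added example, not part of the original thread: a Python parser that pulls out which MAC addresses tripped port security on which port, run over the six log lines posted above. The function names are hypothetical, and treating the STANDBY: lines as a second copy of the same event is an assumption.

```python
import re
from collections import defaultdict

# The six log lines posted in the thread ("sh logg | inc 1/47").
SAMPLE_LOG = """\
000785: .Mar 22 15:17:00.630: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
000786: .Mar 22 15:17:00.630: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 24ab.815b.f7c4 on port GigabitEthernet1/47.
000787: 000025: .Mar 22 15:17:00.747: %PM-4-ERR_DISABLE: STANDBY:psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
000814: Mar 28 11:59:30.512: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
000815: Mar 28 11:59:30.512: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 50ea.d695.a57f on port GigabitEthernet1/47.
000816: 000026: .Mar 28 11:59:30.628: %PM-4-ERR_DISABLE: STANDBY:psecure-violation error detected on Gi1/47, putting Gi1/47 in err-disable state
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
VIOLATION = re.compile(TS + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
                       r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>[^\s.]+)")
ERR_DISABLE = re.compile(TS + r"%PM-4-ERR_DISABLE: (?P<standby>STANDBY:)?"
                         r"psecure-violation error detected on (?P<port>[^\s,]+)")

def short_port(name):
    """Normalise 'GigabitEthernet1/47' to 'Gi1/47' so both message types join."""
    return name.replace("GigabitEthernet", "Gi")

def mac_info(mac):
    """Return the OUI and the locally-administered flag for a dotted MAC."""
    digits = mac.replace(".", "")
    first_octet = int(digits[:2], 16)
    return {"oui": digits[:6], "locally_administered": bool(first_octet & 0x02)}

def summarize(log):
    """Per port: err-disable events (STANDBY copies skipped) and the MACs behind them."""
    ports = defaultdict(lambda: {"err_disable": 0, "violations": []})
    for line in log.splitlines():
        if m := VIOLATION.search(line):
            entry = dict(mac=m["mac"], ts=m["ts"], **mac_info(m["mac"]))
            ports[short_port(m["port"])]["violations"].append(entry)
        elif (m := ERR_DISABLE.search(line)) and not m["standby"]:
            # Assumption: a STANDBY: line repeats an event already counted.
            ports[short_port(m["port"])]["err_disable"] += 1
    return dict(ports)

if __name__ == "__main__":
    for port, data in summarize(SAMPLE_LOG).items():
        print(port, "err-disable events:", data["err_disable"])
        for v in data["violations"]:
            print("  ", v["ts"], v["mac"], "OUI", v["oui"],
                  "locally administered" if v["locally_administered"] else "vendor-assigned")
```

The OUIs it reports can then be compared with the AP's own Ethernet MAC to see whether the addresses that tripped the limit belong to the AP or to something behind it.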
