Port-Security affecting IP Phones.

I know that this issue sounds a little awkward, but we are facing a strange problem in one of our VLANs.

Some port-security events are occurring randomly in this pile (4 computers already faced this problem) and after a while having port-security messages some IP Phones of the same VLAN start to have problems.

We are using some Cisco 7965 as a switch to computers connected to them, and after getting these port-security messages the phone stops sending the access vlan ("blocks" computers communication) but still working on its vlan (voice vlan). The computer gets disconnected and only after rebooting the phone it reconnects and starts to work again. The other computers without an IP phone in between are working fine.

I've already tried to put a computer in the same conditions (with a 7965 Phone in the middle) outside that switch pile (at my desk) but in the same VLAN and it shows the same problem, all of them disconnect at the same time, and if I change the VLAN it stops.

This is the switch pile where it all started and where this VLAN is majorly configured:

######################

SWBRJGS047#sh ver

Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2010 by Cisco Systems, Inc.

Compiled Wed 21-Apr-10 04:49 by prod_rel_team

Image text-base: 0x01000000, data-base: 0x02C00000

ROM: Bootstrap program is C3750 boot loader

BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

SWBRJGS047 uptime is 29 weeks, 3 hours, 42 minutes

System returned to ROM by power-on

System restarted at 04:04:41 BRA Tue Feb 26 2013

System image file is "flash:/c3750-ipbasek9-mz.122-53.SE2/c3750-ipbasek9-mz.122-53.SE2.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

cisco WS-C3750G-48TS (PowerPC405) processor (revision E0) with 131072K bytes of memory.

Processor board ID FOC1051Y6JD

Last reset from power-on

2 Virtual Ethernet interfaces

208 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address       : 00:1A:A2:4C:D6:00

Motherboard assembly number     : 73-10218-08

Power supply part number        : 341-0107-01

Motherboard serial number       : FOC10492Q7M

Power supply serial number      : AZS1045091A

Model revision number           : E0

Motherboard revision number     : C0

Model number                    : WS-C3750G-48TS-S

System serial number            : FOC1051Y6JD

Top Assembly Part Number        : 800-26857-01

Top Assembly Revision Number    : B0

Version ID                      : V03

CLEI Code Number                : CNMWU00ARC

Hardware Board Revision Number  : 0x09

Switch Ports Model              SW Version            SW Image

------ ----- -----              ----------            ----------

*    1 52    WS-C3750G-48TS     12.2(53)SE2           C3750-IPBASEK9-M

     2 52    WS-C3750G-48TS     12.2(53)SE2           C3750-IPBASEK9-M

     3 52    WS-C3750G-48TS     12.2(53)SE2           C3750-IPBASEK9-M

     4 52    WS-C3750G-48TS     12.2(53)SE2           C3750-IPBASEK9-M

Switch 02

---------

Switch Uptime                   : 29 weeks, 3 hours, 37 minutes

Base ethernet MAC Address       : 00:1A:A2:47:28:80

Motherboard assembly number     : 73-10218-08

Power supply part number        : 341-0107-01

Motherboard serial number       : FOC105141K7

Power supply serial number      : AZS104508R7

Model revision number           : E0

Motherboard revision number     : C0

Model number                    : WS-C3750G-48TS-S

System serial number            : FOC1051Y6GH

Top assembly part number        : 800-26857-01

Top assembly revision number    : B0

Version ID                      : V03

CLEI Code Number                : CNMWU00ARC

Switch 03

---------

Switch Uptime                   : 29 weeks, 3 hours, 37 minutes

Base ethernet MAC Address       : 00:1A:A2:24:26:80

Motherboard assembly number     : 73-10218-08

Power supply part number        : 341-0107-01

Motherboard serial number       : FOC10511L64

Power supply serial number      : FXD10170092

Model revision number           : E0

Motherboard revision number     : C0

Model number                    : WS-C3750G-48TS-S

System serial number            : FOC1051Y59Y

Top assembly part number        : 800-26857-01

Top assembly revision number    : B0

Version ID                      : V03

CLEI Code Number                : CNMWU00ARC

Switch 04

---------

Switch Uptime                   : 29 weeks, 3 hours, 37 minutes

Base ethernet MAC Address       : 00:22:0D:A0:CB:00

Motherboard assembly number     : 73-10218-08

Power supply part number        : 341-0107-01

Motherboard serial number       : FOC12255NU7

Power supply serial number      : AZS121903M0

Model revision number           : F0

Motherboard revision number     : C0

Model number                    : WS-C3750G-48TS-S

System serial number            : FOC1226Z19T

Top assembly part number        : 800-26857-02

Top assembly revision number    : A0

Version ID                      : V04

CLEI Code Number                : COM7X10ARA

Configuration register is 0xF

######################

Below the configuration of the last faulty switchport:

interface GigabitEthernet3/0/39

switchport access vlan 122

switchport mode access

switchport voice vlan 199

switchport port-security maximum 5

switchport port-security

switchport port-security aging time 5

switchport port-security violation restrict

switchport port-security aging type inactivity

spanning-tree portfast

spanning-tree bpduguard enable

end

######################

The logs are like this (unfortunately had some problems with the file I've saved the original logs and now the buffer is gone):

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address

A lot of port-security like this with dummy macs until it reaches its maximum (5), then the port gets disconnected and the port-security stops.

We sent a technician there to check those computers and they all seem to be good, no antivirus logs or suspicious software.

Last time it happened after worktime with no one there... pretty strange.

#######################

Port security on that port:

SWBRJGS047#sh port-security interface gi3/0/39

Port Security              : Enabled

Port Status                : Secure-up

Violation Mode             : Restrict

Aging Time                 : 5 mins

Aging Type                 : Inactivity

SecureStatic Address Aging : Disabled

Maximum MAC Addresses      : 5

Total MAC Addresses        : 0

Configured MAC Addresses   : 0

Sticky MAC Addresses       : 0

Last Source Address:Vlan   : 782b.cbc0.514f:122

Security Violation Count   : 0

Another strange thing is that if I do a SH PORT-SECURITY and check the counters of this interface I get

   Gi3/0/39              5            0                  0         Restrict

As if nothing happened.

Thanks in advance.

Daniel

3 REPLIES
New Member

Port-Security affecting IP Phones.

Another interesting info is how many input and crc errors that port generated:

SWBRJGS047#sh int gi3/0/39

GigabitEthernet3/0/39 is up, line protocol is up (connected)

  Hardware is Gigabit Ethernet, address is 001a.a224.26a7 (bia 001a.a224.26a7)

  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output 00:00:11, output hang never

  Last clearing of "show interface" counters 1w0d

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 22000 bits/sec, 23 packets/sec

     5038316 packets input, 13206895772 bytes, 0 no buffer

     Received 531194 broadcasts (520189 multicasts)

     150634 runts, 406410 giants, 0 throttles

     7773196 input errors, 7285069 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 520189 multicast, 0 pause input

     0 input packets with dribble condition detected

     10983415 packets output, 6984224471 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out
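
The following is an added example, not code from any poster in this thread: it tallies the distinct MAC addresses behind PSECURE_VIOLATION messages per port and sets them beside the input-error counters from `show interface`, the two symptoms reported above. The syslog sample is constructed (made-up MACs in the standard IOS message text), the counter lines are copied from the Gi3/0/39 output in the thread, and `mac_threshold` is an assumed value matching the configured maximum of 5.

```python
import re
from collections import defaultdict

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by "
    r"MAC address ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (\S+?)\.?$", re.I | re.M)
COUNTERS = {"packets_input": r"(\d+) packets input", "input_errors": r"(\d+) input errors",
            "crc": r"(\d+) CRC", "runts": r"(\d+) runts", "giants": r"(\d+) giants"}

# Constructed syslog: six made-up MACs on the port named in the thread.
SAMPLE_SYSLOG = "\n".join(
    "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    f"caused by MAC address 0200.0000.{i:04x} on port GigabitEthernet3/0/39."
    for i in range(1, 7))
# Counter lines copied from the 'sh int gi3/0/39' output posted in the thread.
SAMPLE_SHOW_INT = """\
     5038316 packets input, 13206895772 bytes, 0 no buffer
     150634 runts, 406410 giants, 0 throttles
     7773196 input errors, 7285069 CRC, 0 frame, 0 overrun, 0 ignored
"""

def violations_by_port(syslog):
    """Map port -> set of distinct MACs that triggered a violation."""
    seen = defaultdict(set)
    for mac, port in VIOLATION.findall(syslog):
        seen[port].add(mac.lower())
    return dict(seen)

def input_counters(show_int):
    """Extract input-side counters from one 'show interface' block (0 if absent)."""
    found = {name: re.search(pat, show_int) for name, pat in COUNTERS.items()}
    return {name: int(m.group(1)) if m else 0 for name, m in found.items()}

def triage(syslog, show_int_by_port, mac_threshold=5):
    """Per port: distinct violating MACs plus physical-layer error counters."""
    report = {}
    for port, macs in violations_by_port(syslog).items():
        c = input_counters(show_int_by_port.get(port, ""))
        # CRC errors per 1000 counted input packets; None when no counters given.
        rate = 1000 * c["crc"] // c["packets_input"] if c["packets_input"] else None
        report[port] = {"distinct_macs": len(macs),
                        "many_macs": len(macs) >= mac_threshold,
                        "crc_per_1000_input": rate, **c}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG, {"GigabitEthernet3/0/39": SAMPLE_SHOW_INT}))
```

A `crc_per_1000_input` value above 1000 means the CRC counter is larger than the input packet counter, which is the case for the figures posted for Gi3/0/39.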

Re: Port-Security affecting IP Phones.

Do these pcs also have wireless nics enabled?

Sent from Cisco Technical Support iPad App

New Member

Hi,

I apologize for bringing this old post back, but I wonder if you ever found a root cause.

I'm facing a very similar issue.

Thanks
