Port Security violation, please help

radoslav-drabik
Level 1

Hi,

I've got a problem with port security on port Fast4/4. There is currently a Cisco IP phone 7961 connected and nothing else. I still get PSECURE_VIOLATION. What can cause the problem? Please help. Thank you.

Here are my logs and configuration:

#show logging
Dec 27 10:21:05.631 CET: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa4/4, putting Fa4/4 in err-disable state
Dec  27 10:21:05.639 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 10:24:05.646 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4
Dec 27 13:14:51.073 CET: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa4/4, putting Fa4/4 in err-disable state
Dec  27 13:14:51.077 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 13:17:51.072 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4
Dec 27 14:32:39.083 CET: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa4/4, putting Fa4/4 in err-disable state
Dec  27 14:32:39.087 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 14:35:39.081 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4
Dec 27 15:16:59.369 CET: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa4/4, putting Fa4/4 in err-disable state
Dec  27 15:16:59.373 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 15:19:59.356 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4

#show mac address-table interface fasTEthernet 4/4
Unicast Entries
vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
412    0023.339c.e1cf    static ip,ipx,assigned,other FastEthernet4/4    

Multicast Entries
vlan    mac address     type    ports
-------+---------------+-------+--------------------------------------------
112    ffff.ffff.ffff   system Fa4/1,Fa4/2,Fa4/3,Fa4/4,Fa4/6,Fa4/9,Fa4/10
                                Fa4/11,Fa4/12,Fa4/14,Fa4/15,Fa4/17,Fa4/18
                                Fa4/33,Fa4/35,Fa4/40,Fa4/41,Fa4/43,Fa4/44
                                Fa4/45,Fa4/46,Fa4/47,Fa4/48,Fa5/48,Gi1/1
                                Gi1/2,Switch
412    ffff.ffff.ffff   system Fa4/1,Fa4/2,Fa4/3,Fa4/4,Fa4/6,Fa4/9,Fa4/10
                                Fa4/11,Fa4/12,Fa4/14,Fa4/15,Fa4/17,Fa4/18
                                Fa4/33,Fa4/35,Fa4/40,Fa4/41,Fa4/43,Fa4/44
                                Fa4/45,Fa4/46,Fa4/47,Fa4/48,Fa5/48,Gi1/1
                                Gi1/2,Switch


#show port-security interface fastEthernet 4/4
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 1 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0023.339c.e1cf:412
Security Violation Count   : 0


#interface FastEthernet4/4
switchport access vlan 112
switchport mode access
switchport voice vlan 412
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no logging event link-status
load-interval 60
qos vlan-based
no snmp trap link-status
tx-queue 3
   priority high
ip dhcp snooping limit rate 10
end

#show cdp neighbors fastEthernet 4/4
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEP0023339CE1CF  Fas 4/4           168             H P M  IP Phone  Port 1


#show power inline fastEthernet 4/4
Available:3700(w)  Used:685(w)  Remaining:3015(w)

Interface Admin  Oper            Power(Watts)     Device              Class
                            From PS    To Device                   
--------- ------ ---------- ---------- ---------- ------------------- -----

Fa4/4     auto   on         7.1        6.3        IP Phone 7961       2 

Interface  AdminPowerMax   AdminConsumption   
             (Watts)           (Watts)          
---------- --------------- --------------------

Fa4/4                 15.4                 15.4


#show ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(50)SG6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 23:12 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x11C3225C

ROM: 12.2(31r)SGA1
Dagobah Revision 226, Swamp Revision 34

cza-ua-12300a uptime is 34 weeks, 16 hours, 53 minutes
System returned to ROM by reload
System restarted at 21:28:42 CEST Mon May 3 2010
System image file is "bootflash:cat4500-ipbasek9-mz.122-50.SG6.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C4506 (MPC8245) processor (revision 10) with 262144K bytes of memory.
Processor board ID FOX1222GVRS
MPC8245 CPU at 266Mhz, Supervisor II+
Last reset from Reload
6 Virtual Ethernet interfaces
192 FastEthernet interfaces
2 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2101
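The log cycle above (violation, err-disable, recovery three minutes later) is easy to pull apart with a small parser. This is an added example, not code from the original post: it reads lines in the shape shown, counts violations per (port, MAC) and measures the err-disable-to-recovery delay, so a repeated trip by one already-known MAC stands out from a genuinely new device. The log text is constructed from the post's format with the same port and MAC but invented timestamps.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the thread's "show logging" output (same port and MAC,
# invented timestamps); the double spaces the forum rendering added are handled by \s+.
SAMPLE_LOG = """\
Dec 27 10:21:05.631 CET: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa4/4, putting Fa4/4 in err-disable state
Dec  27 10:21:05.639 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 10:24:05.646 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4
Dec 27 13:14:51.073 CET: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa4/4, putting Fa4/4 in err-disable state
Dec  27 13:14:51.077 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 13:17:51.072 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4
"""

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+ \w+: "
VIOLATION = re.compile(TS + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (?P<mac>[0-9a-f.]+) on port\s+(?P<port>\S+)\.")
ERRDISABLE = re.compile(TS + r"%PM-4-ERR_DISABLE: psecure-violation .*putting (?P<port>\S+) in err-disable")
RECOVER = re.compile(TS + r"%PM-4-ERR_RECOVER: .*err-disable state on (?P<port>\S+)")

def parse_ts(s, year=2000):
    # IOS syslog lines carry no year; a fixed year is enough for deltas within one log.
    return datetime.strptime(f"{year} {' '.join(s.split())}", "%Y %b %d %H:%M:%S")

def short(port):
    # PM messages name the port "Fa4/4", PORT_SECURITY messages "FastEthernet4/4".
    return port.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")

def summarize(log_text):
    """Return ({(port, mac): violation count}, {port: [seconds from err-disable to recovery]})."""
    violations, pending, recovery = {}, {}, {}
    for line in log_text.splitlines():
        if m := VIOLATION.match(line):
            key = (short(m["port"]), m["mac"])
            violations[key] = violations.get(key, 0) + 1
        elif m := ERRDISABLE.match(line):
            pending[m["port"]] = parse_ts(m["ts"])
        elif (m := RECOVER.match(line)) and m["port"] in pending:
            delta = parse_ts(m["ts"]) - pending.pop(m["port"])
            recovery.setdefault(m["port"], []).append(delta.total_seconds())
    return violations, recovery

def repeat_offenders(violations, threshold=2):
    """(port, mac) pairs tripping port security repeatedly. A MAC already secured on the port
    doing this points at address counting or a flaky link rather than a second device."""
    return sorted(k for k, n in violations.items() if n >= threshold)
```

The 180-second gaps the parser reports are the errdisable recovery interval, which is why the port keeps coming back up on its own.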

9 Replies

Try disabling port security and check how many MAC addresses are learned after 5 minutes, 10 minutes and 30 minutes.
In this way you can verify whether the problem is the maximum number of MACs.


from cisco doc:
When an IP phone is connected to a switch through the switchport configured for voice VLAN, the phone sends untagged CDP packets and tagged voice CDP packets. So the MAC address of the IP phone is learned on both the PVID and the VVID. If the appropriate number of secure addresses are not configured, you can get an error message.
You must set the maximum allowed secure addresses on the port to two (for IP phone) plus the maximum number of secure addresses allowed on the access VLAN in order to resolve this issue.

Regards.

I have seen both versions in the Cisco Literature

When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swtrafc.html#wp1038501

This is an old post but related to my question:

We are using Cisco IP phones with 1 PC hanging off of them.

we are using port security with sticky mac:  basically everything works ok, but sometimes I can clear the port, but it just errors back out.

The port config is :

Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access

which is the same in the above post:

I will issue the clear arp, clear mac add d, clear port all, clear port stick interface (INT) then I go into conf t, then the interface, and do  shut, no shut.

it works 97% of the time.

what I mean is that it always clears the port, but the port will re-error out.

so I have to change the max from 2 to 4 and the access vlan and voice vlan from 1 to 2 and then it works fine.

any idea why?

Hi slotking22,

first of all, remember that port-security is defined by MAC & VLAN.

Sometimes, when the Phone boots the Phone MAC is associated to the Data VLAN first and after that to the Voice VLAN ... if you use the 'maximum 2' you will reach a violation because you will have 3x MAC & VLAN info:

Phone MAC in Data VLAN

Phone MAC in Voice VLAN

PC in Data VLAN

Because of that, it's recommended to use at least 'maximum 3' ... I personally use 'maximum 5'.

Hope this helps.
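The counting rule in this reply, secured entries being (MAC, VLAN) pairs, can be replayed in a few lines. This is an added example, not the poster's code: a toy model of one port's secure-address table with a per-port maximum and optional per-VLAN caps, run through the phone-then-PC boot order described above. The VLAN numbers are the ones from the thread's port config; the PC MAC is invented.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    """Toy model of one port's secure-address table. As the reply above says, entries are
    (MAC, VLAN) pairs, capped by a per-port maximum and optional per-VLAN maximums."""
    maximum: int
    vlan_role: dict                                   # vlan id -> "access" or "voice"
    per_vlan_max: dict = field(default_factory=dict)  # role -> cap, e.g. {"voice": 1, "access": 1}
    secure: set = field(default_factory=set)
    violations: list = field(default_factory=list)

    def learn(self, mac, vlan):
        """Offer a source (MAC, VLAN) to the port; True if secured, False if it violates."""
        key = (mac, vlan)
        if key in self.secure:
            return True                        # already secured on this VLAN: nothing new
        in_vlan = sum(1 for _, v in self.secure if v == vlan)
        vlan_cap = self.per_vlan_max.get(self.vlan_role.get(vlan))
        if len(self.secure) >= self.maximum or (vlan_cap is not None and in_vlan >= vlan_cap):
            self.violations.append(key)        # a real switch applies shutdown/restrict/protect here
            return False
        self.secure.add(key)
        return True

# Constructed sample: the thread's phone MAC plus an invented PC MAC; VLANs from the port config.
PHONE, PC = "0023.339c.e1cf", "0000.1111.2222"
ROLES = {112: "access", 412: "voice"}

def phone_and_pc_boot(maximum, per_vlan_max=None):
    """Replay the boot order described in the reply: phone MAC seen first on the data VLAN,
    then on the voice VLAN, then the PC behind the phone on the data VLAN."""
    ps = PortSecurity(maximum, ROLES, per_vlan_max or {})
    for mac, vlan in [(PHONE, 112), (PHONE, 412), (PC, 112)]:
        ps.learn(mac, vlan)
    return len(ps.secure), ps.violations
```

With `maximum 2` the PC is the third pair and violates; with `maximum 3` (or the 4/2/2 split slotking22 ended up with) all three pairs fit.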

dijohn
Cisco Employee

Hey I think I figured out what the problem is...

Example 1: Configuring Maximum MAC Addresses for Voice and Data VLANs

This example shows how to designate a maximum of one MAC address for a voice VLAN (for a Cisco IP Phone, let's say) and one MAC address for the data VLAN (for a PC, let's say) on Fast Ethernet interface 5/1 and to verify the configuration:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fa5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1 vlan voice
Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# end


Make sure you give the "voice" and "access" in the end.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/port_sec.html

Here's a random fact

Prior to Cisco IOS Release 12.2(31)SG, you required three MAC addresses as the maximum parameter to support an IP Phone and a PC. With Cisco IOS Release 12.2(31)SG and later releases, the maximum parameter must be configured to two, one for the phone and one for the PC.

Let me know how that works out for you.

Please rate the post if it's helpful.


Here's another post on the CSC

https://learningnetwork.cisco.com/message/75452

Hi,

I've tried to change Violation mode to "Restrict" and today I have got this:

#show port-security interface fastEthernet 4/4
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 1 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0023.339c.e1cf:412
Security Violation Count   : 3

#show logging

Dec  27 14:32:39.087 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 14:35:39.081 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4
Dec 27 15:16:59.369 CET: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa4/4, putting Fa4/4 in err-disable state
Dec  27 15:16:59.373 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.
Dec 27 15:19:59.356 CET: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa4/4
Dec  29 04:01:19.048 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security  violation occurred, caused by MAC address 0023.339c.e1cf on port  FastEthernet4/4.


On Thursday, I am going to plug this phone into another port and will see. If the problem persists I will replace that phone. I will let you know the result. In the meantime I will try to use sticky mac-address to see what MACs do that (dijohn's advice).

Thank you all for your responses.

Hi,

Just some update. I've tried to configure sticky MAC address and I still get the same error and violation count is incrementing.

Dec 29 12:32:03.147 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0023.339c.e1cf on port FastEthernet4/4.

#show port-security int fast 4/4
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 1 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0023.339c.e1cf:412
Security Violation Count   : 5

#interface FastEthernet4/4
switchport access vlan 112
switchport mode access
switchport voice vlan 412
switchport port-security maximum 3
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0023.339c.e1cf vlan voice
no logging event link-status
load-interval 60
qos vlan-based
no snmp trap link-status
tx-queue 3
   priority high
ip dhcp snooping limit rate 10
end

Problem solved.

There were no errors on the switch port. But when I looked at the phone statistics I found these:

Rx crcErr          00135361  (incrementing rapidly)

Rx alignErr        00001891

I didn't see anything on the switch (show int fast 4/4) but Rx crcErr were incrementing on the phone rapidly.

Wiring issues....

Thanks.

thanks for your good information Radoslav.

 

I have a problem same as your case now, can you please advise me what thing you did then the issue solved?
