cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
351
Views
0
Helpful
5
Replies

ip phone mac address changed and back again

Hello Bro,

             I have a case here that confused us here.

a switch port with connected ip phone in a voice vlan and pc connected through the ip phone in access vlan.

everyhting is going well but last night at 5:38AM "where no one in the office" this port went into errdiable state and the log was ...

<186>14483: May 24 2022 05:38:08: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0024.9733.822d on port GigabitEthernet1/0/28.

....

we are pretty sure no one was at the office to connect a violating device.

from the log and port configuration we can see the the actual ip phone mac address mostly similar to the violating mac address.

the ques. is that. is it possible for the device or the port to suddenly recieve a mac address that is not configured physically on the device ? check the below SHOWs for more details.

 

port config as follow:

-------------------------

interface GigabitEthernet1/0/28
description To PC and IP phone
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 5
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0024.14b3.822d vlan voice
switchport port-security mac-address sticky 509a.4c31.c1f9
switchport port-security
mls qos trust device cisco-phone
mls qos trust cos
spanning-tree portfast
end

----------------

EFTA-2960-6thEDG-21#sho int gi 1/0/28
GigabitEthernet1/0/28 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 00e1.6df6.411c (bia 00e1.6df6.411c)
Description: To PC and IP phone
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:20, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 143660
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 32000 bits/sec, 40 packets/sec
14615423 packets input, 3763755943 bytes, 0 no buffer
Received 1047329 broadcasts (798935 multicasts)
0 runts, 0 giants, 0 throttles
7 input errors, 6 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 798935 multicast, 0 pause input
0 input packets with dribble condition detected
186956470 packets output, 109963553742 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

-------------------------------------------

Transmit GigabitEthernet1/0/28 Receive
2578305623 Bytes 3763167257 Bytes
72489966 Unicast frames 13564965 Unicast frames
69444673 Multicast frames 798639 Multicast frames
44974129 Broadcast frames 248299 Broadcast frames
0 Too old frames 3651753230 Unicast bytes
0 Deferred frames 83435188 Multicast bytes
0 MTU exceeded frames 24004153 Broadcast bytes
0 1 collision frames 0 Alignment errors
0 2 collision frames 6 FCS errors
0 3 collision frames 0 Oversize frames
0 4 collision frames 0 Undersize frames
0 5 collision frames 0 Collision fragments
0 6 collision frames
0 7 collision frames 6969985 Minimum size frames
0 8 collision frames 3266240 65 to 127 byte frames
0 9 collision frames 1742434 128 to 255 byte frames
0 10 collision frames 731805 256 to 511 byte frames
0 11 collision frames 420424 512 to 1023 byte frames
0 12 collision frames 1481022 1024 to 1518 byte frames
0 13 collision frames 0 Overrun frames
0 14 collision frames 0 Pause frames
0 15 collision frames
0 Excessive collisions 1 Symbol error frames
0 Late collisions 0 Invalid frames, too large
0 VLAN discard frames 0 Valid frames, too large
0 Excess defer frames 0 Invalid frames, too small
15474336 64 byte frames 0 Valid frames, too small
100983585 127 byte frames
3430631 255 byte frames 0 Too old frames
1223793 511 byte frames 0 Valid oversize frames
548092 1023 byte frames 0 System FCS error frames
65248331 1518 byte frames 0 RxPortFifoFull drop frame
0 Too large frames
0 Good (1 coll) frames
0 Good (>1 coll) frames

5 REPLIES 5
Flavio Miranda
Advisor

Hi

 Check if the switch time is correct.  The most probably cause is someone connected another phone on this port.  Which IP phone is it? 

I dont believe it can espontaniously change its mac address.

the switch is is correct, checked it

MHM Cisco World
Advisor

check if some one plug Ip phone PC port to other SW port?

Roger Kallberg
VIP Mentor

That’s not very likely. From what I know a phone would not all of a sudden change the MAC address.



Response Signature


Ok, according to the books, mac address soesn't change just by itself we totally agree.

But, I noticed the port suffered from 6 FCS errors. Could these errors cause this sudden mac address change? How can i check the  times "if possible" of these errors? If occurence time met with the violation event time it will mean something? Offices are closed in this very early time to think of mistakenly plugged device.