Cisco 3850 feeding an unmanaged switch mac address violation

NewToAllThis

I have a Cisco 3850 access switch feeding a GS305P Netgear unmanaged switch. The GS305P has 4 Cisco IP phones connected and then the users' computers connected to Ethernet through each of the IP phones. So in theory, 4 phones + 4 PC + GS305P = 9 MAC addresses. I'm receiving the below error constantly:

 

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address

 

This is the configuration for the port on the 3850:

 

switchport access vlan 105
switchport mode access
switchport voice vlan 108
switchport port-security maximum 10
switchport port-security
spanning-tree portfast

 

I have tried "no switchport port-security" but it doesn't appear to do anything.  As seen below, port security is still enabled, and the maximum mac address only shows 3.

 

switch(config-if)#no switchport port-security
switch(config-if)#do show port-security int gi1/0/47
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : xxxx:xxxx:xxxx:xxxx
Security Violation Count : 1184

 

My goal is to either disable port security on the port, or just for the port to allow like 10 mac addresses.

Any help is appreciated!


marce1000

 

 - If you want to test without port-security, you may try default int gi1/0/47 first, in the configuration, then use a 'bare' config (without psec), for instance.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Upon defaulting and just doing access on 105 (wired) and voice on 108 (voice) and then showing port security it's still enabled and giving the violation.

 

interface GigabitEthernet1/0/47
switchport access vlan 105
switchport mode access
switchport voice vlan 108
end


switch(config-if)#do sho port-security int gi1/0/47

 

Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan :xxxx.xxxx.xxxx.xxxx
Security Violation Count : 3667

 

 - Very strange, what if for instance 100 addresses are allowed in a psec-config-situation ?

 M.




Can you post :

 

show port-security interface gi 1/0/47

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

balaji.bandi

I would suggest for int gi1/0/47: make it a trunk with only the VLAN allowed. (spanning-tree portfast is to be used only when an end device is connected.)

To see the issue, debug and see what is wrong; I am sure port-sec is blocking here.

As suggested, you can default the interface, configure it without security and test, then add port-security.

BB


I am defaulting the interface and still it is having port security enabled

 

switch(config-if)#default int gi1/0/47
Interface GigabitEthernet1/0/47 set to default configuration
switch(config)#do sho port-security int gi1/0/47
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 7486.0b8e.xxxx
Security Violation Count : 8669

 

 

196859: *Jun 17 15:43:21: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4269 on port GigabitEthernet1/0/47.
196860: *Jun 17 15:43:26: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4269 on port GigabitEthernet1/0/47.
196861: *Jun 17 15:43:32: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4269 on port GigabitEthernet1/0/47.
196862: *Jun 17 15:43:38: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4269 on port GigabitEthernet1/0/47.
196863: *Jun 17 15:43:43: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4236 on port GigabitEthernet1/0/47.
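
As an added example (not part of any post in this thread, and not Cisco tooling): a Python check that parses `show port-security interface` output and the PSECURE_VIOLATION syslog lines quoted above, then reports whether the operational limit differs from the intended one and which MACs are being rejected. The function names and the `intended_max` parameter are illustrative assumptions.

```python
import re
from collections import Counter

# Added example, illustrative names. Sample input: subset of the output quoted in this thread.
SHOW_OUTPUT = """\
Port Security : Enabled
Maximum MAC Addresses : 3
Total MAC Addresses : 3
"""
SYSLOG = """\
196861: *Jun 17 15:43:32: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4269 on port GigabitEthernet1/0/47.
196862: *Jun 17 15:43:38: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4269 on port GigabitEthernet1/0/47.
196863: *Jun 17 15:43:43: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 7486.0b8e.4236 on port GigabitEthernet1/0/47.
"""

VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: .*?MAC address ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
    r" on port (\S+?)\.?$", re.IGNORECASE | re.MULTILINE)

def parse_show(text):
    """Parse 'Key : Value' lines; split on the first ' : ' only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def violations_by_port(log_text):
    """Return {port: Counter({mac: hits})} for every violation message."""
    ports = {}
    for mac, port in VIOLATION_RE.findall(log_text):
        ports.setdefault(port, Counter())[mac.lower()] += 1
    return ports

def assess(show_text, log_text, port, intended_max=None):
    """Compare operational state with the limit the admin meant to set."""
    state = parse_show(show_text)
    offenders = violations_by_port(log_text).get(port, Counter())
    op_max = int(state["Maximum MAC Addresses"])
    learned = int(state["Total MAC Addresses"])
    return {
        "enabled": state["Port Security"] == "Enabled",
        "table_full": learned >= op_max,
        "limit_mismatch": intended_max is not None and intended_max != op_max,
        # Rough estimate: secure entries plus distinct rejected MACs seen.
        "estimated_hosts": learned + len(offenders),
        "offenders": dict(offenders),
    }
```

Calling `assess(SHOW_OUTPUT, SYSLOG, "GigabitEthernet1/0/47", intended_max=10)` flags the mismatch between the configured maximum of 10 and the operational maximum of 3 shown in the thread.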

 

show port-security interface gi 1/0/47

 

When you are connecting to another switch, I suggest not using voice and data VLAN (and an access port); use a trunk port instead.

 

BB


Hello,

 

try and add all three commands below manually in interface configuration mode:

 

--> no switchport port-security maximum

--> no switchport port-security mac-address sticky

--> no switchport port-security

There has to be something I'm missing as far as why I'm unable to disable port security 

 

switch(config-if)#default int gi1/0/47
Interface GigabitEthernet1/0/47 set to default configuration
switch(config)#do sho run int gi1/0/47
Building configuration...

Current configuration : 39 bytes
!
interface GigabitEthernet1/0/47
end

switch(config)#int gi1/0/47
switch(config-if)#no switchport port-security maximum
switch(config-if)#no switchport port-security mac-address sticky
switch(config-if)#no switchport port-security
switch(config-if)#do sho port-security int gi1/0/47
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : xxxx.xxxx.xxxx
Security Violation Count : 478

switch(config-if)#do sho run int gi1/0/47
Building configuration...

Current configuration : 39 bytes
!
interface GigabitEthernet1/0/47
end

switch(config-if)#do term mon
switch(config-if)#
210812: *Jun 18 16:37:39: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 9c7b.ef73.511d on port GigabitEthernet1/0/47.
210813: *Jun 18 16:37:54: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 9c7b.ef73.511d on port GigabitEthernet1/0/47.

post - show port-security interface gi 1/0/47

 

I would like to see the full show run config and show ver

BB


Here is the show port-security

switch#sho port-security int gi1/0/47
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 9c7b.ef73.511d:105
Security Violation Count : 3051

 

I am not comfortable posting the entire show run as there's some internal information, I am willing though to post a specific section if you could tell me what you're looking for

 

> There has to be something I'm missing as far as why I'm unable to disable port security

 Check the current software version being used on the 3850 too; use an advisory release, especially if the currently running version is dated, and check if that can help.

 M.




This is current version, just upgraded not too long ago

 

Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b, RELEASE SOFTWARE (fc3)

I would suggest trying the config below:

1. Remove the cable connected to the other switch first

2. shutdown the port

3. clear port-security all

 

interface GigabitEthernet 1/0/47
! native VLAN; leave it at the default VLAN 1 if you prefer
switchport trunk native vlan 105
! allow the data and voice VLANs here; if you use VLAN 1, add VLAN 1 as well
switchport trunk allowed vlan 105,108
switchport mode trunk
switchport nonegotiate
! increase the maximum if you need more
switchport port-security maximum 10
switchport port-security violation restrict
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security

 

unshut the port

connect the cable and test it

 

Let me know how this goes.

 

BB
