Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
790
Views
4
Helpful
7
Replies

port security problem

deniska2006
Level 1
Level 1

‎09-05-2006 07:22 PM - last edited on ‎03-25-2019 03:04 PM by Community Manager

Hi

We have Host A connected to switch SA and Host B connected to switch SB. Switches SA and SB connected to Catalyst 6509 via trunk with RSTP configured. There is no direct link between SA and SB. During initial IP Address acquisition (from DHCP which in different VLAN) Port on SA is being blocked by MAC address 0009.bbbc.cccc (6509 MSFC's MAC). And we had situation when port on SA was blocked by by MAC learned on SB (belongs to Host B).

This prob never occur during normal work or sturtup without DHCP request.

Is there any way out?

Please help.

Labels:
0 Helpful
7 Replies 7

o.hassairi
Level 1
Level 1

‎09-07-2006 01:11 AM

what error or log message did you get?

how did you note that Port on SA is being blocked by MAC address 0009.bbbc.cccc (6509 MSFC's MAC?

0 Helpful

deniska2006
Level 1
Level 1
In response to o.hassairi

‎09-07-2006 06:01 PM

SA log:

.Aug 30 07:39:16.554: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state

.Aug 30 07:39:16.562: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0009.bxxx.xxxx on port FastEthernet0/6.

6500:

msfc6500#sh arp | i 0009.bxxx.xxxx

Internet 10.17.110.77 - 0009.bxxx.xxxx ARPA Vlan14

Internet 10.17.120.77 - 0009.bxxx.xxxx ARPA Vlan15

... and so on for each Vlan...

0 Helpful

deniska2006
Level 1
Level 1

‎09-07-2006 06:38 PM

The prom was that we forgot to exclude one of HSRP snandby IP Address from DHCP distribution range. That's why we see MSFC MAC on SA port, Host A was givven MSFC's IP. The reason why we see alien MAC on port (non MSFC) is the same. Host B had static IP and DHCP didn't know that. From now on we know why this's happened but we got another question to CISCO EXPERTS:

IS THIS A BUG OR FEATURE ? Is it the way cisco prevent IP address duplication?

TIA.

0 Helpful

rajinikanth
Level 3
Level 3
In response to deniska2006

‎09-07-2006 11:35 PM

Hi,

DHCP SERVER before leasing any ip address to clients it pings twice for checking whether the ip is already in use or not then only it leases that particular IP.

This way DHCP prevents ip addr duplication

HTH

Thanks

Raj

0 Helpful

deniska2006
Level 1
Level 1
In response to rajinikanth

‎09-08-2006 12:12 AM

to rajinikanth

We have MS DHCP.

RFC does not mention ICMP check, Microsoft neither. Could you give me a bit more information (may be link) so I could find out more about it.

TIA

0 Helpful

deniska2006
Level 1
Level 1
In response to rajinikanth

‎09-08-2006 07:17 PM

Thanks a lot

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card