Err-disabled vlan

Wassim Aouadi
Level 4

Hi,

I have the following config:

interface FastEthernet1/0/37
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 2222
 switchport port-security maximum 4
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 58bc.2775.d83d vlan voice
 ip access-group ACL_VLAN11 in
 priority-queue out
 mls qos trust cos
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 50

The problem is that the computer gets "limited connectivity" when the user launches Microsoft Virtual PC. On this software, there's a virtual computer with a different MAC address. So this counts for 2 MAC addresses (guest and host) on the access vlan.

A "show interface" gave the following:

TNSWACCS01A1#show interface fa1/0/37
FastEthernet1/0/37 is up, line protocol is up (connected) (vlan-err-dis)
  Hardware is Fast Ethernet, address is 0064.4009.6629 (bia 0064.4009.6629)
  Description: *****Aymen hafyenne-******
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:46, output 00:00:46, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 83
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 63000 bits/sec, 45 packets/sec
  5 minute output rate 61000 bits/sec, 44 packets/sec
     798295 packets input, 127873137 bytes, 0 no buffer
     Received 11322 broadcasts (7539 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 7539 multicast, 0 pause input
     0 input packets with dribble condition detected

TNSWACCS01A1#sh int statu err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa1/0/37  *****               connected    security-violation   11

Any idea?
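To see how the port maximum, the per-VLAN maximums and the addresses already secured on the port interact, here is an added Python example (not code from the question or from Cisco). It parses the interface configuration above together with a constructed sample of `show port-security address` output (the two VLAN 11 addresses in it are placeholders, not taken from the poster's switch) and reports, per VLAN, how many secure addresses are in use against the configured maximum, so you can see which VLAN has no headroom left before the next learned MAC becomes a violation.

```python
import re
from collections import defaultdict

# The interface configuration quoted in the question.
IFACE_CONFIG = """\
interface FastEthernet1/0/37
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 2222
 switchport port-security maximum 4
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 58bc.2775.d83d vlan voice
"""

# Constructed sample of `show port-security address` output. The two
# addresses on VLAN 11 are placeholders, not captured from the poster's switch.
SECURE_ADDRESS_TABLE = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                           (mins)
----    -----------       ----                     -----   -------------
  11    0000.0000.0a01    SecureSticky             Fa1/0/37   -
  11    0000.0000.0a02    SecureSticky             Fa1/0/37   -
2222    58bc.2775.d83d    SecureConfigured         Fa1/0/37   -
-----------------------------------------------------------------------------
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice|\d+))?")
ADDR_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def parse_port_security(config):
    """Extract the port-security settings from one interface stanza."""
    ps = {"access_vlan": None, "voice_vlan": None, "port_max": 1,  # IOS default maximum is 1
          "vlan_max": {}, "violation": "shutdown", "sticky": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport access vlan (\d+)", line):
            ps["access_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport voice vlan (\d+)", line):
            ps["voice_vlan"] = int(m.group(1))
        elif m := MAX_RE.fullmatch(line):
            if m.group(2) is None:
                ps["port_max"] = int(m.group(1))       # maximum for the whole port
            else:
                ps["vlan_max"][m.group(2)] = int(m.group(1))  # per-VLAN maximum
        elif m := re.fullmatch(r"switchport port-security violation (\w+)", line):
            ps["violation"] = m.group(1)
        elif line == "switchport port-security mac-address sticky":
            ps["sticky"] = True
    return ps


def vlan_limits(ps):
    """Resolve the 'access'/'voice' keywords of the per-VLAN maximums to VLAN IDs."""
    limits = {}
    for key, maximum in ps["vlan_max"].items():
        if key == "access":
            vid = ps["access_vlan"]
        elif key == "voice":
            vid = ps["voice_vlan"]
        else:
            vid = int(key)
        limits[vid] = maximum
    return limits


def parse_secure_addresses(table, port):
    """Group the secure addresses shown for `port` by VLAN."""
    per_vlan = defaultdict(list)
    for line in table.splitlines():
        m = ADDR_RE.match(line)
        if m and m.group(4).lower() == port.lower():
            per_vlan[int(m.group(1))].append(m.group(2).lower())
    return dict(per_vlan)


def capacity_report(config, table, port):
    """Compare secure addresses in use with the port and per-VLAN maximums."""
    ps = parse_port_security(config)
    limits = vlan_limits(ps)
    addrs = parse_secure_addresses(table, port)
    total = sum(len(macs) for macs in addrs.values())
    report = {"violation": ps["violation"], "port_max": ps["port_max"], "total": total,
              "port_headroom": ps["port_max"] - total, "vlans": {}, "warnings": []}
    for vid, maximum in limits.items():
        if maximum > ps["port_max"]:
            report["warnings"].append(f"vlan {vid}: per-VLAN maximum {maximum} exceeds port maximum {ps['port_max']}")
    for vid in sorted(set(limits) | set(addrs)):
        used = len(addrs.get(vid, []))
        maximum = limits.get(vid, ps["port_max"])  # VLANs without their own limit share the port maximum
        entry = {"used": used, "max": maximum, "headroom": maximum - used}
        if entry["headroom"] <= 0:
            report["warnings"].append(f"vlan {vid}: {used}/{maximum} secure addresses, next new MAC is a violation")
        report["vlans"][vid] = entry
    return report


if __name__ == "__main__":
    rep = capacity_report(IFACE_CONFIG, SECURE_ADDRESS_TABLE, "Fa1/0/37")
    print(f"port max {rep['port_max']}, in use {rep['total']}, violation mode {rep['violation']}")
    for vid, e in rep["vlans"].items():
        print(f"  vlan {vid}: {e['used']}/{e['max']} (headroom {e['headroom']})")
    for w in rep["warnings"]:
        print("  WARNING:", w)
```

With the constructed table, VLAN 11 already holds two sticky addresses against a per-VLAN maximum of 2, so a third address on that VLAN (for instance a second virtual machine, or a previously learned sticky entry plus host and guest) would be the violation that the `sh int statu err-disabled` output attributes to VLAN 11, even though the port as a whole still has one address of headroom. Running the same report after `show port-security address` on the real switch shows whether the per-VLAN limit or the port limit is the one being hit.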


p.mcgowan
Level 3

Looks like there is a security violation.

Have you maxed the number of MACs on the port?

You can check this with the following command:

"show port-security address"

You might also want to try without the sticky command.

This guide explains more on port security:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html

Yes, I increased it already. I configured 4 MACs: two for voice plus two for access.

Why did I choose two for access? Because the user has Microsoft Virtual PC with one host, so the switch port will learn two MAC addresses on its access vlan.

The user port also has dot1x configured. I thought that our switch asked for authentication, and since machine authentication is configured on ACS and the Virtual PC is not machine-authenticated, it is not authorized:

Jul 14 10:43:54.714 UTC: dot1x-ev(Fa1/0/37): Sending event (2) to Auth Mgr for 0000.0000.0000
Jul 14 10:43:54.714 UTC: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771
Jul 14 10:43:54.714 UTC: dot1x-ev(Fa1/0/37): Received Authz fail for the client  0x54000938 (0000.0000.0000)
Jul 14 10:43:54.714 UTC: dot1x-ev(Fa1/0/37): Deleting client 0x54000938 (0000.0000.0000)
Jul 14 10:43:54.714 UTC: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771
Jul 14 10:43:54.714 UTC: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771
Jul 14 10:43:54.714 UTC: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771

Am I right?
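The question above is whether the 'no-response' result, the failover and the final %AUTHMGR-5-FAIL all belong to one authentication attempt. As an added example (not from the post or from Cisco), here is a Python parser that correlates %AUTHMGR syslog messages by AuditSessionID, so each attempt becomes one record carrying the methods tried, their results and the final outcome, and then counts exhausted-and-denied attempts per interface. The sample input is the post's own log lines plus one constructed SUCCESS line on a second port whose MAC and session ID are placeholders.

```python
import re
from collections import OrderedDict

# Sample input: the %AUTHMGR and dot1x-ev lines from the post, plus one constructed
# SUCCESS line on another port for contrast (its MAC and session ID are placeholders).
SAMPLE_LOG = """\
Jul 14 10:43:54.714 UTC: dot1x-ev(Fa1/0/37): Sending event (2) to Auth Mgr for 0000.0000.0000
Jul 14 10:43:54.714 UTC: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771
Jul 14 10:43:54.714 UTC: dot1x-ev(Fa1/0/37): Received Authz fail for the client  0x54000938 (0000.0000.0000)
Jul 14 10:43:54.714 UTC: dot1x-ev(Fa1/0/37): Deleting client 0x54000938 (0000.0000.0000)
Jul 14 10:43:54.714 UTC: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771
Jul 14 10:43:54.714 UTC: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771
Jul 14 10:43:54.714 UTC: %AUTHMGR-5-FAIL: Authorization failed for client (Unknown MAC) on Interface Fa1/0/37 AuditSessionID 0A64FE0B0000012818AA3771
Jul 14 10:45:02.101 UTC: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.0000.0b01) on Interface Fa1/0/38 AuditSessionID 0A64FE0B00000129AAAAAAAA
"""

# One regex for the common envelope of every %AUTHMGR line, then small ones for the body.
AUTHMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+): %AUTHMGR-(?P<sev>\d)-(?P<mnemonic>\w+): "
    r"(?P<msg>.*?) on Interface (?P<iface>\S+) AuditSessionID (?P<sid>\w+)\s*$")
CLIENT_RE = re.compile(r"for client \((?P<client>[^)]*)\)")
RESULT_RE = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>[^']+)'")
FAILOVER_RE = re.compile(r"Failing over from '(?P<method>[^']+)'")


def new_session(m):
    """Empty per-session record, keyed later by AuditSessionID."""
    return {"interface": m["iface"], "client": None, "results": OrderedDict(),
            "failed_over_from": [], "exhausted": False, "outcome": "pending",
            "first_seen": m["ts"], "last_seen": m["ts"]}


def summarize_sessions(log):
    """Fold %AUTHMGR syslog lines into one record per AuditSessionID."""
    sessions = OrderedDict()
    for line in log.splitlines():
        m = AUTHMGR_RE.match(line)
        if not m:
            continue  # dot1x-ev debug output has no session ID and is skipped
        s = sessions.setdefault(m["sid"], new_session(m))
        s["last_seen"] = m["ts"]
        if c := CLIENT_RE.search(m["msg"]):
            s["client"] = c["client"]  # "Unknown MAC" until the supplicant identifies itself
        mnemonic = m["mnemonic"]
        if mnemonic == "RESULT" and (r := RESULT_RE.search(m["msg"])):
            s["results"][r["method"]] = r["result"]        # e.g. dot1x -> no-response
        elif mnemonic == "FAILOVER" and (f := FAILOVER_RE.search(m["msg"])):
            s["failed_over_from"].append(f["method"])      # method given up on
        elif mnemonic == "NOMOREMETHODS":
            s["exhausted"] = True                          # no mab/webauth fallback left
        elif mnemonic == "FAIL":
            s["outcome"] = "fail"
        elif mnemonic == "SUCCESS":
            s["outcome"] = "success"
    return sessions


def failures_by_interface(sessions):
    """Count sessions that exhausted every method and were denied, per interface."""
    counts = {}
    for s in sessions.values():
        if s["outcome"] == "fail" and s["exhausted"]:
            counts[s["interface"]] = counts.get(s["interface"], 0) + 1
    return counts


if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_LOG).items():
        print(f"{sid} {s['interface']} client={s['client']!r} "
              f"results={dict(s['results'])} exhausted={s['exhausted']} outcome={s['outcome']}")
    print("exhausted-and-failed per interface:", failures_by_interface(summarize_sessions(SAMPLE_LOG)))
```

Correlating on AuditSessionID rather than on the interface keeps separate attempts on the same port apart, and the summary for the post's session shows the chain the poster describes: one method (dot1x), result 'no-response', failover with no further method, then the denial. For monitoring, a growing count from `failures_by_interface` on a single access port is a useful signal that a device behind it (here, a virtual machine without a supplicant or machine account) is being denied, which is worth knowing before port-security also trips on that port.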


Does this work if you remove the "switchport port-security mac-address sticky" command?

switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security mac-address sticky
switchport port-security mac-address sticky 58bc.2775.d83d vlan voice

Wow.  That's very, very strict.  Can I buy a vowel? 

I did a "clear port-sec sticky interface..." and it did not solve the problem.

Leo, security policies in my company are tight.
