errors port-security Security violation occurred

hi all

we have a stack of C3650 running 16.6.4a

and experienced the following errors for both ports Gi2/0/2 and Gi1/0/2 during the night:

 

%PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/2, putting Gi2/0/2 in err-disable state

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address "telephone" on port GigabitEthernet2/0/2

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi2/0/2

 

this has been repeating for several hours, causing short interruptions while using the phones;

in order to resolve the issue we did "no port security" on both ports;

as per the user, there are no PCs/laptops connected;

what else may we check?

 

here some outputs:

#sh run int Gi2/0/2
Building configuration...

Current configuration : 458 bytes
!
interface GigabitEthernet2/0/2
description Telephones
switchport access vlan 300
switchport mode access
switchport nonegotiate
switchport port-security maximum 3
switchport port-security aging time 10
switchport port-security aging type inactivity
no logging event link-status
no cdp enable
no snmp trap link-status
no mdix auto
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 20
ip dhcp snooping trust
end

 

sh run int Gi1/0/2
Building configuration...

Current configuration : 458 bytes
!
interface GigabitEthernet1/0/2
description Telephones
switchport access vlan 300
switchport mode access
switchport nonegotiate
switchport port-security maximum 3
switchport port-security aging time 10
switchport port-security aging type inactivity
no logging event link-status
no cdp enable
no snmp trap link-status
no mdix auto
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping limit rate 20
ip dhcp snooping trust
end

 

=========================

sh port-security interface Gi2/0/2
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0080.9ff4.aaa
Security Violation Count : 1254

 

sh port-security interface Gi1/0/2
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 10 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0080.9ffc.aaa
Security Violation Count : 504

 

Regards

Boris
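To turn the three syslog messages quoted above into a per-port view (how many violation / err-disable / recover cycles each port went through, and which MAC addresses triggered them), here is an added Python example; it is not from the original post, and the sample log lines are constructed in the same message format with placeholder MAC addresses.

```python
import re
from collections import defaultdict

# Patterns for the three IOS syslog messages quoted in the post; the port
# name is captured without the trailing period IOS may append.
VIOLATION_RE = re.compile(
    r'%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, '
    r'caused by MAC address "?(?P<mac>[^"\s]+)"? on port (?P<port>[\w/]+)')
ERRDISABLE_RE = re.compile(
    r'%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[\w/]+)')
RECOVER_RE = re.compile(
    r'%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation '
    r'err-disable state on (?P<port>[\w/]+)')

def short_name(port):
    """Map 'GigabitEthernet2/0/2' and 'Gi2/0/2' to the same key."""
    return re.sub(r'^GigabitEthernet', 'Gi', port)

def summarise(lines):
    """Per-port counters: violations, err-disables, recoveries, MACs seen."""
    stats = defaultdict(lambda: {"violations": 0, "errdisable": 0,
                                 "recover": 0, "macs": set()})
    for line in lines:
        if m := VIOLATION_RE.search(line):
            s = stats[short_name(m["port"])]
            s["violations"] += 1
            s["macs"].add(m["mac"].lower())
        elif m := ERRDISABLE_RE.search(line):
            stats[short_name(m["port"])]["errdisable"] += 1
        elif m := RECOVER_RE.search(line):
            stats[short_name(m["port"])]["recover"] += 1
    return dict(stats)

def flapping_ports(stats, min_cycles=3):
    """Ports stuck in the err-disable / auto-recover loop described in the
    post: each cycle is a short outage for whatever hangs off that port."""
    return sorted(p for p, s in stats.items()
                  if min(s["errdisable"], s["recover"]) >= min_cycles)

# Constructed sample log in the post's message format; the MAC addresses and
# the Gi2/0/3 event are placeholders, not values from the thread.
_CYCLE = [
    '%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0004 on port GigabitEthernet2/0/2',
    '%PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/2, putting Gi2/0/2 in err-disable state',
    '%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi2/0/2',
]
SAMPLE_LOG = _CYCLE * 3 + [
    '%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0009 on port GigabitEthernet2/0/3']
```

Feed it the switch's real syslog lines instead of SAMPLE_LOG; `flapping_ports(summarise(lines))` lists the ports cycling through err-disable, and the `macs` set per port shows whether more than the configured maximum of 3 addresses is appearing behind the port.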


2 Replies

pieterh (VIP)

important question: "what has changed overnight"?

switchport port-security maximum 3
-> try "show mac address-table interface Gi1/0/2" (also for Gi2/0/2) to check if this limit is reached and what MAC addresses are found there
also check that no loop is connected between both ports

 

some other port settings drew my attention

- ip dhcp snooping trust -> this means there is a trusted DHCP server reachable via this port; why would you do this for an IP phone?
- switchport nonegotiate -> no need for a port already configured as an access port
- no mdix auto -> not necessary
only necessary for "old equipment" where router-router, router-switch, switch-switch, switch-endpoint
needed straight or crossed cabling; nowadays mostly straight cabling is used in combination with mdix auto
for client devices it's of no use to disable this

if the phones are Cisco IP phones
- no cdp enable -> enable cdp
- switchport access vlan 300 -> no voice vlan defined on purpose?

hi,

I guess most of the questions above were valid in case there is an IP phone directly connected;

I found out that on these ports, Gi1/0/2 and Gi2/0/2, a DECT phone system is directly connected, to which the phones are directly connected;

the phones are not Cisco but Avaya - that's why we use "no cdp enable"

on other ports, Gi2/0/3 for example, we have the same scenario but no issues;

 
