05-25-2012 07:48 AM - edited 03-07-2019 06:54 AM
Hi,
We got a bunch of port-sec violations on port fa1/0/42. After checking the logs, we noticed that the MAC address responsible for generating the alert was not one, but many.
We asked the user; he said he only restarted his computer.
The MAC addresses happen to be existing MACs on the network.
How is it possible that a port-sec violation is made by many MAC addresses on the same port, successively? Has anybody experienced this same issue?
Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.
Thanks,
Wass
05-25-2012 07:56 AM
Hi,
Are you sure it was a PC connected there during the issue? Could it be a switch or a wireless access point plugged in there for a short time?
Kind Regards,
Ivan
**Please grade this post if you find it useful.
05-25-2012 09:03 AM
Yes, we're sure. Users have no right to insert any device whatsoever into the network.
05-25-2012 09:11 AM
It could also be that someone purchased a hub and connected it to the network.
05-25-2012 09:23 AM
@Ivan and Reza: what you're saying is true in general, I agree with you. However, this particular user is one row away from my desk, I did not see him insert any device into the network. Besides, we collaborate on a trust basis since we are in the same department.
The issue appeared as soon as he restarted his computer. Does the switch keep a history of past known MAC addresses on a given port?
05-25-2012 09:36 AM
Wass,
The switch does not keep track of past MAC addresses. You may be able to look at the syslog server and find further info.
Does this person's system have only one NIC or multiple?
05-25-2012 10:07 AM
MAC address 6416.8dbb.930e belongs to Cisco
78e3.b58f.1011 belongs to HP
0018.1000.30f9 & belongs to IPTrade S.A
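The thread's syslog lines and the OUI lookup above can be turned into a small check that extracts every PSECURE_VIOLATION event, tags each MAC with its vendor, and flags a port on which several distinct MACs violate within a short window (the pattern that suggests a hub, access point or MAC flooding rather than a single rebooted PC). This is an added example, not code from the original posts; the sample log is the four lines quoted in the thread with the notification prefix removed, and the OUI table holds only the three vendors named above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four PSECURE_VIOLATION lines from the thread, without the
# "Syslog message generated from device ..." wrapper added by the notification tool.
SAMPLE_LOG = """\
May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.
May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.
May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.
May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.
"""

# OUI (first 24 bits, Cisco dotted form) to vendor, as stated by posters in this
# thread; a real deployment would load the IEEE OUI registry instead.
OUI_VENDOR = {"6416.8d": "Cisco", "78e3.b5": "HP", "0018.10": "IPTrade S.A"}

# Match the device's own timestamp (after the sequence number), the MAC and the port.
VIOLATION_RE = re.compile(
    r"^\w{3} +\d+ [\d:.]+ \S+ \d+: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ \w+: "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)

def parse_violations(text):
    """Return (timestamp, mac, port) for every PSECURE_VIOLATION line in text."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog time
            events.append((ts, m["mac"], m["port"]))
    return events

def vendor(mac):
    """Vendor name for a Cisco-format MAC, or 'unknown' if the OUI is not in the table."""
    return OUI_VENDOR.get(mac[:7], "unknown")

def flag_multi_mac_ports(events, window_s=60, min_macs=2):
    """Ports on which at least min_macs distinct MACs violated within window_s seconds.
    A single MAC repeating is an ordinary violation; a burst of different MACs on one
    access port is what the thread is asking about and deserves a closer look."""
    by_port = defaultdict(list)
    for ts, mac, port in events:
        by_port[port].append((ts, mac))
    flagged = {}
    for port, evs in by_port.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window starting at each event
            macs = {mac for t, mac in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(macs) >= min_macs:
                flagged[port] = sorted(macs)
                break
    return flagged
```

Run against the sample, the four MACs arrive within 34 seconds on FastEthernet1/0/42, so the port is flagged with all four; with a 5-second window no two of them fall together and nothing is flagged.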
05-25-2012 11:02 AM
Hi,
Try to check whether the PC is infected by a virus that can cause MAC flooding.
06-01-2012 12:45 AM
Reza, there's only one NIC on the PC.
Jong, part of the corporate security policy is to have each PC scanned for viruses and updated with the latest security patches every night. Besides, each viral infection is reported to a central console. So this assumption is weak.
Wass