
many MAC addresses on same port

Wassim Aouadi
Level 4

Hi,

We got a bunch of port-sec violations on port fa1/0/42. After checking the logs, we noticed that the MAC address responsible for generating the alert was not one, but many.
We asked the user; he said he only restarted his computer.

The MAC addresses happen to be existing MACs on the network.

How is it possible that a port-sec violation is made by many MAC addresses on the same port, successively? Has anybody experienced this same issue?

Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.

Thanks,

Wass

8 Replies

Ivan Shirshin
Cisco Employee

Hi,

Are you sure it was a PC connected there during the issue? Could it be a switch or wireless access point plugged in there for a short time?

Kind Regards,
Ivan

**Please grade this post if you find it useful.

Yes, we're sure. Users have no right to insert any device whatsoever into the network.

It could also be that someone purchased a hub and connected it to the network.

@Ivan and Reza: what you're saying is true in general, I agree with you. However, this particular user is one row away from my desk, I did not see him insert any device into the network. Besides, we collaborate on a trust basis since we are in the same department.

The issue appeared as soon as he restarted his computer. Does the switch keep a history of past known MAC addresses on a given port?

Wass,

The switch does not keep track of past MAC addresses. You may be able to look at the syslog server and find further info.

Does this person's system have only one NIC or multiple?

MAC address 6416.8dbb.930e belongs to Cisco

78e3.b58f.1011 belongs to HP

0018.1000.30f9 & belongs to IPTrade S.A

Hi,

Try to check if the PC is infected by a virus that can cause MAC flooding.

Reza, there's only one NIC on the PC.

Jong, part of the corporate security policy is to have each PC scanned against viruses and updated with the latest security patches, each night. Besides, each viral infection is reported to a central console. So this assumption is weak.

Wass
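
One way to summarise violations like these from a syslog export, as an added example that is not part of any post in this thread: it groups `PSECURE_VIOLATION` messages by port and reports ports where several distinct MAC addresses violated within a short window. The function names, the 5-minute default window and the placeholder year are assumptions made for this illustration; the sample lines are the four quoted in the original question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four syslog lines quoted in the original question (no values invented).
SAMPLE_LOG = """\
Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.
"""

# Matches the switch's own timestamp (the one with milliseconds), MAC and port.
VIOLATION = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\.\d+ \w+: "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>[\w/]+)",
    re.IGNORECASE,
)

def parse_violations(text, year=2000):
    """Yield (timestamp, port, mac). Syslog has no year; `year` is a placeholder."""
    for m in VIOLATION.finditer(text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["port"], m["mac"].lower()

def multi_mac_ports(text, window=timedelta(minutes=5), min_macs=2):
    """Return {port: sorted MACs} where >= min_macs distinct MACs violated
    on the same port inside any sliding time window of length `window`."""
    by_port = defaultdict(list)
    for ts, port, mac in parse_violations(text):
        by_port[port].append((ts, mac))
    flagged = {}
    for port, events in by_port.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            macs = {mac for _, mac in events[start:end + 1]}
            if len(macs) >= min_macs:
                flagged.setdefault(port, set()).update(macs)
    return {port: sorted(macs) for port, macs in flagged.items()}

if __name__ == "__main__":
    for port, macs in multi_mac_ports(SAMPLE_LOG).items():
        print(f"{port}: {len(macs)} distinct violating MACs -> {', '.join(macs)}")
```
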
