cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
217
Views
0
Helpful
7
Replies

multiple ports in err_disable

A few days ago, I was contacted by our security department reporting several IP cameras were down.  Upon inspection, I discovered 7 ports in an err_disable state.  Looking at the logs, I found the following entries:

Nov 26 13:47:11 PST: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi7/0/30, putting Gi7/0/30 in err-disable state
Nov 26 13:47:11 PST: %PORT_SECURITY-2-PSECURE_VIOLATION_MAC_MOVE: Security violation occurred, caused by MAC address 0800.1011.9fe5 on port GigabitEthernet7/0/34 attempting to access port GigabitEthernet7/0/30.
Nov 26 13:47:12 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet7/0/30, changed state to down

I checked interface gi7/0/34 and found two different MAC addresses on the port.  One address was the camera connected to that interface.  The other was the MAC address listed in the log entry above.  I shut/no shut each interface and they all came back up correctly.  In checking interface gi7/0/34 following the shutdown, it only lists one MAC address.

any thoughts as to what occurred?

As a side note, all of the cameras are mounted in the ceiling with no easy physical access.

7 Replies 7

@gaylanddurrett3010 

This Mac address 0800.1011.9fe5 does not belong to any vendor. Hard to say anything.

 Was there any change on the network?

No network changes.  I also discovered it was an invalid MAC.  This is what makes it so mysterious.  

Leo Laohoo
Hall of Fame
Hall of Fame

Is this happening all throughout the network or just one (or a few) switches?

Just this one switch, and just this one incident.  The switch has been up for about 2 months (a relatively new install replacing a C4506).  The cameras have been in place for about 2 years.

If this happened to just one switch, please post the complete output to the command "sh version". 

I want to see the firmware version, the model of the switch and the uptime.  

Any possibility someone disconnected the camera connections and tried connecting another device?

What was the time interval between the various ports going disabled?

As to mystery MAC being from an unknown vendor, possibly it was a LAA MAC.

do 

show port security address <<- check if the Mac is learn in other port SW different than g7/0/30

also share 

show port secuirty interface g7/0/30

MHM

 

Review Cisco Networking for a $25 gift card