11-29-2024 03:45 PM
A few days ago, I was contacted by our security department reporting several IP cameras were down. Upon inspection, I discovered 7 ports in an err_disable state. Looking at the logs, I found the following entries:
Nov 26 13:47:11 PST: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi7/0/30, putting Gi7/0/30 in err-disable state
Nov 26 13:47:11 PST: %PORT_SECURITY-2-PSECURE_VIOLATION_MAC_MOVE: Security violation occurred, caused by MAC address 0800.1011.9fe5 on port GigabitEthernet7/0/34 attempting to access port GigabitEthernet7/0/30.
Nov 26 13:47:12 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet7/0/30, changed state to down
I checked interface gi7/0/34 and found two different MAC addresses on the port. One address was the camera connected to that interface. The other was the MAC address listed in the log entry above. I shut/no shut each interface and they all came back up correctly. In checking interface gi7/0/34 following the shutdown, it only lists one MAC address.
Any thoughts as to what occurred?
As a side note, all of the cameras are mounted in the ceiling with no easy physical access.
11-29-2024 04:09 PM
This MAC address 0800.1011.9fe5 does not belong to any vendor. Hard to say anything.
Was there any change on the network?
11-29-2024 04:12 PM
No network changes. I also discovered it was an invalid MAC. This is what makes it so mysterious.
11-29-2024 04:14 PM
Is this happening all throughout the network or just one (or a few) switches?
11-29-2024 04:16 PM
Just this one switch, and just this one incident. The switch has been up for about 2 months (a relatively new install replacing a C4506). The cameras have been in place for about 2 years.
11-29-2024 05:13 PM
If this happened to just one switch, please post the complete output to the command "sh version".
I want to see the firmware version, the model of the switch and the uptime.
11-29-2024 05:16 PM
Any possibility someone disconnected the camera connections and tried connecting another device?
What was the time interval between the various ports going disabled?
As to the mystery MAC being from an unknown vendor, possibly it was an LAA MAC.
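Added example, not part of any post in this thread: a small Python parser for the PSECURE_VIOLATION_MAC_MOVE message quoted in the first post. It extracts the MAC and both ports, then tests the locally administered (U/L) and group (I/G) bits of the first octet, which is the check the LAA question above comes down to. The function names are illustrative, and the sample log is the three lines copied from the first post.

```python
import re

# Log lines copied from the first post of the thread.
SAMPLE_LOG = """\
Nov 26 13:47:11 PST: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi7/0/30, putting Gi7/0/30 in err-disable state
Nov 26 13:47:11 PST: %PORT_SECURITY-2-PSECURE_VIOLATION_MAC_MOVE: Security violation occurred, caused by MAC address 0800.1011.9fe5 on port GigabitEthernet7/0/34 attempting to access port GigabitEthernet7/0/30.
Nov 26 13:47:12 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet7/0/30, changed state to down
"""

MAC_MOVE = re.compile(
    r"^(?P<time>.+?): %PORT_SECURITY-2-PSECURE_VIOLATION_MAC_MOVE: .*?"
    r"MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"on port (?P<seen_on>\S+) attempting to access port (?P<secured_on>\S+)",
    re.MULTILINE,
)


def classify_mac(mac):
    """Return the OUI and the two flag bits of the first octet."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if len(digits) != 12 or not all(c in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first_octet = int(digits[:2], 16)
    return {
        "oui": digits[:6],
        "locally_administered": bool(first_octet & 0x02),  # U/L bit
        "group": bool(first_octet & 0x01),                 # I/G bit
    }


def parse_mac_moves(text):
    """Extract every MAC-move violation with its ports and MAC flags."""
    events = []
    for m in MAC_MOVE.finditer(text):
        event = {
            "time": m["time"],
            "mac": m["mac"].lower(),
            "seen_on": m["seen_on"],                      # port where the MAC showed up
            "secured_on": m["secured_on"].rstrip("."),    # port that already secured it
        }
        event.update(classify_mac(event["mac"]))
        events.append(event)
    return events


if __name__ == "__main__":
    for e in parse_mac_moves(SAMPLE_LOG):
        print(e)
```

Run over a full syslog export, the same parser lists every MAC-move violation with its timestamp, which also gives the interval between ports going err-disabled.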
11-29-2024 09:46 PM
do
show port-security address <<- check if the MAC is learned on a switch port other than g7/0/30
also share
show port-security interface g7/0/30
MHM