Issue is happening on 2960s, and 2960Xs
I am seeing this error message in my log:
Jan 17 2021 19:04:28.725 CST: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/11, putting Gi1/0/11 in err-disable state
Jan 17 2021 19:04:28.730 CST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5c00.10ab on port GigabitEthernet1/0/11.
Jan 17 2021 19:04:29.731 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to down
On a port that is programmed as follows:
description Data D53 RM10-Lab
switchport access vlan 105
switchport mode access
no snmp trap link-status
storm-control broadcast level bps 1m 500k
storm-control action shutdown
no cdp enable
spanning-tree bpduguard enable
and after a shut/no shut I see this in show port-security address (notice the MAC addresses don't match):
105 54bf.645d.50e2 SecureDynamic Gi1/0/11
This is happening every couple weeks on different switches across many buildings. I have a feeling it is happening because the machine is entering hibernation and flaps after hours checking for updates, but does not happen all the time.
Thanks for responding, marce!
I understand that the limit is set to one. What I don't understand is why there are only so few violations. I have 1000+ ports programmed the same way and receive this error a couple of times a month. I can log on to any given switch and see ports flapping after hours.
Would I be better off upping the limit to 2 or issue a restart after 5 mins? Seems to me that is defeating the purpose of using port security!
- The port policy depends on your intranet security requirements and needs. Single devices use one MAC and will have no problem with such a port. But as stated in the other reply, things become different when virtualization solutions are behind a port, or a load-balancing setup is used with another device on the network; you must qualify port settings per case accordingly.
The device connected to this port in question is a Dell PC. In the logs leading up to the violation I can see the port flap without issue. Just don't know why it randomly decides to throw a different MAC address.
This happens after hours with the school locked. I will check other buildings to see how close the "new MAC" address is.
Ref : https://macvendors.com/
When using this app, it is seen that the violating MAC address belongs to this vendor: TELEMATICS INTERNATIONAL INC. -> This may help you in tracking down and finding the particular device.
CST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5c00.10ab on port GigabitEthernet1/0/11.
This is because the MAC address changed; port security kicked in and disabled the port.
What is the device connected to that port? An end device, a switch, or any ESXi host?
Post the output below:
#show port-security interface Gi1/0/11
Configure the suggestion below to fix the issue - test and advise.
#switchport port-security aging time
#switchport port-security maximum 3 (you can allow more MAC addresses if required to mitigate the issue)
More information at:
*** Rate All Helpful Responses ***
SecureDynamic without aging means the MAC is not removed from the port-security address table, and if you configure the maximum MAC count equal to 1, then this disables the port.
Please configure an aging time to make the switch remove the previous MAC address and learn the new one.
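As an added example (not code from any poster in this thread), the following Python script parses syslog lines like the ones quoted in the original post, extracts the violating MAC and its OUI, and checks it against the SecureDynamic entry from show port-security address to confirm the "MAC changed with maximum 1 and no aging" condition described in the last reply. The syslog text and the table rows are constructed from the values quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on those quoted in the thread.
SYSLOG = """\
Jan 17 2021 19:04:28.725 CST: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/11, putting Gi1/0/11 in err-disable state
Jan 17 2021 19:04:28.730 CST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5c00.10ab on port GigabitEthernet1/0/11.
Jan 17 2021 19:04:29.731 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/11, changed state to down
"""

# Constructed 'show port-security address' rows: (vlan, mac, type, interface)
SECURE_TABLE = [
    ("105", "54bf.645d.50e2", "SecureDynamic", "Gi1/0/11"),
]

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-fA-F.]+) on port ([A-Za-z]+[\d/]+)")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on ([A-Za-z]+[\d/]+),")

def short_ifname(name):
    """Normalise 'GigabitEthernet1/0/11' to the 'Gi1/0/11' form used in show output."""
    return re.sub(r"^GigabitEthernet", "Gi", name)

def oui(mac):
    """Return the 24-bit OUI of a dotted Cisco-style MAC as 'xx:xx:xx' (vendor lookup key)."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 6, 2))

def correlate(syslog_text, secure_table):
    """Pair each violation with the MAC(s) the port had secured and the err-disable event."""
    secured = defaultdict(set)
    for _vlan, mac, _type, iface in secure_table:
        secured[iface].add(mac.lower())
    err_disabled = set()
    events = []
    for line in syslog_text.splitlines():
        if m := ERRDISABLE_RE.search(line):
            err_disabled.add(short_ifname(m.group(1)))
        elif m := VIOLATION_RE.search(line):
            events.append((m.group(1).lower(), short_ifname(m.group(2))))
    report = []
    for mac, port in events:
        known = secured.get(port, set())
        report.append({
            "port": port,
            "violating_mac": mac,
            "violating_oui": oui(mac),            # feed this to an OUI/vendor lookup
            "secured_macs": sorted(known),
            "mac_changed": mac not in known,      # new MAC with max 1 and no aging => shutdown
            "err_disabled": port in err_disabled,
        })
    return report
```

Run over a day's syslog export, a report entry with mac_changed and err_disabled both true is exactly the case the thread describes; the OUI field is what to look up on the vendor site mentioned above.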