03-12-2019 04:08 AM
Hi,
I am having trouble with a switch stack that has ports that keep becoming errdisabled due to port security. Each switchport is connected to an Avaya phone which is then connected to a laptop, so there should be only 2 MAC addresses being learnt per port. Below is the config of one of the ports that became errdisabled; all user ports are configured identically:
interface GigabitEthernet1/0/31
 description sp1-phone-user
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 80
 switchport port-security maximum 5
 switchport port-security aging time 1
 switchport port-security
 no logging event link-status
 no logging event power-inline-status
 trust device cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
And auto recovery is configured as follows:
errdisable recovery cause psecure-violation
errdisable recovery interval 1800
The switch stack config is as follows:
Switch Ports Model          SW Version  SW Image               Mode
------ ----- -----          ----------  ----------             ----
*    1 52    WS-C3650-48PD  03.06.04.E  cat3k_caa-universalk9  INSTALL
     2 52    WS-C3650-48PD  03.06.04.E  cat3k_caa-universalk9  INSTALL
     3 52    WS-C3650-48PD  03.06.04.E  cat3k_caa-universalk9  INSTALL
And this is shown in the logs:
Mar 11 13:13:16.241: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Mar 11 13:13:16.247: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 54e1.ad7e.7179 on port GigabitEthernet1/0/31.
Mar 11 13:43:16.245: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi1/0/31
We have this exact same setup (but with only 2 switches in the stack) in another office and we are not experiencing any problems there. Does anyone have an idea as to what could be causing it? Please let me know if any more information is required.
Cheers!
03-12-2019 05:34 AM
Hello @paolsolar-7
Could you provide output from: show mac address-table | inc 54e1.ad7e.7179
Check if this MAC was learned on other ports on your switch; if yes, disable this port to clear the MAC address and enable it again. After that, test your phone on the new port.
I had these symptoms months ago, because the MAC address had already been learned by another port.
03-12-2019 04:41 AM
03-13-2019 08:11 AM
Hi
Thanks for the reply. I've asked if there were any VMs running on this machine and I've been told there aren't. Unfortunately in the office in question there is a local tech support guy who just re-patches the port as soon as it goes down, so running "show mac address-table interface gx/x/x" won't show anything unless I get to do it as soon as the issue is reported.
Thanks for your help, if you have any suggestions please let me know. In the meantime I've asked the local tech to not re-patch should this happen again so I can see what's happening as it happens. Will post an update when I get more information.
Cheers.
03-13-2019 08:46 AM
03-13-2019 08:14 AM
Hi Jaderson,
I've tried running that command but nothing is showing up, I presume the user has taken their laptop home or something. When I get another report of this I will run this command to see if the MAC is showing up elsewhere and post the results. Thanks for the information.
Cheers.
03-13-2019 08:54 AM
Great,
Please, if possible, mark all posts that helped you as solved and helpful.
Regards,
03-13-2019 09:16 AM
It might provide some insight if the original poster would post the output of show mac address table for that port so that we can see how many mac addresses, and what mac addresses are associated with that port. Is it possible that there are too many mac addresses on the port, or is there something about the particular mac address? So perhaps one step in troubleshooting would be a periodic show mac address table looking for that particular mac address.
HTH
Rick
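The check suggested in the replies above, as an added example that is not part of the original thread: it pulls the violating MAC and port out of the syslog lines quoted in the first post and looks for that MAC on other ports in "show mac address-table" output. The MAC table text is constructed sample data, and the function names are hypothetical.

```python
import re

# Syslog lines quoted in the first post of the thread.
SYSLOG = """\
Mar 11 13:13:16.241: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/31, putting Gi1/0/31 in err-disable state
Mar 11 13:13:16.247: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 54e1.ad7e.7179 on port GigabitEthernet1/0/31.
Mar 11 13:43:16.245: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi1/0/31
"""
# Constructed "show mac address-table" output (sample data, not from the thread).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    54e1.ad7e.7179    STATIC      Gi2/0/14
  80    0004.0dff.0001    STATIC      Gi1/0/31
 100    a0b1.c2d3.e4f5    DYNAMIC     Gi1/0/7
"""
MAC = r"([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})"
VIOLATION = re.compile(
    r"PSECURE_VIOLATION: .*MAC address " + MAC + r" on port (\S+?)\.?$", re.I)
ENTRY = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\S+)\s+(\S+)\s*$", re.I)

def short_name(port):
    """Normalise GigabitEthernet1/0/31 to Gi1/0/31 so log and table names compare."""
    return re.sub(r"^GigabitEthernet", "Gi", port)

def violations(syslog):
    """Return (mac, port) for every port-security violation message."""
    hits = (VIOLATION.search(line) for line in syslog.splitlines())
    return [(m.group(1).lower(), short_name(m.group(2))) for m in hits if m]

def learned_on(mac_table):
    """Map each MAC to the set of (vlan, port) entries the switch holds for it."""
    seen = {}
    for line in mac_table.splitlines():
        m = ENTRY.match(line)
        if m:
            seen.setdefault(m.group(2).lower(), set()).add((int(m.group(1)), m.group(4)))
    return seen

def mac_on_other_ports(syslog, mac_table):
    """For each violation, list ports other than the violating one that hold the MAC."""
    table = learned_on(mac_table)
    return {(mac, port): sorted(p for _, p in table.get(mac, ()) if p != port)
            for mac, port in violations(syslog)}

if __name__ == "__main__":
    for (mac, port), others in mac_on_other_ports(SYSLOG, MAC_TABLE).items():
        print(f"{mac} violated on {port}; also learned on: {others or 'no other port'}")
```

An empty list for a violation means the MAC was not found on any other port in the captured table, which only tells you something if the capture was taken while the laptop was still connected.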