07-08-2011 05:37 AM - edited 03-07-2019 01:08 AM
Hi, I have a 3750 switch with the following config on its ports:
interface FastEthernet1/0/33
description VoIP Phone & PC User
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100
switchport mode trunk
switchport voice vlan 100
switchport port-security maximum 50
switchport port-security
switchport port-security violation restrict
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust dscp
auto qos voip trust
storm-control broadcast level 70.00
storm-control action shutdown
spanning-tree portfast trunk
end
When a user with a laptop plugs in on this port, I continuously get this error in the log:
Jul 8 14:35:57.372 utc: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.9bea.abe6 on port FastEthernet1/0/33.
The user is unable to access the network. Why is this? The way I see it, the violation should only occur when more than 50 unique mac-addresses are detected on this port, but this is in no way the case. When I disable port-security, the user can access the network.
This is not a single instance, but I tend to think it happens more with Dell laptops than with laptops from other brands.
Anyone seen this or has a clue on what might be happening here?
07-08-2011 10:24 AM
Anthony,
The %PORT_SECURITY-2-PSECURE_VIOLATION error is caused not only when the maximum number of MAC addresses is exceeded but also when the same MAC address is being learnt on two ports. From the logs, do you see MAC address '0021.9bea.abe6' on any port other than Fa1/0/33?
By default, aging time is disabled when port-security is enabled. If you think these laptops are mobile and being plugged into different ports, you can try setting up the aging time on the interfaces with port-security enabled.
3750(config-if)#switchport port-security
3750(config-if)#switchport port-security aging time
More information at:
Hope this helps. Let me know, how it goes.
Regards,
AJ.
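An added example, not part of the thread: a small Python script that parses %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines like the one above and flags any MAC that was reported on more than one port, which is the "same MAC learnt on two ports" case AJ describes. The log lines are constructed samples; only 0021.9bea.abe6 on Fa1/0/33 comes from the thread, the other MACs, ports and timestamps are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the message in the thread.
# Only the first MAC/port pair is from the thread; the rest are invented.
SAMPLE_LOG = """\
Jul 8 14:35:57.372 utc: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.9bea.abe6 on port FastEthernet1/0/33.
Jul 8 14:36:02.101 utc: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.9bea.abe6 on port FastEthernet1/0/33.
Jul 8 09:12:44.500 utc: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.9bea.abe6 on port FastEthernet1/0/12.
Jul 8 10:01:03.210 utc: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c11.2233 on port FastEthernet1/0/40.
"""

# Matches the Cisco dotted-quad MAC format and an interface name such as FastEthernet1/0/33.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port "
    r"(?P<port>[A-Za-z]+\d+(?:/\d+)*)"
)

def parse_violations(log_text):
    """Return a list of (mac, port) tuples, one per PSECURE_VIOLATION line."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group("mac"), m.group("port")))
    return events

def ports_per_mac(events):
    """Map each violating MAC to the set of ports it was reported on."""
    seen = defaultdict(set)
    for mac, port in events:
        seen[mac].add(port)
    return seen

def roaming_macs(events):
    """MACs reported on more than one port: with aging disabled (the default), the
    stale secure entry on the old port makes the new port report a violation."""
    return {mac: sorted(ports) for mac, ports in ports_per_mac(events).items()
            if len(ports) > 1}

def classify_violations(events):
    """Label each event 'roaming' when its MAC also appears on another port, else
    'check-maximum' (compare learned vs. maximum in 'show port-security interface')."""
    roaming = roaming_macs(events)
    return [(mac, port, "roaming" if mac in roaming else "check-maximum")
            for mac, port in events]

if __name__ == "__main__":
    for mac, port, cause in classify_violations(parse_violations(SAMPLE_LOG)):
        print(f"{mac} on {port}: {cause}")
```

Feed it the output of `show logging` to see at a glance whether a violating MAC has been seen elsewhere on the switch before touching the maximum or aging settings.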
07-08-2011 05:44 AM
You have configured port security on a trunk port. This is not allowed:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s6.html#wp1033679
As you can see from the command reference, a secure port cannot be a trunk.
Is there a particular reason you have a trunk configured?
If you only need voice and data on a PC, you do not need to configure a trunk.
Please rate this post if helpful
07-08-2011 05:54 AM
If your IOS supports trunks, you can check the status of port security and the number of MAC addresses learned on the interface:
show port-security interface fa1/0/33
show port-security address will display all the secure MAC addresses on the switch.
If you have maxed out, you can clear the MAC addresses with the following command:
clear port-security
07-08-2011 07:06 AM
We have voip desktop phones (alcatel) plugged between port and pc. The trunk is as it was configured when the voip phones were rolled out.
It is a working configuration, except in the case of some laptops, which seem to be more Dell than anything else.
The number of mac-addresses learnt is in no way near the configured maximum and there is currently only one learnt address on this particular port.
I have removed the trunk from the port, but cannot test as the user with the Dell laptop has left already. We do not have many users with a Dell laptop...
07-08-2011 09:50 AM
Hi, probably the OS adapter settings. Try removing the validate checkbox on the peap settings.
07-11-2011 04:29 AM
Isn't that an option for wireless security (802.1x)? I've been searching for this in the wired connection properties, but there's nothing related to PEAP in there.
07-11-2011 04:47 AM
That could be an issue. I know MAC addresses can only exist on one port simultaneously, but I didn't realize learnt/dynamic MAC addresses are not automatically removed when inactive.
I have now configured the aging time from the default value of 0 to 5 (minutes), we'll see how it goes.
Thanks!
07-25-2011 02:00 AM
It did indeed appear to be the problem. When you use port-security, MAC addresses are kept indefinitely unless aging is configured.
Thanks!