Port-security errors, but why?

Isegrimm24
Level 1

Hi, I have a 3750 switch with the following config on its ports:

interface FastEthernet1/0/33
 description VoIP Phone & PC User
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 switchport voice vlan 100
 switchport port-security maximum 50
 switchport port-security
 switchport port-security violation restrict
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 priority-queue out
 mls qos trust dscp
 auto qos voip trust
 storm-control broadcast level 70.00
 storm-control action shutdown
 spanning-tree portfast trunk
end

When a user with a laptop plugs in on this port, I continuously get this error in the log:

Jul  8 14:35:57.372 utc: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.9bea.abe6 on port FastEthernet1/0/33.

The user is unable to access the network. Why is this? The way I see it, the violation should only occur when more than 50 unique mac-addresses are detected on this port, but this is in no way the case. When I disable port-security, the user can access the network.

This is not a single instance, but I tend to think it happens more with Dell laptops than with laptops from other brands.

Anyone seen this or has a clue on what might be happening here?

8 Replies

p.mcgowan
Level 3

You have configured port security on a trunk port. This is not allowed:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s6.html#wp1033679

As you can see from the command reference, a secure port cannot be a trunk.

Is there a particular reason you have a trunk configured?

If you only need voice and data on a PC, you do not need to configure a trunk.

Please rate this post if helpful

If your IOS supports trunks, you can check the status of port security and the number of MAC addresses learned on the interface:

show port-security interface fa1/0/33

show port-security address will display all the secure MAC addresses on the switch.

If you have maxed out, you can clear the dynamically learned MAC addresses with the following command:

clear port-security dynamic

We have VoIP desktop phones (Alcatel) plugged in between the port and the PC. The trunk is as it was configured when the VoIP phones were rolled out.

It is a working configuration, except in the case of some laptops, which seem to be more Dell than anything else.

The number of MAC addresses learnt is nowhere near the configured maximum, and there is currently only one learnt address on this particular port.

I have removed the trunk from the port, but cannot test as the user with the Dell laptop has left already. We do not have many users with a Dell laptop...

kevinm2264
Level 1

Hi, probably the OS adapter settings. Try removing the validate checkbox in the PEAP settings.

Isn't that an option for wireless security (802.1x)? I've been searching for this in the wired connection properties, but there's nothing related to PEAP in there.

ajasti (Accepted Solution)
Level 1

Anthony,

The %PORT_SECURITY-2-PSECURE_VIOLATION error is caused not only when the maximum number of MAC addresses is exceeded but also when the same MAC address is learnt on two ports. From the logs, do you see MAC address '0021.9bea.abe6' being seen on any other port than Fa1/0/33?

By default, aging time is disabled when port-security is enabled. If you think these laptops are mobile and being plugged into different ports, you can try setting up the aging time on the interfaces with port-security enabled.

3750(config-if)#switchport port-security
3750(config-if)#switchport port-security aging time 

More information at:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/command/reference/cli3.html#wp1948525


Hope this helps. Let me know, how it goes.

Regards,
AJ.
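To make the mechanism AJ describes concrete, here is a small Python model of a switch's secure-MAC table. This is an added example written for this page; it is not code from the thread and not Cisco's implementation. It assumes a simplified version of the documented port-security rules: a new MAC beyond `maximum` is a violation, a MAC already secured on another secure port is a violation on the port it now appears on (even when that port is far below its maximum), and with the IOS default of `aging time 0` dynamic secure MACs are never removed. Port names other than Fa1/0/33, the "hour later" timing, the second port and the `maximum 1` scenario are constructed sample data. The `aging type` knob mirrors `switchport port-security aging type {absolute | inactivity}`, whose IOS default is absolute.

```python
"""Simplified model of Catalyst port-security secure-MAC handling.

Added example (not from the thread, not Cisco code). Rules modelled:
  * a port holding `maximum` secure MACs treats the next new MAC as a violation;
  * a MAC already secured on another secure port is a violation on this port,
    regardless of how far this port is below its maximum;
  * with the default 'aging time 0' a dynamic secure MAC is never removed, so a
    laptop that moves between ports keeps violating until aging is configured.
Port names (other than Fa1/0/33), minute timestamps and the second port are
constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    aging_time: int = 0            # minutes; 0 = aging disabled (IOS default)
    aging_type: str = "absolute"   # "absolute" (IOS default) or "inactivity"
    violation: str = "restrict"    # "protect" | "restrict" | "shutdown"
    secure_macs: dict = field(default_factory=dict)  # mac -> [learned_at, last_seen]
    log: list = field(default_factory=list)          # syslog lines emitted by this port
    err_disabled: bool = False


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, port):
        self.ports[port.name] = port

    def _age(self, now):
        """Drop secure MACs whose aging timer expired (no-op when aging_time is 0)."""
        for p in self.ports.values():
            if p.aging_time == 0:
                continue
            for mac in list(p.secure_macs):
                learned, seen = p.secure_macs[mac]
                ref = learned if p.aging_type == "absolute" else seen
                if now - ref >= p.aging_time:
                    del p.secure_macs[mac]

    def _secured_elsewhere(self, mac, port):
        return any(mac in p.secure_macs for p in self.ports.values() if p is not port)

    def frame(self, port_name, mac, now):
        """Ingress frame with source `mac` on `port_name` at minute `now`.
        Returns "forward", "violation" or "dropped" (port is err-disabled)."""
        self._age(now)
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped"
        if mac in port.secure_macs:
            port.secure_macs[mac][1] = now      # refresh last-seen for inactivity aging
            return "forward"
        if self._secured_elsewhere(mac, port) or len(port.secure_macs) >= port.maximum:
            return self._violate(port, mac)
        port.secure_macs[mac] = [now, now]
        return "forward"

    def _violate(self, port, mac):
        msg = (f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
               f"caused by MAC address {mac} on port {port.name}.")
        if port.violation == "restrict":
            port.log.append(msg)            # restrict: drop frame, log, port stays up
        elif port.violation == "shutdown":
            port.log.append(msg)
            port.err_disabled = True        # shutdown: port goes err-disabled
        # protect: drop silently, nothing logged
        return "violation"


def demo_laptop_moves(aging_time=0, aging_type="absolute"):
    """Constructed scenario: the laptop MAC from the post is first seen on Fa1/0/30,
    then plugged into Fa1/0/33 an hour later. Both ports allow 50 MACs."""
    sw = Switch()
    for name in ("Fa1/0/30", "Fa1/0/33"):
        sw.add_port(SecurePort(name, maximum=50, aging_time=aging_time,
                               aging_type=aging_type))
    laptop = "0021.9bea.abe6"
    first = sw.frame("Fa1/0/30", laptop, now=0)
    second = sw.frame("Fa1/0/33", laptop, now=60)
    return first, second, sw.ports["Fa1/0/33"].log


def demo_maximum_exceeded(violation="shutdown"):
    """Constructed scenario: a 'maximum 1' port sees a second MAC. With 'shutdown'
    the port err-disables, so even the first (secure) MAC is dropped afterwards."""
    sw = Switch()
    sw.add_port(SecurePort("Fa1/0/1", maximum=1, violation=violation))
    return (sw.frame("Fa1/0/1", "0000.0000.0001", 0),
            sw.frame("Fa1/0/1", "0000.0000.0002", 1),
            sw.frame("Fa1/0/1", "0000.0000.0001", 2))


if __name__ == "__main__":
    print(demo_laptop_moves(aging_time=0))   # second frame is a violation, one log line
    print(demo_laptop_moves(aging_time=5))   # ('forward', 'forward', [])
    print(demo_maximum_exceeded())           # ('forward', 'violation', 'dropped')
```

The first call reproduces the symptom in the post: Fa1/0/33 has a single MAC and `maximum 50`, yet the laptop is refused because its address is still secured on the port it used earlier. Setting a non-zero aging time lets the stale entry expire before the laptop reappears. Absolute aging re-learns every address every N minutes even while it is in use; inactivity aging only clears addresses that have gone quiet, which is usually the intent when the goal is to let roaming laptops move between ports.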

That could be an issue. I know MAC addresses can only exist on one port simultaneously, but I didn't realize learnt/dynamic MAC addresses are not automatically removed when inactive.

I have now configured the aging time from the default value of 0 to 5 minutes; we'll see how it goes.

Thanks!

It indeed appeared to be the problem. When you use port security, MAC addresses are kept indefinitely unless aging is configured.

Thanks!
