02-25-2013 03:06 AM - edited 03-07-2019 11:55 AM
Dear all,
This weekend I experienced really unusual behaviour on the network. It seems that 9 interfaces on different switches received the same MAC, and because of that port-security shut down these interfaces. I have ruled out MAC spoofing and a virus because we have checked, and all the computers were down all weekend.
Is there any possibility that almost all the switches on the network had trouble with their MAC address tables, and because of that port-security shut down the interfaces?
Thanks for your support,
A. Martín
EDIT: I forgot to add that this MAC is the original MAC of a host on the network.
02-25-2013 03:59 AM
Do you have port-security configured on the trunk?
Which IOS version?
I have never heard of that before, but you can check your MAC table with "sh mac address-table dynamic interface gig..."
What does your port-security config on the port look like?
02-25-2013 04:07 AM
Hello Sebastian,
I don't have port-security on the trunks.
This is the version on all the Catalyst 2960S: Version 12.2(55)SE3
And this is the version on all the Catalyst 4500 L3: Version 15.0(2)SG1
Everything in the MAC address table is fine on all the switches. The attacker MAC only appears on the trunk interface because it's connected to another switch on the network.
I enabled all the interfaces again, and right now it looks like this:
SAC#sh port-sec int Gi1/0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : XXXX.XXXX.XXXX
Security Violation Count : 0
The same MAC appears in "Last Source Address" on all the violated interfaces.
Maybe I should investigate MAC spoofing again; all of this seems pretty weird to me too.
Thanks for your support!
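The cross-check described in this post (the same "Last Source Address" on every violated interface), as an added example that is not part of the original thread: a Python script that parses saved "show port-security interface" captures and lists any MAC recorded on more than one shut-down port. The captures, hostnames, interfaces and MACs below are constructed, and the script assumes the port status reads Secure-shutdown while a port is err-disabled.

```python
import re
from collections import defaultdict

# Constructed sample: three captures in the format shown in the post above.
# Hostnames, interfaces, MACs and VLANs are made up for illustration.
SAMPLE = """\
SW1#sh port-sec int Gi1/0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
SW2#sh port-sec int Gi1/0/7
Port Status                : Secure-shutdown
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
SW2#sh port-sec int Gi1/0/9
Port Status                : Secure-up
Last Source Address:Vlan   : 00aa.bbcc.ddee:10
Security Violation Count   : 0
"""

PROMPT = re.compile(r"^(\S+)#\s*sh\S*\s+port-sec\S*\s+int\S*\s+(\S+)", re.I)
FIELD = re.compile(r"^(.+?)\s+:\s+(.*)$")
MAC = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)

def parse_ports(text):
    """Return one dict per captured interface, keyed by field name."""
    ports = []
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:  # a new capture starts at each "hostname#sh port-sec int X" line
            ports.append({"switch": m.group(1), "interface": m.group(2)})
        elif ports and (f := FIELD.match(line.strip())):
            ports[-1][f.group(1).strip()] = f.group(2).strip()
    return ports

def shared_violators(ports):
    """Last-source MACs recorded on more than one shut-down port."""
    hits = defaultdict(list)
    for p in ports:
        mac = MAC.search(p.get("Last Source Address:Vlan", ""))
        if mac and p.get("Port Status") == "Secure-shutdown":
            hits[mac.group(0).lower()].append((p["switch"], p["interface"]))
    return {mac: where for mac, where in hits.items() if len(where) > 1}

if __name__ == "__main__":
    for mac, where in shared_violators(parse_ports(SAMPLE)).items():
        print(mac, "->", where)
```

Run it against captures taken before the ports are re-enabled, so the status and last source address still reflect the violation.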
02-25-2013 06:07 AM
This is not possible. Somebody has physically done that.
Well, you can use
switchport port-security violation restrict
It will not let the port shut down; instead it will not allow any other MAC to do anything. It will only allow the bound MAC.