Port-security troubles

alberto.martin
Level 1

Dear all,

This weekend I experienced a really unusual behaviour on the network. It seems like 9 interfaces on different switches received the same MAC and because of that port-security shut down these interfaces. I discarded MAC spoofing and a virus because we have checked and all the computers were down all weekend.

Could there be any possibility that almost all the switches of the network got troubles in their MAC address table and because of that port-security shut down the interfaces?

Thanks for your support,

A. Martín

EDIT: I forgot to add that this MAC is the original MAC of a host on the network.

3 Replies

Do you have port-security configured in the Trunk?

Which IOS Version?

I never heard that before, but you can check your MAC table with "sh mac address-table dynamic interface gig..."

How does your port-security config look on the port?

Hello Sebastian,

I don't have the port-security on the trunks.

That's the version from all the Catalyst 2960S: Version 12.2(55)SE3

And that's the version from all the Catalyst 4500 L3: Version 15.0(2)SG1

Everything in the mac address-table is fine on all the switches. The attacker MAC just appears on the trunk interface because it's connected on another switch of the network.

I enabled all the interfaces again, and right now it looks like this:

SAC#sh port-sec int Gi1/0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : XXXX.XXXX.XXXX
Security Violation Count   : 0

In the "Last Source Address", appears the same MAC in all the violated interfaces.

Maybe I should investigate the MAC spoofing again; all of this also seems pretty weird to me.

Thanks for your support!

This is not possible somebody has physically done that. 

Well, you can use

switchport port-security violation restrict

It will not let the port shut down; instead, it will not allow other MACs to do anything. It will only allow the bound MAC.

Jawad
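As an added example (not from this thread, and not Cisco's own tooling), the following Python script parses "sh port-sec int" output collected for several interfaces and reports two things a defender wants when triaging an event like the one described above: any MAC that appears as the Last Source Address on more than one secured port (the pattern the poster found by hand across nine interfaces; a host MAC should sit behind exactly one access port), and which ports are currently in Secure-shutdown versus configured for the "restrict" violation mode Jawad mentions. The switch name, interface names and MAC addresses in the embedded sample are constructed placeholders, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample output (hypothetical switch "SAC", placeholder MACs) in the
# layout the Catalyst "sh port-sec int" command prints. Gi1/0/3 and Gi1/0/5
# both recorded the same last source MAC and were shut down by port-security.
SAMPLE_OUTPUT = """\
SAC#sh port-sec int Gi1/0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
SAC#sh port-sec int Gi1/0/4
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : aabb.ccdd.eeff:10
Security Violation Count   : 0
SAC#sh port-sec int Gi1/0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
"""

# A command echo line such as "SAC#sh port-sec int Gi1/0/3" starts a new block
# (abbreviated or full command spellings are both accepted).
HEADER_RE = re.compile(r"^\S+#\s*sh\w*\s+port-sec\w*\s+int\w*\s+(\S+)\s*$")
# Field lines are "<name> : <value>"; the non-greedy name stops at the first
# " : " so "Last Source Address:Vlan" keeps its embedded colon.
FIELD_RE = re.compile(r"^(.*?)\s+:\s+(.*?)\s*$")


def parse_port_security(text):
    """Return {interface: {status, mode, mac, vlan, violations}} from the
    concatenated output of several 'show port-security interface' commands."""
    raw, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            raw[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            raw[current][m.group(1)] = m.group(2)
    ports = {}
    for iface, fields in raw.items():
        # "Last Source Address:Vlan" is printed as "<mac>:<vlan>"; the VLAN
        # part may be absent, as in the poster's redacted "XXXX.XXXX.XXXX".
        mac, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
        ports[iface] = {
            "status": fields.get("Port Status"),
            "mode": fields.get("Violation Mode"),
            "mac": mac.lower() or None,
            "vlan": vlan or None,
            "violations": int(fields.get("Security Violation Count", "0")),
        }
    return ports


def shared_last_source_macs(ports):
    """MACs recorded as the last learned source on more than one secured port.
    A single host MAC legitimately belongs on one access port, so any entry
    here means the same address was seen (or spoofed) behind several ports."""
    seen = defaultdict(list)
    for iface, info in ports.items():
        if info["mac"]:
            seen[info["mac"]].append(iface)
    return {mac: sorted(ifs) for mac, ifs in seen.items() if len(ifs) > 1}


def err_disabled_ports(ports):
    """Ports that port-security has already shut down."""
    return sorted(i for i, p in ports.items() if p["status"] == "Secure-shutdown")


def restrict_mode_ports(ports):
    """Ports configured with 'violation restrict': they stay up and drop
    traffic from unknown MACs instead of going err-disabled."""
    return sorted(i for i, p in ports.items() if p["mode"] == "Restrict")


if __name__ == "__main__":
    parsed = parse_port_security(SAMPLE_OUTPUT)
    for mac, ifaces in shared_last_source_macs(parsed).items():
        print(f"MAC {mac} was the last source on {len(ifaces)} ports: {', '.join(ifaces)}")
    print("err-disabled:", err_disabled_ports(parsed))
    print("restrict mode:", restrict_mode_ports(parsed))
```

To use it on a real switch, paste the output of the command for each secured interface into one text file in place of the constructed sample; a MAC reported by `shared_last_source_macs` is the one to trace across the trunks with `sh mac address-table`, since the same address cannot legitimately be learned on several access ports at once.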