Port security violation question

phil.g.james
Level 1

We have a number of Cisco 3560 switches which have port security set on them as follows:

    switchport port-security maximum 3
    switchport port-security
    switchport port-security violation restrict

The ports would have a Cisco IPT phone and PC plugged into them.

We recently had an incident where the following error occurred on two ports on two separate switches, located on the same floor of the building.

PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address

This error kept coming up but only on two ports and with different MAC addresses which we traced as PCs coming from different floors of the building but in the same VLAN.

It looks like something may have been looped but BPDU Guard is set on these switches but did not shut the ports down.

It caused the core switches that connect to the above access switches to run with very high CPU usage, and caused very slow running for anyone connecting on the above VLAN. Other VLANs in the building were not affected.

Other than someone plugging an unauthorised hub into these switches, which we have discounted as no hub was found, what else could have caused this error?
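The post quotes the violation message without the MAC and port that the full IOS line carries. As an added example (not code from the thread or from Cisco), the script below parses complete PSECURE_VIOLATION lines from a syslog collector and looks for the loop signature the question describes: the same violating MAC showing up on more than one access port, possibly on different switches. The hostnames, MACs and interfaces in the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (hypothetical hostnames, MACs and ports; not from
# the thread). The message body follows the IOS PSECURE_VIOLATION format, which
# names the offending MAC and the port; the post above shows it cut off.
SAMPLE_LOG = """\
sw-floor3-1: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
sw-floor3-1: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.aabb on port FastEthernet0/7.
sw-floor3-2: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/19.
sw-floor3-2: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.ccdd on port FastEthernet0/19.
sw-floor5-1: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/3.
"""

VIOLATION_RE = re.compile(
    r"^(?P<host>\S+): %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)


def parse_violations(text):
    """Return one (host, port, mac) tuple per PSECURE_VIOLATION line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line.strip())
        if m:
            events.append((m["host"], m["port"], m["mac"].lower()))
    return events


def violations_per_port(events):
    """Count violations per (host, port): the ports that keep logging are the ones to inspect."""
    return Counter((host, port) for host, port, _ in events)


def wandering_macs(events):
    """MACs that violated on more than one port. One station cannot legitimately sit behind
    two access ports at once, so this is the loop / rogue-bridge signature."""
    seen = defaultdict(set)
    for host, port, mac in events:
        seen[mac].add((host, port))
    return {mac: ports for mac, ports in seen.items() if len(ports) > 1}


def suspected_loop_ports(events):
    """Sorted list of ports that share at least one violating MAC with another port."""
    ports = set()
    for locations in wandering_macs(events).values():
        ports.update(locations)
    return sorted(ports)


if __name__ == "__main__":
    ev = parse_violations(SAMPLE_LOG)
    for (host, port), n in violations_per_port(ev).most_common():
        print(f"{host} {port}: {n} violation(s)")
    for mac, locs in wandering_macs(ev).items():
        print(f"MAC {mac} violated on {len(locs)} ports: {sorted(locs)}")
    print("suspected loop ports:", suspected_loop_ports(ev))
```

With `violation restrict` the port stays up and keeps logging, so the per-port counter is what separates a one-off extra device from the sustained flood in the question; the MAC-to-port map then tells you which pair of ports to pull.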

4 Replies

Peter Paluch
Cisco Employee

Hello Phil,

That error message you have posted is truncated - it is not complete. The remainder that was not posted may contain vital information about the reason. Do you happen to have the entire log message?

Best regards,

Peter

Kevin Dorrell
Level 10

Hi Phil,

The fact that you see it on two different ports, and the violating MAC addresses are nowhere near this switch, means you are probably right in your conclusion that someone has looped the two ports through a non-STP switch or hub or maybe IP phone.  But you say you have BPDU guard on the two access ports, so one or other should have shut down.  So what could it be?

One possibility is that whatever has looped the two ports is passing traffic but filtering out the BPDUs.  That could happen, for example, if you have a malicious person who has taken a Cisco switch and put BPDU filter on two of its ports, and then used it to loop the two ports on your switch.

I presume you do not have BPDU filter on your own switch.  There was once a "best practices" document that recommended to do that but IMHO it is a real no-no.  BPDU filter effectively wipes out any protection you might have had from BPDU guard.  I only use BPDU filter when absolutely necessary for some corner-case.

Let us know how it works out.

Kevin DORRELL

CCIE #20765

Luxembourg
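The reply above makes the point that BPDU filter on an access port silently disables the protection BPDU guard is supposed to give. As an added example (not code from the thread or from Cisco), this script audits a running-config text for exactly that: port-security edge ports that either carry an interface-level `spanning-tree bpdufilter enable` or have no BPDU guard at all. The config excerpt, interface names and hostnames are constructed; the audit assumes the global `spanning-tree portfast bpduguard default` applies guard to portfast ports, and it does not model the different semantics of the global `spanning-tree portfast bpdufilter default` command.

```python
# Constructed running-config excerpt for a hypothetical access switch (not a config
# from the thread); FastEthernet0/8 deliberately carries the bpdufilter setting the
# reply above warns against.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/7
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

FINDING_FILTER = "bpdufilter enabled: incoming BPDUs are dropped, so bpduguard can never trigger"
FINDING_NO_GUARD = "port-security edge port without bpduguard"


def parse_config(config):
    """Split an IOS config into global lines and per-interface stanzas (stripped lines)."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_bpdu(config):
    """Return (interface, finding) pairs for port-security ports whose BPDU guard is
    missing or neutralised by an interface-level BPDU filter."""
    global_lines, interfaces = parse_config(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        if "switchport port-security" not in lines:
            continue  # only the edge ports this thread is about
        if "spanning-tree bpdufilter enable" in lines:
            findings.append((name, FINDING_FILTER))
            continue
        portfast = "spanning-tree portfast" in lines
        guard = ("spanning-tree bpduguard enable" in lines
                 or (guard_default and portfast
                     and "spanning-tree bpduguard disable" not in lines))
        if not guard:
            findings.append((name, FINDING_NO_GUARD))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_bpdu(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Feed it the output of `show running-config` from each access switch; a port that shows up with the bpdufilter finding would log port-security violations in a loop but never err-disable, which is the behaviour the question reports.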

Kevin Dorrell
Level 10

Just another thought: check that the user has not connected the two ports of the IP phone to two ports of your switch.

Deben Bhattarai
Level 1

The error is caused by a port security violation: the port learned more than 3 MAC addresses. Have you checked, along with the IPT, what PC is connected, and whether any VM or virtual interfaces were configured and bridged with the PC's physical interface to get through to the network?

I have experienced such an instance in the past where users started a Hyper-V or VM instance on a PC and tried to access the LAN.

Sent from Cisco Technical Support Android App
