07-04-2013 10:05 AM - edited 03-07-2019 02:14 PM
We have a number of Cisco 3560 switches which have port security set on them as follows:
switchport port-security maximum 3
switchport port-security
switchport port-security violation restrict
The ports would have a Cisco IPT phone and PC plugged into them.
We recently had an incident where the following error occurred on two ports on two separate switches, located on the same floor of the building.
PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address
This error kept coming up but only on two ports and with different MAC addresses which we traced as PCs coming from different floors of the building but in the same VLAN.
It looks like something may have been looped but BPDU Guard is set on these switches but did not shut the ports down.
It caused the core switches that connect to the above access switches to run with very high CPU usage, and caused very slow running on anyone connecting on the above VLAN. Other VLANS in the building were not affected.
Other than someone plugging an unauthorised hub into these switches, which we have discounted as no hub was found, what else could have caused this error?
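As an added example (not part of the thread, and not Cisco's code), here is a small Python script that parses the full form of the PSECURE_VIOLATION message, which carries the MAC and port the truncated line above is missing, from syslog collected off several switches and correlates it: the same MAC violating on ports of two different switches within seconds is the footprint a loop through an unmanaged device would leave. The switch names, MAC addresses, ports and timestamps are constructed.

```python
import re
from collections import defaultdict

# Full syslog form of the message quoted in the question, as stored by a
# collector with the originating hostname first.
VIOLATION_RE = re.compile(
    r"^(?P<switch>\S+)\s+.*?%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    r"occurred, caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>\S+)\."
)

# Constructed sample lines: hostnames, MACs, ports and times are made up.
SAMPLE_LOG = """\
sw-floor3-a Jul  4 09:58:01: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/12.
sw-floor3-b Jul  4 09:58:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/7.
sw-floor3-a Jul  4 09:58:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4466 on port FastEthernet0/12.
sw-floor3-b Jul  4 09:58:06: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4466 on port FastEthernet0/7.
sw-floor3-a Jul  4 09:58:09: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4477 on port FastEthernet0/12.
sw-floor1-c Jul  4 10:02:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port FastEthernet0/3.
"""

def parse_violations(text):
    """Yield (switch, port, mac) for every PSECURE_VIOLATION line in text."""
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            yield m.group("switch"), m.group("port"), m.group("mac").lower()

def correlate(text, min_macs=2):
    """Return (roaming, noisy): MACs that violated on more than one
    (switch, port), and (switch, port) pairs hit by >= min_macs distinct MACs.
    A single PC tripping two ports at once is what a loop looks like; one port
    with one extra MAC is more likely a VM bridge or a second device."""
    ports_by_mac = defaultdict(set)
    macs_by_port = defaultdict(set)
    for switch, port, mac in parse_violations(text):
        ports_by_mac[mac].add((switch, port))
        macs_by_port[(switch, port)].add(mac)
    roaming = {mac: sorted(p) for mac, p in ports_by_mac.items() if len(p) > 1}
    noisy = {p: sorted(m) for p, m in macs_by_port.items() if len(m) >= min_macs}
    return roaming, noisy

if __name__ == "__main__":
    roaming, noisy = correlate(SAMPLE_LOG)
    for mac, ports in roaming.items():
        print(f"{mac} violated on {len(ports)} ports: {ports}")
    for (switch, port), macs in noisy.items():
        print(f"{switch} {port}: {len(macs)} distinct violating MACs")
```

On the constructed input the two MACs seen on both floor-3 switches are the ones to chase first; the single violation on the floor-1 port is left alone.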
07-05-2013 05:03 AM
Hello Phil,
That error message you have posted is truncated - it is not complete. The remainder that was not posted may contain vital information about the reason. Do you happen to have the entire log message?
Best regards,
Peter
07-05-2013 05:13 AM
Hi Phil,
The fact that you see it on two different ports, and the violating MAC addresses are nowhere near this switch, means you are probably right in your conclusion that someone has looped the two ports through a non-STP switch or hub or maybe IP phone. But you say you have BPDU guard on the two access ports, so one or other should have shut down. So what could it be?
One possibility is that whatever has looped the two ports is passing traffic but filtering out the BPDUs. That could happen, for example, if you have a malicious person who has taken a Cisco switch and put BPDU filter on two of its ports, and then used it to loop the two ports on your switch.
I presume you do not have BPDU filter on your own switch. There was once a "best practices" document that recommended to do that but IMHO it is a real no-no. BPDU filter effectively wipes out any protection you might have had from BPDU guard. I only use BPDU filter when absolutely necessary for some corner-case.
Let us know how it works out.
Kevin DORRELL
CCIE #20765
Luxembourg
07-05-2013 05:16 AM
Just another thought .... check that the user has not connected the two ports of the IP phone to two ports of your switch.
07-05-2013 12:21 PM
The error is caused due to a port security violation... the port learned more than 3 MAC addresses.... Have you checked, along with the IPT, what PC is connected, and whether any VM or virtual interfaces were configured and bridged with the PC's physical interface to get through the network....
I have experienced such an instance in the past where users started a Hyper-V or VM instance on a PC and tried to access the LAN...
Sent from Cisco Technical Support Android App