
security breach message on switch

AnaGRojas
Level 1

Hello, good morning. Several months ago, I got this message:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0100.00c1 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 4241.0454.94e2 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f661.b8c2.f69e on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0100.0000 on port GigabitEthernet2/0/11.
 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.06c3 on port GigabitEthernet2/0/11.

The message comes from different MACs that are not related to the ones saved as sticky.

This is the secure port configuration:

switchport access vlan 7
switchport mode access
switchport voice vlan 17
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky xxxx.xxxx.xxxx
switchport port-security mac-address sticky xxxx.xxxx.xxxx vlan voice
switchport port-security
spanning-tree portfast
spanning-tree bpduguard enable

These are the port security parameters:

Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : xxxx.xxxx.xxxx:17
Security Violation Count : 1799

And the count of security violations increases every minute. I don't understand why it increases on some ports and not on others.

I greatly appreciate your help and willingness.

1 Accepted Solution


Hello, @nict and @Leo Laohoo. I did the test to rule out the phone, and it's true, it wasn't that; it was the adapter or docking that converts the Ethernet cable to USB for the DELL laptop, because when it is disconnected nothing arrives, and when I reconnect it the message appears again. I appreciate everyone's time and willingness.


16 Replies

nict
Level 1

Hi @AnaGRojas 

Seems like that port is connected to a Switch or a hub.

That port security on your ports is configured for only 2 Max addresses (1 for Data and one for Voice).

You also configured "sticky", which means that the first two MAC addresses seen on the port are the only two which will be accepted on the port (for data and voice, of course).

So from this information, your port security is basically just doing its job, providing security on the interface and restricting the ports, since multiple different MAC addresses are seen on the port.

You probably need to find out what is connected to your Gi2/0/11 port.

 

Edit:

Also, while looking at the violation output it says:

Last Source Address:Vlan : 0045.1d6b.34a0:172

You have configured a sticky MAC address for MAC "0045.1d6b.34a0" on the port for voice VLAN 17, but the VLAN seen is VLAN 172.

 

Hello, I'm sorry, I made a mistake in the VLAN; it was 17. I have already returned the port to its default configuration and done everything again, and the message still appears.

But what is actually connected to the port?

My suspicion would be that it is a switch or a hub.

If it is an IP phone and a PC, it is possible the PC could have virtualization software (like VMware) installed with machines running. If they are bridged, you could see their MAC addresses on the port as well, which would trigger the port security violation.

What is connected to the port is a PC to an IP phone, and that goes to the switch. Could you elaborate more on what you suspect, please?

Does the PC run any kind of virtualization software, like VMware or Hyper-V with virtual machines?

It would be possible to see the MAC addresses from these virtual machines on the port.

And if you don't see any virtual machine, where could those other MAC addresses come from? Is it possible that they come from the phone? And the computer is a DELL.

If possible, can you disconnect the IP Phone, and connect the Dell PC directly into the switch, and see if you still have any issues?

If you still have issues, it suggests something on the PC is generating these MAC addresses. If the problem is solved without the IP phone connected, you have narrowed it down to the IP phone being the problem (which I don't think it is).

You are right, I will do my best to do that test and update you on the results.
Thank you so much.

Sounds great - let me know how it goes.

You're welcome.


@AnaGRojas wrote:
and the computer is a DELL.

Is this a DELL laptop with a DELL/Lenovo docking station?

Yes, it's true, it's a DELL laptop connected to a DELL docking station because the person has an extra monitor. Could the different MACs that I get come from there?

It would be possible that, instead of seeing the DELL PC's MAC address, you would see the docking station's MAC address if it isn't configured for "MAC-passthrough".

The reason why I didn't ask about a docking station is that you see a lot of different MAC addresses in your output:

 

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0100.00c1 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 4241.0454.94e2 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f661.b8c2.f69e on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0100.0000 on port GigabitEthernet2/0/11.
 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.06c3 on port GigabitEthernet2/0/11.

 

All the MACs are different, which indicates that it is just not a docking station - at least not from my point of view.

Maybe Leo knows something that I don't - but this still indicates to me that the MAC addresses come from within the Dell PC. MAC addresses like these ain't "normal" MAC addresses. They look like local addresses, which a virtual machine could have.

Hello, @nict and @Leo Laohoo. I did the test to rule out the phone, and it's true, it wasn't that; it was the adapter or docking that converts the Ethernet cable to USB for the DELL laptop, because when it is disconnected nothing arrives, and when I reconnect it the message appears again. I appreciate everyone's time and willingness.

Glad that you found the root cause - and you are welcome.

Please rate comments if they were helpful to you. Have a great day.
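
Added example, not part of the original thread: the replies discuss whether the violating addresses look like locally administered MACs. This Python example parses the PSECURE_VIOLATION lines quoted in the thread and groups the distinct source MACs per port by the I/G and U/L bits of the first octet. The function names `classify` and `triage` are illustrative.

```python
import re
from collections import defaultdict

# Violation messages copied from the thread (all on GigabitEthernet2/0/11).
SAMPLE_LOG = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0100.00c1 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 4241.0454.94e2 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address f661.b8c2.f69e on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet2/0/11.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0100.0000 on port GigabitEthernet2/0/11.
 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.06c3 on port GigabitEthernet2/0/11.
"""

VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?\s*$",
    re.IGNORECASE,
)


def classify(mac):
    """Classify a Cisco dotted MAC by the low two bits of its first octet."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:   # I/G bit set: group (multicast/broadcast) address
        return "group"
    if first_octet & 0x02:   # U/L bit set: locally administered address
        return "local"
    return "universal"       # both bits clear: nominally IEEE-assigned


def triage(log_text):
    """Return {port: {class: sorted distinct MACs}} for every violation line."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        match = VIOLATION.search(line)
        if match:
            mac = match.group("mac").lower()
            seen[match.group("port")][classify(mac)].add(mac)
    return {port: {kind: sorted(macs) for kind, macs in kinds.items()}
            for port, kinds in seen.items()}


if __name__ == "__main__":
    for port, kinds in triage(SAMPLE_LOG).items():
        for kind, macs in sorted(kinds.items()):
            print(f"{port} {kind:9} {len(macs)} distinct: {', '.join(macs)}")
```

On the six lines from this thread, 4241.0454.94e2 and f661.b8c2.f69e have the locally administered bit set and the other four do not.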
