01-03-2021 02:56 AM - edited 01-03-2021 02:59 AM
Hi everyone,
I have port security configured with a sticky MAC address on all switch access ports.
Today, at the same second, I found that multiple ports got shut down due to a MAC violation. The strange thing is that the violating MAC is the same on all ports and at the exact same time ("the same second!"). Any explanation for this?
The MAC address starts with 0800.xx; I don't know what this MAC address is.
show logging (as shown below) shows that the violation occurred at the same second:
"
Jan 3 09:15:26.978: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/22, putting Gi1/0/22 in err-disable state
Jan 3 09:15:26.990: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state
Jan 3 09:15:26.993: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/14, putting Gi3/0/14 in err-disable state
Jan 3 09:15:27.000: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/23, putting Gi3/0/23 in err-disable state
Jan 3 09:15:27.004: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/15, putting Gi3/0/15 in err-disable state
Jan 3 09:15:27.017: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/2, putting Gi2/0/2 in err-disable state
Jan 3 09:15:27.023: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/3, putting Gi2/0/3 in err-disable state
Jan 3 09:15:27.028: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/9, putting Gi3/0/9 in err-disable state
Jan 3 09:15:27.031: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Jan 3 09:15:27.044: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Jan 3 09:15:27.048: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/15, putting Gi1/0/15 in err-disable state
Jan 3 09:15:27.052: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Jan 3 09:15:27.059: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/4, putting Gi3/0/4 in err-disable state
Jan 3 09:15:27.115: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/17, putting Gi1/0/17 in err-disable state
"
end of show logging.
show port-security interface x/x/x shows that the exact same MAC address appears as the last source address on all the mentioned ports!
Just a note: not all the ports are on the same VLAN.
This is a stack switch; model: C9200L-24T-4X, SW version: 16.12.3a, SW image: CAT9K_LITE_IOSXE, mode: BUNDLE.
Any explanation for this would be much appreciated. Is this a bug, an attack, or something else?
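The pattern in the question, many access ports err-disabled by the same MAC inside one second, is something a defender can watch for automatically. The script below is an added example, not part of the original post or of Cisco's tooling: it parses %PM-4-ERR_DISABLE psecure-violation syslog lines, clusters them into one-second windows, and reports any window in which several distinct ports were err-disabled together. The sample log is constructed from the lines quoted above plus one isolated violation and one unrelated link-state line; the year is assumed because IOS syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the lines quoted in the question, plus one
# later, isolated violation and one non-port-security line that must be ignored.
SAMPLE_LOG = """\
Jan 3 09:15:26.978: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/22, putting Gi1/0/22 in err-disable state
Jan 3 09:15:26.990: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state
Jan 3 09:15:27.000: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/0/14, putting Gi3/0/14 in err-disable state
Jan 3 09:15:27.115: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/17, putting Gi1/0/17 in err-disable state
Jan 3 11:40:02.500: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/9, putting Gi1/0/9 in err-disable state
Jan 3 11:40:03.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to down
"""

# Matches the timestamp and the violating port of a psecure-violation message.
VIOLATION_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)


def parse_violations(log_text, year=2021):
    """Return (timestamp, port) pairs for every psecure-violation line, sorted by time.

    IOS syslog timestamps carry no year, so one is assumed (2021 here, taken
    from the thread date); it only matters for ordering across a year boundary.
    """
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line)
        if not m:
            continue  # link-state messages and other noise are skipped
        stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S.%f")
        events.append((stamp, m["port"]))
    events.sort()
    return events


def find_bursts(events, window_s=1.0, min_ports=3):
    """Group violations whose timestamps fall within window_s of the first event
    in the group, and return (group_start, sorted_ports) for every group that
    hit at least min_ports distinct ports. Many ports tripping inside a single
    second is the signature the thread describes; a lone violation is not."""
    bursts = []
    group = []

    def flush():
        ports = sorted({port for _, port in group})
        if len(ports) >= min_ports:
            bursts.append((group[0][0], ports))

    for stamp, port in events:
        if group and (stamp - group[0][0]).total_seconds() > window_s:
            flush()
            group.clear()
        group.append((stamp, port))
    if group:
        flush()
    return bursts


if __name__ == "__main__":
    for start, ports in find_bursts(parse_violations(SAMPLE_LOG)):
        print(f"{start:%b %d %H:%M:%S}: {len(ports)} ports err-disabled together: "
              + ", ".join(ports))
```

Run against the constructed sample it reports one burst at 09:15:26 covering four ports and ignores the single 11:40 violation. The same logic applied to a syslog collector feed gives an early signal that one source is hitting many ports at once, which is worth an alert whether the cause turns out to be a loop, a misbehaving NIC or something deliberate.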
01-04-2021 12:11 AM
Hello,
Could be a bad NIC on one of the end devices. MAC addresses starting with 0800 could be from any vendor in the link below:
01-04-2021 06:00 AM
Hello
@Vencola wrote:
Can you confirm if the sticky MAC addresses are statically or dynamically defined on each port?
The above doesn't suggest a loop?
Does this affect ALL ports in the switch stack or just those ports you have posted?
Is the sticky MAC address on each port statically or dynamically defined, and when you applied port-security, were these changes saved?
Do you have any hard/soft phones attached to these ports?
sh port-security int xxx
sh run int x/x
01-10-2021 10:32 PM
Actually, I found that all the end devices connected to these ports generate a second MAC address during their restart; the generated MAC address is the same.
01-03-2021 07:28 AM
- You most likely have a network loop.
M.
01-03-2021 07:28 PM
Most probably a network loop causing the MAC flap.
You can find the vendor from the MAC address to isolate the issue if you use multi-vendor devices.
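The vendor lookup suggested in this reply starts from the OUI, the first three octets of the address. The helper below is an added example, not from the thread: it accepts a MAC in Cisco's dotted format (0800.xxxx.xxxx) or in colon/hyphen form, normalises it, extracts the OUI for lookup against the IEEE registry, and decodes the two flag bits of the first octet, the I/G bit (group address) and the U/L bit, which is set on locally administered addresses, i.e. ones assigned by software or an administrator rather than by the NIC vendor. It also groups "last source address" values collected per port so that one MAC reported on many ports stands out. The sample addresses and the per-port table are constructed; no vendor table is bundled.

```python
import re

HEX12_RE = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample of "Last Source Address" values per port, as an operator
# would collect them from `show port-security interface` on each affected port.
SAMPLE_LAST_SOURCE = {
    "Gi1/0/22": "0800.1234.5678",
    "Gi2/0/1": "08:00:12:34:56:78",
    "Gi3/0/14": "0800.1234.5678",
    "Gi1/0/9": "0a00.1234.5678",
}


def normalize_mac(mac):
    """Return the address as 12 lowercase hex digits, accepting Cisco dotted
    (0800.1234.5678), colon (08:00:12:34:56:78) and hyphen forms."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not HEX12_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def oui_of(mac):
    """First three octets, colon-separated, as listed in the IEEE OUI registry."""
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in (0, 2, 4))


def _first_octet(mac):
    return int(normalize_mac(mac)[:2], 16)


def is_multicast(mac):
    """I/G bit (least significant bit of the first octet) set means a group address."""
    return bool(_first_octet(mac) & 0x01)


def is_locally_administered(mac):
    """U/L bit (second least significant bit of the first octet) set means the
    address was assigned locally, by software or an admin, rather than by the
    NIC vendor; an OUI lookup on such an address tells you nothing."""
    return bool(_first_octet(mac) & 0x02)


def describe(mac):
    """Summarise one address: canonical form, OUI and the two flag bits."""
    d = normalize_mac(mac)
    return {
        "mac": ":".join(d[i:i + 2] for i in range(0, 12, 2)),
        "oui": oui_of(d),
        "multicast": is_multicast(d),
        "locally_administered": is_locally_administered(d),
    }


def shared_last_sources(port_to_mac):
    """Map each MAC reported as last source on more than one port to the sorted
    list of those ports, normalising the mixed formats operators paste in."""
    seen = {}
    for port, mac in port_to_mac.items():
        seen.setdefault(normalize_mac(mac), []).append(port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    for mac, ports in shared_last_sources(SAMPLE_LAST_SOURCE).items():
        print(f"{describe(mac)} seen on {', '.join(ports)}")
```

For the 0800 prefix in the question the U/L bit of 0x08 is clear, so the address sits in the vendor-assigned range and an OUI lookup applies; had the U/L bit been set, the address would be locally generated and the registry would not identify a vendor at all.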
01-10-2021 10:35 PM
The sticky MAC address is dynamically configured on all ports. I found the issue is related to the end device (not a phone),
but may I ask why phones can generate this issue, as it happened once before on a port that is connected to a phone.
12-14-2021 04:00 AM
Hello,
just out of curiosity, which devices are those? Windows (10)?
12-14-2021 05:14 AM
Hello,
No, they are USB-to-Ethernet converters; when they restart they generate a temporary MAC address for an unknown reason.