01-12-2012 03:21 AM - edited 07-03-2021 09:21 PM
Hi
Just trying to figure out how a LAP manages clients in an H-REAP setup.
Have a setup with native vlan on 144 (switch and AP) and ssid tagging in other vlan... Got this on switch:
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Wonder why the client's MAC is seen on the native VLAN (and of course also on the tagged VLAN)...?
Any input to this?
Regards
Kasper
01-12-2012 03:30 AM
So that error message:
%PORT_SECURITY-2-PSECURE_VIOLATION:
Security violation occurred caused by MAC [enet] on port [chars].
This message means that an unauthorized device attempted to connect on a secure port. MAC [enet] is the MAC address of the unauthorized device, and port [chars] is the secure port.
Can you share the switchport config, what VLAN the client is supposed to be in, and the current code your WLC is running?
Steve
01-13-2012 12:46 AM
Hereby switchport config:
!
interface FastEthernet0/42
description
switchport trunk encapsulation dot1q
switchport trunk native vlan 144
switchport mode trunk
switchport port-security maximum 25
switchport port-security
switchport port-security aging time 30
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
srr-queue bandwidth share 1 30 35 5
priority-queue out
mls qos trust dscp
no snmp trap link-status
spanning-tree portfast
ip dhcp snooping limit rate 20
ip dhcp snooping trust
!
Clients are tagged into VLAN 721... It works OK... I just wonder why the clients' MACs are also being seen on VLAN 144.
Don't have the SW version yet...
Regards
Kasper
01-13-2012 01:56 AM
Version on WiSM modules:
Primary Boot Image............................... Code 5.2.193.0 (active)
Regards
Kasper
01-13-2012 04:41 AM
Does it only happen when the client first connects, or throughout the day as the client is passing traffic?
The reason I was asking about the VLAN and code is there were a couple of defects where a client could be put on the native VLAN. CSCsy06464 CSCsz08148.
Other than one of those, unless the AP sent an untagged frame for some reason, it shouldn't be seen on the PVID.
The above and a few others I can't remember should be fixed in latest 6.0 or 7.0 codes. So I would try to upgrade a 'spare' WLC and put an AP over on it, and see if the issue persists.
HTH,
Steve
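Added example, not code from any poster in this thread: a small Python parser for the PSECURE_VIOLATION_VLAN messages quoted in the first post. It groups hits on a port's native VLAN by client MAC and reports the time between them, which helps answer whether the MAC shows up once at association or repeatedly. The function names, the `native_vlans` mapping and the assumed year are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four syslog lines from the first post of this thread.
SAMPLE = """\
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
"""

# Only the per-VLAN variant of the message carries the VLAN number.
VLAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port "
    r"(?P<port>\S+) due to MAC address (?P<mac>[0-9a-fA-F.]{14}) "
    r"on VLAN (?P<vlan>\d+)")

def parse(text, year=2012):
    """Return (timestamp, port, mac, vlan) tuples. These log lines carry no
    year, so `year` is an assumption taken from the date of the posts."""
    events = []
    for line in text.splitlines():
        m = VLAN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["port"], m["mac"].lower(), int(m["vlan"])))
    return events

def native_vlan_hits(events, native_vlans):
    """Summarise violations logged on each port's native VLAN, per (port, MAC).
    native_vlans maps port name -> native VLAN id from the switch config."""
    seen = defaultdict(list)
    for ts, port, mac, vlan in events:
        if native_vlans.get(port) == vlan:
            seen[(port, mac)].append(ts)
    summary = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[key] = {"count": len(stamps), "first": stamps[0],
                        "last": stamps[-1], "gaps_s": gaps}
    return summary

if __name__ == "__main__":
    for (port, mac), s in native_vlan_hits(parse(SAMPLE), {"FastEthernet0/42": 144}).items():
        print(port, mac, s["count"], "hits, gaps (s):", s["gaps_s"])
```

Fed a longer capture from the switch, the per-MAC counts and gaps show whether native-VLAN sightings cluster around client joins or continue while the client passes traffic.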