Client MAC on native vlan in H-reap setup

Kasper Roholt
Level 1

Hi

Just trying to figure out how the LAP manages clients in an H-REAP setup.

I have a setup with native VLAN 144 (switch and AP) and the SSID tagged into another VLAN... Got this on the switch:

Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144

Wonder why the client's MAC is seen on the native VLAN (and of course also on the tagged VLAN)...?

Any input to this?

Regards

Kasper

4 Replies

Stephen Rodriguez
Cisco Employee

So that error message:

%PORT_SECURITY-2-PSECURE_VIOLATION:

Security violation occurred caused by MAC [enet] on port [chars].

This message means that an unauthorized device attempted to connect on a secure port. MAC [enet] is the MAC address of the unauthorized device, and port [chars] is the secure port.

Can you share the switchport config, what VLAN the client is supposed to be in, and the current code your WLC is running?

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Here is the switchport config:

!
interface FastEthernet0/42
 description
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 144
 switchport mode trunk
 switchport port-security maximum 25
 switchport port-security
 switchport port-security aging time 30
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 no snmp trap link-status
 spanning-tree portfast
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
!

Clients are tagged into VLAN 721... It works OK... I just wonder why the clients' MACs are also being seen on VLAN 144.

Don't have the SW version yet...

Regards

Kasper

Version on WiSM modules:

Primary Boot Image............................... Code 5.2.193.0 (active)

Regards

Kasper

Does it only happen when the client first connects, or throughout the day as the client is passing traffic?

The reason I was asking about the VLAN and code is that there were a couple of defects where a client could be put on the native VLAN: CSCsy06464, CSCsz08148.

Other than one of those, unless the AP sent an untagged frame for some reason, it shouldn't be seen on the PVID.

The above and a few others I can't remember should be fixed in the latest 6.0 or 7.0 codes. So I would try to upgrade a 'spare' WLC and put an AP over on it, and see if the issue persists.

HTH,

Steve

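To tell the symptom discussed in this thread (a wireless client's MAC hitting the trunk's native VLAN) apart from ordinary port-security limit hits, the PSECURE_VIOLATION_VLAN syslog lines can be parsed and compared against what each AP port is expected to carry. The following is an added example, not code from the thread or from Cisco; the sample log lines are constructed to mirror the ones quoted above, and PORT_POLICY (native VLAN 144, client VLAN 721 on FastEthernet0/42) is an assumed per-port expectation table.

```python
import re
from collections import defaultdict

# Constructed sample of IOS port-security syslog output, modelled on the
# lines quoted in the question (same MAC, port and VLAN values).
SAMPLE_LOG = """\
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:40:01.002: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b05 on VLAN 721
"""

# Only the _VLAN variant of the message carries the VLAN id, so key on it.
VLAN_VIOLATION = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: "
    r"Security violation on port (?P<port>\S+) due to MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on VLAN (?P<vlan>\d+)$"
)

# Assumed expectations per AP uplink: the PVID from the switchport config and
# the VLAN(s) the SSIDs are mapped to (hypothetical table, not a Cisco feature).
PORT_POLICY = {
    "FastEthernet0/42": {"native": 144, "client_vlans": {721}},
}


def parse_vlan_violations(text):
    """Return one dict (ts, port, mac, vlan) per PSECURE_VIOLATION_VLAN line."""
    events = []
    for line in text.splitlines():
        m = VLAN_VIOLATION.match(line.strip())
        if m:
            d = m.groupdict()
            d["vlan"] = int(d["vlan"])
            events.append(d)
    return events


def native_vlan_leaks(events, policy):
    """Map (port, mac) -> number of violations where the MAC landed on the PVID.

    Hits on an expected client VLAN are plain port-security limit events and
    are left out; only MACs seen untagged on the AP trunk are reported.
    """
    hits = defaultdict(int)
    for ev in events:
        pol = policy.get(ev["port"])
        if pol is None:
            continue  # no expectation recorded for this port
        if ev["vlan"] == pol["native"] and ev["vlan"] not in pol["client_vlans"]:
            hits[(ev["port"], ev["mac"])] += 1
    return dict(hits)
```

Run over the sample, the 0811.9695.9b04 client is reported twice on the native VLAN of FastEthernet0/42, while the 0811.9695.9b05 hit on VLAN 721 is ignored.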