shadowman724 | Junior Member | Posts: 59 | Joined: Thu Jun 23, 2011 11:49 am | Certs: MCP, CCNA-R&S/V, CCNP, VCA-DCV/Cloud, SCP

many MAC addresses on same port

Fri May 25, 2012 9:51 am

Hi,
We got a bunch of port-sec violations on port fa1/0/42. After checking the logs, we noticed that the MAC address responsible for generating the alert was not one, but many.
We asked the user, he said he only restarted his computer.
The MAC addresses happen to be existing MAC on the network.
How is it possible that a port-sec violation is made by many MAC addresses on the same port, successively? Has anybody experienced this same issue?

Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.

Thanks,
Wass
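
The four syslog lines above are a small burst: four distinct MACs on one port inside about 35 seconds. The following is an added example (not code from the thread or from any poster) showing how a defender could parse %PORT_SECURITY-2-PSECURE_VIOLATION messages from a syslog feed, group them per switch and port, and flag ports where more than one distinct MAC caused a violation inside a short window, which is the symptom being discussed. The embedded log lines are constructed by copying the format posted above; the OUI table is constructed from the vendor attributions that posters give later in this thread and should be checked against the IEEE registry before being relied on.

```python
"""Flag bursts of distinct MAC addresses causing port-security violations.

Added example, not from the forum thread. Parses Cisco IOS
PSECURE_VIOLATION syslog lines, groups them per (switch, port) and reports
ports where >= `threshold` distinct MACs violated inside `window_s` seconds.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input, same format as the lines posted in the thread.
SAMPLE_LOGS = """\
Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.
"""

# Constructed OUI table: these attributions are the ones posters give in the
# thread, not an authoritative registry. Keys are the first three octets.
OUI_VENDORS = {
    "64:16:8d": "Cisco",
    "78:e3:b5": "HP",
    "00:18:10": "IP Trade Networks",
}

# The device's own timestamp (after the relay timestamp and sequence number)
# is the one we key on; the year is absent, so strptime defaults it to 1900,
# which is fine for computing gaps between events.
LINE_RE = re.compile(
    r"from device (?P<switch>\S+):.*?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d{3} \w+: "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+\d+(?:/\d+)*)"
)


def normalize_mac(mac):
    """Convert Cisco dotted form (6416.8dbb.930e) to colon form."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vendor_for(mac):
    """Look up the first three octets in the constructed OUI table."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8], "unknown")


def parse_violations(text):
    """Return one event dict per PSECURE_VIOLATION line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "switch": m["switch"],
            "port": m["port"],
            "mac": normalize_mac(m["mac"]),
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        })
    return events


def find_bursts(events, window_s=60, threshold=2):
    """Map (switch, port) -> sorted distinct MACs for ports where at least
    `threshold` distinct MACs violated inside any `window_s`-second window."""
    by_port = defaultdict(list)
    for ev in events:
        by_port[(ev["switch"], ev["port"])].append(ev)
    flagged = {}
    for key, evs in by_port.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        counts = defaultdict(int)   # distinct MACs in the sliding window
        lo, best = 0, set()
        for ev in evs:
            counts[ev["mac"]] += 1
            # Slide the left edge forward until the window fits.
            while (ev["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                old = evs[lo]["mac"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) > len(best):
                best = set(counts)
        if len(best) >= threshold:
            flagged[key] = sorted(best)
    return flagged


if __name__ == "__main__":
    for (switch, port), macs in find_bursts(parse_violations(SAMPLE_LOGS)).items():
        print(f"{switch} {port}: {len(macs)} distinct MACs within 60 s")
        for mac in macs:
            print(f"  {mac}  ({vendor_for(mac)})")
```

Run as written it flags FastEthernet1/0/42 on SW_Etage1 with four distinct MACs; with a 5-second window it flags nothing, since the events are spaced 6 to 21 seconds apart. Feeding the real syslog archive for the weeks before the incident through the same parser would also answer the question raised later in the thread, namely when those MACs were last seen on that port.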

Davidr | Senior Member | Posts: 485 | Joined: Wed Aug 24, 2011 1:43 am | Certs: CCNP

Re: many MAC addresses on same port

Fri May 25, 2012 9:55 am

Sounds like someone connected another switch to that port and connected some more PCs.
Or a wireless access point.

Go and check what is actually physically connected to the port.

jdsilva | Post Whore | Posts: 5347 | Joined: Mon Jan 17, 2005 11:01 pm | Certs: CCNP

Re: many MAC addresses on same port

Fri May 25, 2012 9:57 am

That first MAC, 6416.8dbb.930e, belongs to a Cisco device.

http://www.coffer.com/mac_find/?string=6416.8d

shadowman724 | Junior Member | Posts: 59 | Joined: Thu Jun 23, 2011 11:49 am | Certs: MCP, CCNA-R&S/V, CCNP, VCA-DCV/Cloud, SCP

Re: many MAC addresses on same port

Fri May 25, 2012 11:12 am

Davidr, there is no other device plugged into the switch port.
Infinite, that link may be useful with port-security diagnostics. Thanks.

that1guy15 | Post Whore | Posts: 3023 | Joined: Thu Apr 29, 2010 6:12 pm | Certs: CCNP, CCDP, CCIP

Re: many MAC addresses on same port

Fri May 25, 2012 11:17 am

Yeah, I second the AP being connected to the interface. If you checked it and nothing is connected besides a PC, are you still getting the SEC errors?

Also, have you checked his PC to see if he has a virtual machine or VM software installed? I'm not 100% sure about how MACs are propagated/generated with this software, but that could be it.
http://blog.movingonesandzeros.net/

shadowman724 | Junior Member | Posts: 59 | Joined: Thu Jun 23, 2011 11:49 am | Certs: MCP, CCNA-R&S/V, CCNP, VCA-DCV/Cloud, SCP

Re: many MAC addresses on same port

Fri May 25, 2012 11:26 am

I had that first intuition too, That1guy15. User denied having VMs or any virtualization software.
The issue appeared as soon as he restarted his computer. Does the switch keep a history of past known MAC addresses on a given port?

that1guy15 | Post Whore | Posts: 3023 | Joined: Thu Apr 29, 2010 6:12 pm | Certs: CCNP, CCDP, CCIP

Re: many MAC addresses on same port

Fri May 25, 2012 11:32 am

shadowman724 wrote: That1guy15. User denied having VMs or any virtualization software.

I hate to sound like a dick, but end users lie or don't know what they are talking about sometimes! If you are still experiencing the issue then you need to go to the location that port terminates and assess the situation for yourself. It might not have been this user, but someone else could have connected an AP to the port without him knowing. If you can remote into his system then I also suggest digging around, seeing what is installed and checking logs.
http://blog.movingonesandzeros.net/

stuart475898 | New Member | Posts: 43 | Joined: Tue Jun 14, 2011 12:55 pm | Certs: CCNA

Re: many MAC addresses on same port

Fri May 25, 2012 5:12 pm

that1guy15 wrote:
shadowman724 wrote: That1guy15. User denied having VMs or any virtualization software.

I hate to sound like a dick, but end users lie or don't know what they are talking about sometimes! If you are still experiencing the issue then you need to go to the location that port terminates and assess the situation for yourself. It might not have been this user, but someone else could have connected an AP to the port without him knowing. If you can remote into his system then I also suggest digging around, seeing what is installed and checking logs.

+1

Those MACs must have come from somewhere; the computer isn't just going to make them up. The first is Cisco, the second is HP, and the last two are from a company called IP Trade Networks, who seem to manufacture IP phones.
www.ccnapractice.com - Randomly generated CCNA labs

shadowman724 | Junior Member | Posts: 59 | Joined: Thu Jun 23, 2011 11:49 am | Certs: MCP, CCNA-R&S/V, CCNP, VCA-DCV/Cloud, SCP

Re: many MAC addresses on same port

Wed Jun 06, 2012 8:50 am

The first is Cisco, the second is HP, and the last two are from a company called IP Trade Networks who seem to manufacture IP phones.

These MAC addresses appeared because we previously connected such devices to the switch. But that was long ago.

mellowd | CCIE #38070 | Posts: 13814 | Joined: Wed Jun 18, 2008 7:49 am | Certs: CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: many MAC addresses on same port

Wed Jun 06, 2012 8:54 am

MAC addresses don't just appear out of nowhere. They were there because someone connected a device with those MACs to the network.

jdsilva | Post Whore | Posts: 5347 | Joined: Mon Jan 17, 2005 11:01 pm | Certs: CCNP

Re: many MAC addresses on same port

Wed Jun 06, 2012 9:40 am

The typical age out timer on a layer 2 forwarding table is 5 minutes (Cisco and HP).

baybars | Ultimate Member | Posts: 683 | Joined: Fri Mar 13, 2009 3:53 pm | Certs: CCNA, CCNA Security, 642-902

Re: many MAC addresses on same port

Wed Jun 06, 2012 10:30 am

Everything happened in just 30 seconds? Connected 4 different devices? Can you post the interface configuration? And is there some type of mirroring?

And the maximum amount of aging time is approx 11 days.
