networking-forum.com
All times are UTC - 6 hours [ DST ]
PostPosted: Fri May 25, 2012 9:51 am 
New Member

Joined: Thu Jun 23, 2011 11:49 am
Posts: 33
Location: Tunisia
Certs: CCNP,CCNA-V,MCP
Hi,
We got a bunch of port-sec violations on port fa1/0/42. After checking the logs, we noticed that the MAC address responsible for generating the alert was not one, but many.
We asked the user; he said he only restarted his computer.
The MAC addresses happen to be existing MACs on the network.
How is it possible that a port-sec violation is made by many MAC addresses on the same port, successively? Has anybody experienced this same issue?

Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.

Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.
Thanks,
Wass
PostPosted: Fri May 25, 2012 9:55 am 
Senior Member

Joined: Wed Aug 24, 2011 1:43 am
Posts: 485
Location: Bournemouth, UK
Certs: CCNP
Sounds like someone connected another switch to that port and connected some more PCs, or a wireless access point.

go and check what is actually physically connected to the port.
PostPosted: Fri May 25, 2012 9:57 am 
Post Whore

Joined: Mon Jan 17, 2005 11:01 pm
Posts: 5150
Location: Canada eh
Certs: 350-001, CCNP, CXFF, ITILv3F
That first MAC, 6416.8dbb.930e, belongs to a Cisco device.

http://www.coffer.com/mac_find/?string=6416.8d

_________________
blog.brokennetwork.ca
PostPosted: Fri May 25, 2012 11:12 am 
New Member

Joined: Thu Jun 23, 2011 11:49 am
Posts: 33
Location: Tunisia
Certs: CCNP,CCNA-V,MCP
Davidr, there is no other device plugged into the switch port.
Infinite, that link may be useful for port-security diagnostics. Thanks.
PostPosted: Fri May 25, 2012 11:17 am 
Post Whore

Joined: Thu Apr 29, 2010 6:12 pm
Posts: 2209
Location: Texas
Certs: CCNP, CCDP, CCIP
Yeah, I second the AP being connected to the interface. If you checked it and nothing is connected besides a PC, are you still getting the SEC errors?

Also, have you checked his PC to see if he has a virtual machine or VM software installed? I'm not 100% sure about how MACs are propagated/generated with this software, but that could be it.

_________________
http://blog.movingonesandzeros.net/
PostPosted: Fri May 25, 2012 11:26 am 
New Member

Joined: Thu Jun 23, 2011 11:49 am
Posts: 33
Location: Tunisia
Certs: CCNP,CCNA-V,MCP
I had that first intuition too, That1guy15. User denied having VMs or any virtualization software.
The issue appeared as soon as he restarted his computer. Does the switch keep a history of past known MAC addresses on a given port?
PostPosted: Fri May 25, 2012 11:32 am 
Post Whore

Joined: Thu Apr 29, 2010 6:12 pm
Posts: 2209
Location: Texas
Certs: CCNP, CCDP, CCIP
shadowman724 wrote:
That1guy15. User denied having VMs or any virtualization software.

I hate to sound like a dick, but end users lie or don't know what they are talking about sometimes! If you are still experiencing the issue then you need to go to the location that port terminates and assess the situation for yourself. It might not have been this user, but someone else could have connected an AP to the port without him knowing. If you can remote into his system then I also suggest digging around and seeing what is installed, and check logs.

_________________
http://blog.movingonesandzeros.net/
PostPosted: Fri May 25, 2012 5:12 pm 
New Member

Joined: Tue Jun 14, 2011 12:55 pm
Posts: 40
Certs: CCNA
that1guy15 wrote:
shadowman724 wrote:
That1guy15. User denied having VMs or any virtualization software.

I hate to sound like a dick, but end users lie or don't know what they are talking about sometimes! If you are still experiencing the issue then you need to go to the location that port terminates and assess the situation for yourself. It might not have been this user, but someone else could have connected an AP to the port without him knowing. If you can remote into his system then I also suggest digging around and seeing what is installed, and check logs.

+1

Those MACs must have come from somewhere; the computer isn't just going to make them up. The first is Cisco, the second is HP, and the last two are from a company called IP Trade Networks, who seem to manufacture IP phones.
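Two things in this thread lend themselves to a small script: pulling the offending MAC, port and time out of the %PORT_SECURITY-2-PSECURE_VIOLATION lines quoted in the opening post, and the OUI (vendor prefix) identification discussed in the replies above. The following is an added example written for this thread, not code posted by anyone in it. It assumes the four syslog lines from the first post as sample input, a three-entry OUI table built only from the vendor attributions given in this thread (not the IEEE registry), an assumed year of 2012 because IOS syslog timestamps carry none, and illustrative thresholds (three or more distinct MACs inside 60 seconds) for flagging the "many MACs on one port" symptom; the thresholds are a starting point, not a standard.

```python
"""Parse Cisco port-security violation syslog lines, identify the OUI of each
violating MAC and flag ports that see several distinct MACs in a short window.
Added example for the thread above; not code from the forum or from any vendor."""
import re
from collections import defaultdict
from datetime import datetime

# The four syslog lines quoted in the opening post (sample input, verbatim).
SAMPLE_LOG = """\
Syslog message generated from device SW_Etage1: May 25 15:17:08 10.100.254.11 1454802: May 25 15:19:11.693 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6416.8dbb.930e on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:29 10.100.254.11 1454805: May 25 15:19:32.874 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78e3.b58f.1011 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:35 10.100.254.11 1454806: May 25 15:19:38.226 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.30f9 on port FastEthernet1/0/42.
Syslog message generated from device SW_Etage1: May 25 15:17:42 10.100.254.11 1454807: May 25 15:19:45.575 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0018.1000.304a on port FastEthernet1/0/42.
"""

# Constructed OUI table: only the three prefixes attributed in this thread.
# A real deployment would load the IEEE OUI registry instead.
OUI_VENDORS = {"64168d": "Cisco", "78e3b5": "HP", "001810": "IP Trade Networks"}

# Matches the IOS timestamp that immediately precedes the facility code, so the
# relay's own "May 25 15:17:08 10.100.254.11 1454802:" prefix is skipped.
VIOLATION_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.(?P<ms>\d{1,6}))?\s+\w+:\s+"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) on port (?P<port>[\w/]+)"
)


def normalize_mac(mac):
    """Accept Cisco dotted (6416.8dbb.930e), colon or dash forms; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac):
    """First 24 bits of the MAC as six lowercase hex digits."""
    return normalize_mac(mac).replace(":", "")[:6]


def vendor_of(mac):
    return OUI_VENDORS.get(oui_of(mac), "unknown")


def parse_violation(line, year=2012):
    """Return {time, mac, port, vendor} for a PSECURE_VIOLATION line, else None.
    The year is assumed (syslog lines carry none); 2012 matches this thread."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    stamp = f"{year} {m['ts']}.{m['ms'] or '0'}"
    when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")
    return {"time": when, "mac": normalize_mac(m["mac"]),
            "port": m["port"], "vendor": vendor_of(m["mac"])}


def find_mac_churn(events, window_seconds=60, min_distinct=3):
    """Per port, find the densest window_seconds span and report it if it holds
    at least min_distinct different MACs (the symptom described in the thread)."""
    by_port = defaultdict(list)
    for ev in events:
        by_port[ev["port"]].append(ev)
    findings = []
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            macs, last = set(), start
            for ev in evs[i:]:
                if (ev["time"] - start["time"]).total_seconds() > window_seconds:
                    break
                macs.add(ev["mac"])
                last = ev
            if len(macs) >= min_distinct and (best is None or len(macs) > best["distinct_macs"]):
                best = {"port": port, "distinct_macs": len(macs), "macs": sorted(macs),
                        "first": start["time"], "last": last["time"]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    parsed = [parse_violation(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    for ev in parsed:
        print(ev["time"].time(), ev["port"], ev["mac"], ev["vendor"])
    for f in find_mac_churn(parsed):
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{f['port']}: {f['distinct_macs']} distinct MACs in {span:.1f}s -> {f['macs']}")
```

Run against the thread's four lines it reports one port with four distinct MACs inside about 34 seconds, which is the pattern that distinguishes a port with something else behind it (a second switch, an AP, a hypervisor bridging guests) from the single-MAC violation a swapped PC produces. Seeing the vendor next to each MAC also makes the "these are Cisco/HP/IP-phone OUIs, not the user's laptop" observation immediate instead of requiring a manual lookup per address.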
PostPosted: Wed Jun 06, 2012 8:50 am 
New Member

Joined: Thu Jun 23, 2011 11:49 am
Posts: 33
Location: Tunisia
Certs: CCNP,CCNA-V,MCP
Quote:
The first is Cisco, the second is HP, and the last two are from a company called IP Trade Networks who seem to manufacture IP phones.


These MAC addresses appeared because we previously connected such devices to the switch. But that was long ago.
PostPosted: Wed Jun 06, 2012 8:54 am 
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12486
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
MAC addresses don't just appear out of nowhere. They were there because someone connected a device with those MACs to the network.

_________________
www.mellowd.co.uk/ccie/
PostPosted: Wed Jun 06, 2012 9:40 am 
Post Whore

Joined: Mon Jan 17, 2005 11:01 pm
Posts: 5150
Location: Canada eh
Certs: 350-001, CCNP, CXFF, ITILv3F
The typical age out timer on a layer 2 forwarding table is 5 minutes (Cisco and HP).

_________________
blog.brokennetwork.ca
PostPosted: Wed Jun 06, 2012 10:30 am 
Ultimate Member

Joined: Fri Mar 13, 2009 3:53 pm
Posts: 680
Location: Toronto, ON
Certs: CCNA, CCNA Security, 642-902
Everything happened in just 30 seconds? Connected 4 different devices? Can you post the interface configuration? And is there some type of mirroring?

And the maximum amount of aging time is approx 11 days.