Psecure-violation Error Detected
m4rtntns at gmail, Oct 31, 2014, 7:27 AM, Post #1 of 3 (2455 views)
Permalink: http://www.gossamer-threads.com/lists/cisco/nsp/182260

Under which conditions does port-security consider MAC flap as a security violation?

Hi,

I have the following very simple setup: http://s30.postimg.org/d0t320dsh/port_sec.png

As seen above, a PC with two NICs is connected to a Cisco Catalyst WS-C4506 switch and both NICs on the PC have the same MAC address 00:00:00:00:00:11. Switch port configuration is identical:

interface GigabitEthernet6/41
 switchport access vlan 881
 switchport mode access
 switchport port-security maximum 100
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end
interface GigabitEthernet6/42
 switchport access vlan 881
 switchport mode access
 switchport port-security maximum 100
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
end

As seen above, port-security on the switch ports is enabled. If I send a unicast frame from PC port eth0 to switch port Gi6/42, then the switch will learn the MAC address in its MAC address table and the "Total MAC Addresses" counter in "sh port-security interface Gi6/42" output will increase from 0 to 1. Now when I send a unicast frame from PC port eth1 to switch port Gi6/41, then the switch will not learn the MAC address and the "Total MAC Addresses" counter in "sh port-security interface Gi6/41" output will stay 0. In addition, the "Last Source Address:Vlan" field stays "0000.0000.0000:0". IMHO this is all expected behavior and this is how port-security with the configuration above should work.
However, on a live switch with the very same configuration and HW/SW (WS-X4515 SUP with cat4500-ipbasek9-mz.122-54.SG.bin) as the lab one, I saw a behavior where a duplicate MAC address on two ports with the same port-security configuration as above caused a port-security violation:

Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs 100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs 3072
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found duplicate mac-address 0000.5e00.0103, It is already secured
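The two PSECURE debug lines quoted above carry every counter that port-security consulted when it rejected the address: the per-port, per-VLAN and switch-wide secure-address counts and their limits, followed by the "Found duplicate" line that names the real cause. As an added example (not part of the original post and not Cisco tooling), the following Python parses such lines, pairs the follow-up "Found duplicate" message with its violation, and classifies the rejection from the counters alone. The third log line in the sample is constructed so the parser has a non-violation line to ignore; the VRRP check is an extra enrichment added here, based on the fact that 0000.5e00.01xx is the VRRP virtual router MAC range (RFC 5798).

```python
import re
from dataclasses import dataclass

# Constructed sample: the two PSECURE lines quoted in the post above, plus a third,
# non-violation line invented here so the parser has something to skip.
SAMPLE_LOG = """\
Oct 30 11:33:06.458 UTC: PSECURE: Violation/duplicate detected upon receiving 0000.5e00.0103 on vlan 123: port_num_addrs 0 port_max_addrs 100 vlan_addr_ct 0: vlan_addr_max 100 total_addrs 853: max_total_addrs 3072
Oct 30 11:33:06.458 UTC: PSECURE: psecure_add_addr_check: Found duplicate mac-address 0000.5e00.0103, It is already secured
Oct 30 11:33:07.001 UTC: PSECURE: Adding 0011.2233.4455 to secure table on vlan 123
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

VIOLATION_RE = re.compile(
    r"(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)? \w+): PSECURE: "
    r"Violation/duplicate detected upon receiving (?P<mac>" + MAC + r") on vlan (?P<vlan>\d+): "
    r"port_num_addrs (?P<port_num>\d+) port_max_addrs (?P<port_max>\d+) "
    r"vlan_addr_ct (?P<vlan_ct>\d+): vlan_addr_max (?P<vlan_max>\d+) "
    r"total_addrs (?P<total>\d+): max_total_addrs (?P<total_max>\d+)"
)
DUPLICATE_RE = re.compile(
    r"PSECURE: psecure_add_addr_check: Found duplicate mac-address (?P<mac>" + MAC + r"), It is already secured"
)


@dataclass
class Violation:
    timestamp: str
    mac: str
    vlan: int
    port_num: int    # secure addresses already held by the receiving port
    port_max: int    # 'switchport port-security maximum' on that port
    vlan_ct: int     # secure addresses in this VLAN on the port
    vlan_max: int    # per-VLAN maximum on the port
    total: int       # secure addresses switch-wide
    total_max: int   # platform-wide limit
    duplicate: bool = False  # set when the 'Found duplicate' follow-up line appears

    def reason(self) -> str:
        """Explain the rejection using only what the log line itself reports."""
        if self.duplicate:
            return "duplicate: address already secured on another port"
        if self.port_num >= self.port_max:
            return "port maximum reached"
        if self.vlan_ct >= self.vlan_max:
            return "per-VLAN maximum reached"
        if self.total >= self.total_max:
            return "switch-wide secure address table full"
        return "unknown"


def parse_psecure(log: str) -> list[Violation]:
    """Collect violation lines and attach the 'Found duplicate' follow-up to the matching MAC."""
    violations: list[Violation] = []
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            g = m.groupdict()
            violations.append(Violation(
                timestamp=g["ts"], mac=g["mac"].lower(), vlan=int(g["vlan"]),
                port_num=int(g["port_num"]), port_max=int(g["port_max"]),
                vlan_ct=int(g["vlan_ct"]), vlan_max=int(g["vlan_max"]),
                total=int(g["total"]), total_max=int(g["total_max"]),
            ))
            continue
        d = DUPLICATE_RE.search(line)
        if d:
            # Flag the most recent violation for this MAC that is not yet marked.
            for v in reversed(violations):
                if v.mac == d["mac"].lower() and not v.duplicate:
                    v.duplicate = True
                    break
    return violations


def is_vrrp_virtual_mac(mac: str) -> bool:
    """True for 0000.5e00.01xx, the VRRP virtual router MAC range (RFC 5798)."""
    return mac.lower().startswith("0000.5e00.01")


def summarize(log: str) -> list[str]:
    """One report line per violation, suitable for a ticket or SIEM enrichment."""
    out = []
    for v in parse_psecure(log):
        note = ""
        if is_vrrp_virtual_mac(v.mac):
            note = " (VRRP virtual MAC: may legitimately move between router ports on failover)"
        out.append(f"{v.timestamp} vlan {v.vlan} {v.mac}: {v.reason()}{note}")
    return out


if __name__ == "__main__":
    for report_line in summarize(SAMPLE_LOG):
        print(report_line)
```

Running it on the sample prints a single line showing that neither the port limit (0 of 100) nor the switch-wide limit (853 of 3072) was reached, and that the rejection was the duplicate check, which is the distinction the post is asking about.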
Configuring Port Security

Port security is a Layer 2 (OSI data-link layer) traffic-control feature of Cisco Catalyst switches. It allows only frames with specific source MAC addresses through the switch ports on which it is configured. Its main purpose is to prevent users or attackers from connecting devices to available switch ports. There are well-known cases where connecting an unauthorized device (for example, an access point with its DHCP server enabled) causes network outages.

Enabling Port Security

Port security can be enabled on a port with a single command:

Switch(config)# interface f0/13
Switch(config-if)# switchport port-security

In this example Port Security is enabled on only one port, although in practice it is usually enabled on all user-facing ports. After enabling Port Security, you can view its default settings with the show port-security command:

Switch# show port-security interface f0/13
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Se
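The show port-security interface output above is what an operator reads by hand to find out whether a port has tripped, how close it is to its address limit and which address caused the last violation. As an added example (not part of the tutorial and not Cisco tooling), the following Python parses that output into a dictionary and audits it. Both sample outputs are constructed here: the first reproduces the defaults shown above (with the final line, Security Violation Count, as IOS prints it), the second is invented for a port configured like Gi6/42 in the post further up that has since been err-disabled. The warning threshold of 90% is an assumed value.

```python
# Constructed sample outputs of 'show port-security interface'. The key column is
# padded as IOS prints it; the parser splits on the first ' : ' so that keys and
# values containing ':' (Last Source Address:Vlan, 0000.5e00.0103:123) survive.
DEFAULT_PORT = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Invented here: a port like Gi6/42 in the post, after a violation err-disabled it.
TRIPPED_PORT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 100
Total MAC Addresses        : 97
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.5e00.0103:123
Security Violation Count   : 1
"""


def parse_port_security(text: str) -> dict[str, str]:
    """Turn 'Key : Value' lines into a dict, splitting only on the first ' : '."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue  # prompt line, blank line or anything that is not a field
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def audit_port(fields: dict[str, str], warn_ratio: float = 0.9) -> list[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: list[str] = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security not enabled")
        return findings
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled by a port-security violation")
    count = int(fields.get("Security Violation Count", "0"))
    if count > 0:
        last = fields.get("Last Source Address:Vlan", "")
        findings.append(f"{count} violation(s); last offending address:vlan {last}")
    maximum = int(fields["Maximum MAC Addresses"])
    total = int(fields["Total MAC Addresses"])
    if total >= warn_ratio * maximum:
        findings.append(f"{total}/{maximum} secure addresses in use")
    # With aging off, dynamically learned secure addresses never expire, so a
    # multi-address port accumulates stale entries until it hits its maximum.
    if maximum > 1 and fields.get("Aging Time", "0 mins").startswith("0 "):
        findings.append("aging disabled on a multi-address port; stale entries will count against the maximum")
    return findings


def audit_text(text: str) -> list[str]:
    """Convenience wrapper: parse and audit one command output."""
    return audit_port(parse_port_security(text))


if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_PORT), ("tripped", TRIPPED_PORT)):
        print(name, audit_text(sample) or "ok")
```

On the default output the audit reports nothing; on the tripped port it reports the err-disabled state, the violation with its last source address and VLAN, and that the port is within 10% of its address limit.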