Error-disable on Cisco switch

Hi, I have set up 3 x Cisco 2950 for internal network fault tolerance, i.e.:

- vtp server (primary)
- vtp server (secondary)
- vtp client (access)

My servers are currently located on my VTP server (primary) and my Win 7 desktops are located on my VTP client (access switch). My Win 7 desktop can log on to my domain with no problems.

Note: I then decided to set the following on my Win 7 Cisco 2950 int fa0/4, for example:

switchport port-security
switchport port-security mac-address sticky

The above config is functioning correctly on my Win 7 desktop, i.e. I plugged another PC into the same port and it showed the 'psecure violation occurred' message.

Issue:

I added the above commands for my 'master DC/AD/DNS/DHCP', but my Cisco 2950 is showing 2 x MAC addresses, shutting the port down and continuously showing the 'psecure violation occurred' error again.

Question 1. What command do I use to clear the 2nd MAC address that I do not recognise, as currently I only have the 3 x Cisco 2950 connected and no other machine except for the master DC?
mikey250Asked:
Don JohnstonInstructorCommented:
The first thing that I would want to find out is why there are two addresses associated with that one port. MAC addresses (without port-security enabled) will only stay in the table for 300 seconds.  So unless an address was statically assigned previously, there shouldn't be two addresses in the table.

That said, to remove a MAC address for a port (that exists from port security sticky), use the command (in the associated interface config mode):
no switchport port-security mac-address sticky <mac-address>
0
mikey250Author Commented:
Hi Don,

Regarding the 2 addresses, that is why I unplugged all machines except for the 'master DC' and rebooted all switches, but same issue: the 2nd MAC address using int fa0/2 still shows. But I did not wait 300 seconds, as I thought the reload would automatically remove the 2nd MAC address.

I did not add any MACs statically; I used 'sticky' first.

Yes, I already did:

no switchport port-security mac-address sticky

copy run start
reload

I then added back the config for my master DC:

int fa0/2
switchport port-security mac-address sticky

Issue: the 'psecure violation' still occurred.

Note: the secondary & access switches are still connected but with no machines connected, only the master DC.
0
mikey250Author Commented:
Note:

The correct MAC address shows via 'sh run' at int fa0/2, for example.

But when I do 'show mac-address', this is where it still shows 2 x different MACs using the same int fa0/2, & 1 of those MACs is actually the correct MAC.
0
Don JohnstonInstructorCommented:
Post the config and the output of a "show mac-address".
0
Don JohnstonInstructorCommented:
Disable port security. Then clear the MAC address table. Wait a couple of moments, then display the address table and see what addresses are learned on that port.
0
AkinsdNetwork AdministratorCommented:
conf t
int fa0/2
no switchport port-security mac-address xxxx.xxxx.xxxx
shut
no shut
0
mikey250Author Commented:
Hi, I've added the config. Apologies for yesterday, my internet went down again, but it's back up so should be OK now.
cisco-switch-config.docx
0
Don JohnstonInstructorCommented:
So it looks like your server has some type of vNIC that has multiple MAC addresses.

If you still want to use port-security, you'll either have to disable that function on the server or set the number of addresses for port-security to 2 with the "switchport port-security max 2" command.

But I'm guessing this is testing or experimentation, right? Since port-security is typically used on ports that go to the desktops to prevent the users from connecting unauthorized equipment to the network, it doesn't make much sense to be doing this on a server connected port.
0
mikey250Author Commented:
My master DC is a Dell PowerEdge 1950 which has 2 x ports, but I am only using 1 port, as always.

The default MAC address is set to 1.

Yes, it worked on my Win 7 desktop, but I thought if a random user unplugged my server, then I would want that port to only allow my server to connect and no other.

Not sure what you mean by the below comment, although I assume you mean the NIC card on my server: I should access properties and look there, although I only want 1 MAC to be detected/allowed on that port, just like my Win 7 desktops.

"If you still want to use port-security, you'll either have to disable that function on the server or set the number of addresses for port-security to 2 with the "switchport port-security max 2" command."
0
Don JohnstonInstructorCommented:
if a random user unplugged my server, then I would want that port to only allow my server to connect and no other.
If your server is in a location where a random user can physically access it, then (IMO) port security is the least of your worries. :-)
not sure what you mean by the below comment although I assume you mean the nic card on my server I should access properties and look there although I only want 1 mac to be detected/allowed only on that port, just like my win 7 desktops.
I don't know your specific server/NIC combination. I'm just assuming that there is some method to limit the number of MAC addresses that the NIC uses. If not, you'll have to increase the number of MAC addresses that the switchport will allow.
0
mikey250Author Commented:
Yes, I agree with your comment below, but if by accident another administrator unplugged a cable for whatever reason, I would like to know! I am not using any VMware, and although I have 2 x ports, I only physically have 1 plugged into the server. Although I was thinking maybe it's the MAC of the actual physical switch port, because as I have cables plugged in to connect the other secondary VTP server, for example, it shows a MAC address for that port, so I am thinking it might be that, and in which case why do I get that issue, but not on my Win 7 desktop?

"If your server is in a location where a random user can physically access it, then (imo) port security is the least of your worries."
0
Don JohnstonInstructorCommented:
I agree. Since you're not running any VMs there should be only one MAC. But I think that platform has a management feature, which is what that second MAC could be for.

I would think that if an admin unplugged a server, you would know about it pretty fast when all the users started screaming. :-)
0
mikey250Author Commented:
If I configure my Win 7 desktop and unplug the cable and plug in another machine, it reacts as expected ('psecure violation' and shutdown port), but if I do it for my master DC/AD/DNS/DHCP server it does work, so the management feature I am not understanding.
0
mikey250Author Commented:
My master DC/AD/DNS/DHCP server it does ((not)) work, I mean.
0
Don JohnstonInstructorCommented:
I am referring to the second MAC address associated with the NIC.  I think the Dell PowerEdge servers have a remote management function that uses the NIC.  It would have a separate IP and MAC address.

If you want to use port security on the port that this server is connected to, you'll have to set the number of allowed MAC addresses to 2.
0
mikey250Author Commented:
I added the following:

int fa0/2
switchport port-security maximum 2

I then unplugged my master DC and plugged another machine into int fa0/2 as above, but the port does not close down, so that is not the answer. Not sure.
0
Don JohnstonInstructorCommented:
Before you unplugged the server, did you check that the port had 2 addresses in the mac address table?
0
mikey250Author Commented:
Yes, I checked and first one MAC address appears on int fa0/2 & moments later another appears with a different MAC, also on int fa0/2. This is on my primary root bridge, i.e.:

0015.c5f2.d417 - this is the MAC of my server port as compared via ipconfig /all on the server
0015.c5f2.d41b - this is the other MAC, identical except for the last part

If I look at my file server, it only shows 1 MAC as expected, also on the same primary root bridge.
0
Don JohnstonInstructorCommented:
Okay... Let's do this:

Connect the server and verify that it's functioning properly.

Then on the switch, issue the following commands and post the output.

show port-security interface fa0/2
show port-security
show mac-address-table
0
mikey250Author Commented:
I test by logging onto the domain via my Win 7 desktop situated on my access switch, which is successful. I've attached the config.
switch-port-security-screenshot.docx
0
mikey250Author Commented:
This MAC is currently showing via:

sh port-security int fa0/2 - although this is not the MAC of my server, but it is the 2nd MAC I should not expect to see:

0015.c5f2.d41b

The correct one is:

0015.c5f2.d417
0
Don JohnstonInstructorCommented:
Can you please post the output directly (use the "code" tag, please). I can't open "doc" files now.
0
AkinsdNetwork AdministratorCommented:
Take a look at the links below.
There are guides on how to access the DRAC and view the embedded MAC address. You may find the mysterious MAC address you are concerned with.

http://web.mit.edu/cron/documentation/dell-server-admin/en/idrac1/chap02.htm

http://blog.yo61.com/mac-addresses-of-embedded-nics-on-dell-servers-through-drac/

http://web.mit.edu/cron/documentation/dell-server-admin/en/idrac1/chap05.htm#wp73400
0
mikey250Author Commented:
OK, I will look at those later and will get back to you.
0
mikey250Author Commented:
Hi Don, I've got to go get something to eat so will return later, but if you find anything then let me know or I will look tomorrow.

I have just rebooted my master DC and selected 'F2 for the BIOS' and can only see 2 x GB ports' capability, which also shows the correct MAC: 0015.c5f2.d417, & the 2nd MAC is the 2nd NIC port I have not used, so it is an empty port, i.e. nothing plugged in, and although my Cisco 2950 is set as:

- speed 100
0
Don JohnstonInstructorCommented:
shows the correct mac:  0015.c5f2.d417  - & the 2nd mac is the 2nd nic port i have not used so it is an empty port ie nothing plugged in
So are you saying the MAC for the unused NIC is what you're seeing on F0/2?

Your output is a little confusing though. It doesn't show any addresses for f0/2.  If you're going to use sticky learning, you have to let the host send some frames so that the switch can add that address to the table.

I suggest configuring port security for the port.  Connect the server and then wait a while. Five minutes should be enough but you may as well wait 15 - 30 minutes.  But keep checking the mac address table.  Once the two addresses have been learned, then you should be all set.

There is another approach: Don't use sticky learning.  Manually add the addresses to the table.  It doesn't matter how the addresses get added to the table, as long as they are in the table.
0
AkinsdNetwork AdministratorCommented:
OK, this makes more sense now.
The 2nd MAC is the 2nd NIC, which is not currently plugged in but appears in the list because it was plugged in at some point.

Clear the MAC address table and reboot (the reboot is not really necessary, but just to ensure all addresses are flushed).
To clear, issue this command in privileged mode:
clear mac-address-table dynamic
The switch will re-learn the MAC addresses again.
Run 'show mac address-table' afterwards.
0
mikey250Author Commented:
Hi Don,

Task 1

No, the 2nd MAC does not match the one on the switch on int fa0/2.

The 2 MACs of the server are below:

0015.c5f2.d417 - this is the master DC's MAC that shows as expected via int fa0/2 on the switch

The actual 2nd port, not used and never plugged in, is below:

0015.c5f2.d419

0015.c5f2.d41b - the MAC in question. I just think it is the MAC of the actual physical int fa0/2 port itself, because when I configure 'trunk' for the other connected switches they show MAC addresses, so hence my thought process, but the Win 7 desktop on the 'access switch' only shows 1 MAC, which then confuses me since both 'server and PC' use 'switchport mode access'.

I have also just done again:

I have also removed all 'switchport port-security' commands temporarily.

Then did:

clear mac-address-table dynamic - but the below MAC in question shows up, then 0015.c5f2.d417 as expected:

0015.c5f2.d41b

Same issue.

I have stopped using 'sticky' and added 0015.c5f2.d417 manually, but still this MAC shows: 0015.c5f2.d41b

Task 2

I have now unplugged the original server NIC port (0015.c5f2.d417) & did:

clear mac-address-table dynamic

I then plugged the cable into the 2nd NIC port to confirm the MAC seen via 'BIOS' & yes, correct:

0015.c5f2.d419

Note: I have now waited over 5 mins and after plugging into the 2nd server NIC port (0015.c5f2.d419) I do not see the following MAC, which was the issue when using server NIC 1:

0015.c5f2.d41b

Unusual.
0
mikey250Author Commented:
I have now removed the cable from the 2nd NIC and plugged it back into the 1st NIC, and the correct MAC shows as expected:

0015.c5f2.d417

But also this MAC address, as stated earlier: 0015.c5f2.d41b

Confusing.
0
Don JohnstonInstructorCommented:
i just think it is the mac of the actual physical int fa0/2 port itself
That is not correct. The OUI of that MAC identifies it as a Dell MAC address. I still believe that it is used for management traffic.

I think that the issue is getting unnecessarily confused.

1) Unplug the cable from F0/2.
2) Enable port security.
3) Either enable sticky learning OR statically define the TWO addresses: 0015.c5f2.d417 and 0015.c5f2.d41b.
4) Connect the server to port f0/2.
5) Verify the two addresses are in the MAC address table.
6) Disconnect the server from port f0/2.
7) Connect a different computer to port f0/2.
8) The port should go error-disable.
0
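An added check, not part of the thread or of Cisco's tooling, that covers the procedure above and the sticky-versus-static choice: it parses `show mac address-table` output, flags access ports that have learned more MACs than their port-security maximum, and emits the static-address config for a flagged port. The table text is constructed (the two Dell addresses on Fa0/2 are the thread's; the other ports and a trunk are made up).

```python
"""Added example: parse Cisco 'show mac address-table' output, compare learned
MACs per access port with the port-security maximum, and emit the static
address config for a port that needs two.  Sample output is constructed."""
import re
from collections import defaultdict

# Constructed 2950-style output: Fa0/2 carries the thread's two Dell addresses,
# Fa0/4 a single desktop, Fa0/23 a trunk to another switch.
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0015.c5f2.d417    DYNAMIC     Fa0/2
   1    0015.c5f2.d41b    DYNAMIC     Fa0/2
   1    00aa.bbcc.0001    DYNAMIC     Fa0/4
   1    0011.2233.4455    DYNAMIC     Fa0/23
   1    0011.2233.4466    DYNAMIC     Fa0/23
Total Mac Addresses for this criterion: 5
"""

# One table row: VLAN, dotted MAC, type, port.  Header/total lines do not match.
MAC_ROW = re.compile(r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                     r"\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

def parse_mac_table(text):
    """Return {port: [(mac, type), ...]} for every row of the table."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            _vlan, mac, mtype, port = m.groups()
            ports[port].append((mac.lower(), mtype.upper()))
    return dict(ports)

def check_port_security(ports, maximums, default_max=1, uplinks=()):
    """Flag access ports with more learned MACs than port-security allows.
    Uplinks are skipped (trunks legitimately carry many addresses).  same_oui
    means every address shares the 24-bit vendor prefix, which points at one
    host with an extra (e.g. management) MAC rather than a second device."""
    findings = []
    for port, entries in sorted(ports.items()):
        macs = [mac for mac, _ in entries]
        limit = maximums.get(port, default_max)
        if port not in uplinks and len(macs) > limit:
            findings.append({"port": port, "macs": macs, "limit": limit,
                             "same_oui": len({m[:7] for m in macs}) == 1})
    return findings

def static_port_security(finding):
    """IOS lines permitting exactly the observed addresses (static, not sticky)."""
    cmds = [f"interface {finding['port']}", "switchport port-security",
            f"switchport port-security maximum {len(finding['macs'])}"]
    cmds += [f"switchport port-security mac-address {m}" for m in finding["macs"]]
    return cmds
```

Paste the real `show mac address-table` output in place of the constructed string; the emitted lines are the static alternative to sticky learning from step 3 above.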
mikey250Author Commented:
Hi Don, OK, I will do this tomorrow, although I did do most of what you say, except I only added 'statically' previously:

0015.c5f2.d417

so I will also add 'statically':

0015.c5f2.d41b

Question 1. If the above allows me to unplug the master DC and plug a different machine in and I get the expected result, i.e. 'error-disable' state, then why in this case does MAC 0015.c5f2.d41b show, as it is also on GB port 1 & not GB port 2? Or is it a Dell thing that I have never noticed before, and if this is true, is the above '2 x static MAC configs' the correct way?
0
Don JohnstonInstructorCommented:
why in this case does mac: 0015.c5f2.d41b show as it is also on gb port 1 & not gb port 2
I would guess that the second gig port would have a different MAC address for management.  Or it's possible that remote management is only possible through the gig 1 port.
0
mikey250Author Commented:
Hi Don, yes, it worked by adding both MACs, including the MAC that appeared to come from the below server:

0015.c5f2.d417

Yes, the 2nd GB MAC does have a different MAC, i.e. 0015.c5f2.d419

I have never known a server single NIC to show 2 MACs, with one MAC being for remote management purposes, so I am not sure myself, but I assume it is something like that, but for what purposes I can only assume from a security point of view.
0
AkinsdNetwork AdministratorCommented:
See the links I provided in my previous post above. That's what Don has been trying to explain also. Dell uses DRAC (Dell Remote Access Controller) for remote management. When left enabled, a virtual MAC address is used for layer 2 communication to separate remote management traffic from normal traffic while maximizing resources. Virtual MACs are commonly used, e.g. Cisco HSRP, GLBP or VRRP. HP servers use dedicated NICs (iLO) for remote management. The NIC sits idle most of the time and is more like a waste. Dell uses DRAC to overcome the redundant NIC. Some dedicated management NICs never even get used at all, which makes them a total waste of resource when they could be used for something else.

http://en.wikipedia.org/wiki/Dell_DRAC
0
mikey250Author Commented:
Hi Akinsd, yes, I was reading when I had the chance but did not realise that part, so it did not register in my mind what that meant, if I did read that somewhere within those links you provided.

Appreciated.
0
mikey250Author Commented:
Sound advice.
0