error disable on cisco switch
asked by mikey250
hi, I have set up 3 x cisco 2950 for internal network fault tolerance, ie
- vtp server (primary)
- vtp server (secondary)
- vtp client (access)
my servers are currently located on my vtp server (primary) and my win 7 desktops are located on my vtp client (access switch). my win 7 desktop can log on to my domain no problems.
note: I then decided to set the following on my win 7 cisco 2950 int fa0/4 - for example
switchport port-security
switchport port-security mac-address sticky
the above config is functioning correctly on my win 7 desktop, ie I plugged another pc into the same port and it showed the 'psecure violation occurred'.
issue:
I added the above commands for my 'master dc/ad/dns/dhcp' - but my cisco 2950 is showing 2 x mac-addresses and shutting the port down and continuously showing the 'psecure violation occurred' error again.
question 1. what command do I use to clear the 2nd mac address that I do not recognise, as currently I only have the 3 x cisco 2950 connected and no other machine except for the master dc?
ASKER
hi don,
regarding the 2 addresses, that is why I unplugged all machines except for the 'master dc' and rebooted all switches, but same issue: the 2nd mac address using int fa0/2 still shows, but I did not wait 300 seconds, as I thought the reload would automatically remove the 2nd mac address.
I did not add any macs statically, I used 'sticky' first.
yes I already did:
no switchport port-security mac-address sticky
copy run start
reload
I then added back the config for my master dc:
int fa0/2
switchport port-security mac-address sticky
issue: the 'psecure violation' - still occurred
note: the secondary & access switches are still connected but no machines connected, only the master dc
ASKER
note:
the correct mac address shows via: sh run - @ int fa0/2 - for eg
but when I do show mac-address, this is where it still shows 2 x different macs using the same int fa0/2 & 1 of those macs is actually the correct mac
Post the config and the output of a "show mac-address".
disable port security. Then clear the mac-address table. Wait a couple moments and display the address table and see what addresses are learned on that port.
conf t
int fa0/2
no switchport port-security mac-address xxxx.xxxx.xxxx
shut
no shut
ASKER
hi, I've added the config. apologies for yesterday, my internet went down again, but it's back up so should be ok now.
cisco-switch-config.docx
So it looks like your server has some type of vNIC that has multiple MAC addresses.
If you still want to use port-security, you'll either have to disable that function on the server or set the number of addresses for port-security to 2 with the "switchport port-security max 2" command.
But I'm guessing this is testing or experimentation, right? Since port-security is typically used on ports that go to the desktops to prevent the users from connecting unauthorized equipment to the network, it doesn't make much sense to be doing this on a server connected port.
ASKER
my master dc is a: dell poweredge 1950 which has 2 x ports, but I am only using 1 x port as always.
the default mac address is set to 1
yes it worked on my win 7 desktop, but I thought if a random user unplugged my server, then I would want that port to only allow my server to connect and no other.
not sure what you mean by the below comment, although I assume you mean the nic card on my server, I should access properties and look there, although I only want 1 mac to be detected/allowed on that port, just like my win 7 desktops.
"If you still want to use port-security, you'll either have to disable that function on the server or set the number of addresses for port-security to 2 with the "switchport port-security max 2" command."
"if a random user unplugged my server, then I would want that port to only allow my server to connect and no other."
If your server is in a location where a random user can physically access it, then (IMO) port security is the least of your worries. :-)
"not sure what you mean by the below comment although I assume you mean the nic card on my server I should access properties and look there although I only want 1 mac to be detected/allowed only on that port, just like my win 7 desktops."
I don't know your specific server/NIC combination. I'm just assuming that there is some method to limit the number of MAC addresses that the NIC uses. If not, you'll have to increase the number of MAC addresses that the switchport will allow.
ASKER
yes I agree with your comment below, but if by accident another administrator unplugged a cable for whatever reason, I would like to know! I am not using any VMware and although I have 2 x ports, I only physically have 1 plugged into the server, although I was thinking maybe it's the mac of the actual physical switch port, because as I have cables plugged in to connect the other secondary vtp server for eg it shows a mac address for that port, so I am thinking it might be that, and in which case why do I get that issue, but not on my win 7 desktop..!
"If your server is in a location where a random user can physically access it, then (imo) port security is the least of your worries."
I agree. Since you're not running any VMs there should be only one MAC. But I think that platform has a management feature which is what that second MAC could be for.
I would think that if an admin unplugged a server, you would know about it pretty fast when all the users started screaming. :-)
ASKER
if I configure my win 7 desktop and unplug the cable and plug in another machine, it reacts as expected, 'psecure violation' and shuts down the port, but if I do it for my master dc/ad/dns/dhcp server it does work, so the management feature I am not understanding.
ASKER
my master dc/ad/dns/dhcp server it does ((not)) work I mean.
I am referring to the second MAC address associated with the NIC. I think the Dell PowerEdge servers have a remote management function that uses the NIC. It would have a separate IP and MAC address.
If you want to use port security on the port that this server is connected to, you'll have to set the number of allowed MAC addresses to 2.
ASKER
I added the following:
int fa0/2
switchport port-security maximum 2
I then unplugged my master dc and plugged another machine into int fa0/2 as above, but the port does not close down, so that is not the answer..not sure
Before you unplugged the server, did you check that the port had 2 addresses in the mac address table?
ASKER
yes I checked and the 1st mac address appears on int fa0/2 & moments later another appears with a different mac, also on int fa0/2...this is on my primary root bridge... ie:
0015.c5f2.d417 - this is the mac of my server port as compared via ipconfig /all on the server
0015.c5f2.d41b - this is the other mac, identical except for the last part
if I look at my file server, it only shows 1 mac as expected, also on the same primary root bridge
Okay... Let's do this:
connect the server and verify that it's functioning properly.
then on the switch, issue the following commands and post the output.
show port-security interface fa0/2
show port-security
show mac-address-table
ASKER
I test by logging onto the domain via my win 7 desktop situated on my access switch, which is successful. I've attached the config.
switch-port-security-screenshot.docx
ASKER
this mac is currently showing via:
sh port-security int fa0/2 - although this is not the mac of my server but it is the 2nd mac I should not expect to see:
0015.c5f2.d41b
the correct one is:
0015.c5f2.d417
Can you please post the output directly (use the "code" tag, please). I can't open "doc" files now.
ASKER CERTIFIED SOLUTION
ASKER
ok I will look at those later and will get back to you.
ASKER
hi don, I've got to go get something to eat so will return later, but if you find anything then let me know or I will look tomorrow.
I have just rebooted my master dc and selected 'f2 for the bios' and can only see 2 x gb ports' capability, which also shows the correct mac: 0015.c5f2.d417 - & the 2nd mac is the 2nd nic port I have not used, so it is an empty port ie nothing plugged in, and although my cisco 2950 is set as:
- speed 100
"shows the correct mac: 0015.c5f2.d417 - & the 2nd mac is the 2nd nic port i have not used so it is an empty port ie nothing plugged in"
So are you saying the MAC for the unused NIC is what you're seeing on F0/2?
Your output is a little confusing though. It doesn't show any addresses for f0/2. If you're going to use sticky learning, you have to let the host send some frames so that the switch can add that address to the table.
I suggest configuring port security for the port. Connect the server and then wait a while. Five minutes should be enough but you may as well wait 15 - 30 minutes. But keep checking the mac address table. Once the two addresses have been learned, then you should be all set.
There is another approach: Don't use sticky learning. Manually add the addresses to the table. It doesn't matter how the addresses get added to the table, as long as they are in the table.
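As an added example (not from this thread, Don, or Cisco), here is a small Python script that does the checking Don describes: it parses `show mac-address-table` output, flags ports that have learned more addresses than port-security allows, points out pairs that differ only in the last byte (the 0015.c5f2.d417 / 0015.c5f2.d41b pattern), and emits the static port-security lines for an affected port. The sample table is constructed around the two addresses discussed above, and the per-port maximums are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the 2950 "show mac-address-table" layout; the Fa0/2
# addresses are the ones from this thread, the rest are made up.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0015.c5f2.d417    DYNAMIC     Fa0/2
   1    0015.c5f2.d41b    DYNAMIC     Fa0/2
   1    0015.c5f2.d419    DYNAMIC     Fa0/3
   1    0019.aa12.0001    DYNAMIC     Fa0/4
   1    0019.aa12.0002    DYNAMIC     Fa0/4
"""

MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return {port: [mac, ...]} from show mac-address-table output."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            by_port[port].append(mac.lower())
    return dict(by_port)

def check_limits(by_port, limits):
    """Ports that learned more addresses than their assumed
    'switchport port-security maximum' (the psecure-violation condition)."""
    return {port: by_port.get(port, [])
            for port, maximum in limits.items()
            if len(by_port.get(port, [])) > maximum}

def same_nic_candidates(macs):
    """Pairs differing only in the last byte, the pattern on Fa0/2 in this
    thread (Don's guess: an onboard management controller sharing the NIC)."""
    return [(a, b) for i, a in enumerate(macs) for b in macs[i + 1:]
            if a[:-2] == b[:-2]]

def remediation(port, macs):
    """Static port-security lines pinning every address seen on the port,
    with the maximum raised to match, as Don suggests instead of sticky."""
    lines = [f"interface {port}",
             " switchport port-security",
             f" switchport port-security maximum {len(macs)}"]
    lines += [f" switchport port-security mac-address {m}" for m in macs]
    return lines

if __name__ == "__main__":
    limits = {"Fa0/2": 1, "Fa0/3": 1, "Fa0/4": 1}  # assumed configured maximums
    table = parse_mac_table(MAC_TABLE)
    for port, macs in check_limits(table, limits).items():
        print(f"{port}: {len(macs)} addresses learned, maximum {limits[port]}")
        for a, b in same_nic_candidates(macs):
            print(f"  {a} and {b} differ only in the last byte")
        print("\n".join(remediation(port, macs)))
```

Only pin an address statically after you have confirmed where it comes from; the script reports what the switch learned, it does not decide whether that address belongs there.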
SOLUTION
ASKER
hi don,
task 1
no, the 2nd mac does not match the one on the switch on int fa0/2
the 2 macs of the server are below:
0015.c5f2.d417 - this is the master dc's mac that shows as expected via int fa0/2 on the switch
the actual 2nd port, not used and never been plugged into, is below:
0015.c5f2.d419
0015.c5f2.d41b - the mac in question - I just think it is the mac of the actual physical int fa0/2 port itself, because when I configure 'trunk' for the other connected switches they show mac addresses, so hence my thought process, but the win 7 desktop on the 'access switch' only shows 1 mac, which then confuses me since both 'server and pc' use 'switchport mode access'
I have also just done again:
I have also removed all 'switchport port-security' commands temporarily
then did:
clear mac-address-table dynamic - but the below mac in question shows up, then 0015.c5f2.d417 as expected
0015.c5f2.d41b
same issue
I have stopped using 'sticky' and added 0015.c5f2.d417 manually, but still this mac shows: 0015.c5f2.d41b
task 2
I have now unplugged the original server nic port: 0015.c5f2.d417 & did:
clear mac-address-table dynamic
I then plugged the cable into the 2nd nic port to confirm the mac seen via 'bios' & yes, correct:
0015.c5f2.d419
note: I have now waited over 5 mins and after plugging into the 2nd server nic port: 0015.c5f2.d419 I do not see the following mac, which was the issue when using server nic 1:
0015.c5f2.d41b
unusual
ASKER
I have now removed the cable from the 2nd nic and plugged it back into the 1st nic and the correct mac shows as expected:
0015.c5f2.d417
but also this mac address as stated earlier: 0015.c5f2.d41b
confusing.
SOLUTION
ASKER
hi don, ok I will do this tomorrow, although I did do most of what you say except I only added 'statically' previously:
0015.c5f2.d417
so I will also add 'statically':
0015.c5f2.d41b
question 1. if the above allows me to unplug the master dc and plug a different machine in and I get the expected result, ie 'error-disable' state, then why in this case does mac: 0015.c5f2.d41b show, as it is also on gb port 1 & not gb port 2? or is it a dell thing that I have never noticed before, and if this is true, is the above 'x 2 static mac configs' the correct way?
"why in this case does mac: 0015.c5f2.d41b show as it is also on gb port 1 & not gb port 2"
I would guess that the second gig port would have a different MAC address for management. Or it's possible that remote management is only possible through the gig 1 port.
ASKER
hi don, yes it worked by adding both macs, including the mac that appeared to come from the below server
0015.c5f2.d417
yes the 2nd gb port does have a different mac, ie 0015.c5f2.d419
I have never known a single server nic to show 2 macs, with one mac being for remote management purposes, so I am not sure myself, but I assume it is something like that, but for what purposes I can only assume from a security point of view.
SOLUTION
ASKER
hi akinsd, yes I was reading when I had the chance but did not realise that part, so it did not register in my mind what that meant, if I did read that somewhere within those links you provided.
appreciated.
ASKER
sound advice.
That said, to remove a MAC address for a port (that exists from port security sticky), use the command (in the associated interface config mode):
no switchport port-security mac-address sticky <mac-address>