Solved

error disable on cisco switch

Posted on 2014-07-26
506 Views
Last Modified: 2014-08-03
hi, I have set up 3 x cisco 2950 for internal network fault tolerance, ie:

- vtp server (primary)
- vtp server (secondary)
- vtp client (access)

my servers are currently located on my vtp server (primary) and my win 7 desktops are located on my vtp client (access switch). my win 7 desktop can log on to my domain no problem.

note: I then decided to set the following on my win 7 cisco 2950 int fa0/4 - for example

switchport port-security
switchport port-security mac-address sticky

the above config is functioning correctly on my win 7 desktop, ie I plugged another pc into the same port and it showed the 'psecure violation occurred'.

issue:

I added the above command for my 'master dc/ad/dns/dhcp' - but my cisco 2950 is showing 2 x mac-addresses, shutting the port down and continuously showing the 'psecure violation occurred' error again.

question 1. what command do I use to clear the 2nd mac address that I do not recognise, as currently I only have the 3 x cisco 2950 connected and no other machine except for the master dc?
0
Question by:mikey250
36 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40221346
The first thing that I would want to find out is why there are two addresses associated with that one port. MAC addresses (without port-security enabled) will only stay in the table for 300 seconds.  So unless an address was statically assigned previously, there shouldn't be two addresses in the table.

That said, to remove a MAC address for a port (that exists from port security sticky), use the command (in the associated interface config mode), where H.H.H is the address to remove:
no switchport port-security mac-address sticky H.H.H
0
 

Author Comment

by:mikey250
ID: 40221368
hi don,

regarding the 2 addresses, that is why I unplugged all machines except for the 'master dc' and rebooted all switches, but same issue: the 2nd mac address using int fa0/2 still shows. I did not wait 300 seconds, as I thought the reload would automatically remove the 2nd mac address.

I did not add any mac's statically, I used 'sticky' first.

yes I already did:

no switchport port-security mac-address sticky

copy run start
reload

I then added back the config for my master dc:

int fa0/2
switchport port-security mac-address sticky

issue:  the 'psecure violation' - still occurred

note: the secondary & access switches are still connected but no machines connected, only the master dc
0
 

Author Comment

by:mikey250
ID: 40221369
note:

the correct mac address shows via: sh run - @ int fa0/2 - for eg

but when I do show mac-address, this is where it still shows 2 x different macs using the same int fa0/2, & 1 of those macs is actually the correct mac
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40221370
Post the config and the output of a "show mac-address".
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40221373
Disable port security. Then clear the mac-address table. Wait a couple of moments, display the address table and see what addresses are learned on that port.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40221600
conf t
int fa0/2
no switchport port-security mac-address xxxx.xxxx.xxxx
shut
no shut
0
 

Author Comment

by:mikey250
ID: 40222403
hi, I've added the config. apologies for yesterday, my internet went down again, but it is back up so should be ok now.
cisco-switch-config.docx
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40222438
So it looks like your server has some type of vNIC that has multiple MAC addresses.

If you still want to use port-security, you'll either have to disable that function on the server or set the number of addresses for port-security to 2 with the "switchport port-security max 2" command.

But I'm guessing this is testing or experimentation, right? Since port-security is typically used on ports that go to the desktops to prevent the users from connecting unauthorized equipment to the network, it doesn't make much sense to be doing this on a server connected port.
0
 

Author Comment

by:mikey250
ID: 40222450
my master dc is a: dell poweredge 1950 which has 2 x ports, but I am only using x 1 port as always.

the default mac address is set to 1

yes it worked on my win 7 desktop, but I thought if a random user unplugged my server, then I would want that port to only allow my server to connect and no other.

not sure what you mean by the below comment, although I assume you mean the nic card on my server: I should access properties and look there, although I only want 1 mac to be detected/allowed on that port, just like my win 7 desktops.

"If you still want to use port-security, you'll either have to disable that function on the server or set the number of addresses for port-security to 2 with the "switchport port-security max 2" command."
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40222483
if a random user unplugged my server, then I would want that port to only allow my server to connect and no other.
If your server is in a location where a random user can physically access it, then (IMO) port security is the least of your worries. :-)
not sure what you mean by the below comment although I assume you mean the nic card on my server I should access properties and look there although I only want 1 mac to be detected/allowed only on that port, just like my win 7 desktops.
I don't know your specific server/NIC combination. I'm just assuming that there is some method to limit the number of MAC addresses that the NIC uses. If not, you'll have to increase the number of MAC addresses that the switchport will allow.
0
 

Author Comment

by:mikey250
ID: 40222504
yes I agree with your comment below, but if by accident another administrator unplugged a cable for whatever reason, I would like to know! I am not using any VMware and although I have 2 x ports, I only physically have 1 plugged into the server. Although I was thinking maybe it's the mac of the actual physical switch port, because as I have cables plugged in to connect the other secondary vtp server, for eg, it shows a mac address for that port, so I am thinking it might be that, and in which case why do I get that issue but not on my win 7 desktop!

"If your server is in a location where a random user can physically access it, then (imo) port security is the least of your worries."
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40222519
I agree. Since you're not running any VMs there should be only one MAC. But I think that platform has a management feature, which is what that second MAC could be for.

I would think that if an admin unplugged a server, you would know about it pretty fast when all the users started screaming. :-)
0
 

Author Comment

by:mikey250
ID: 40222532
if I configure my win 7 desktop and unplug the cable and plug in another machine, it reacts as expected: 'psecure violation' and shutdown port. But if I do it for my master dc/ad/dns/dhcp server it does work, so the management feature I am not understanding.
0
 

Author Comment

by:mikey250
ID: 40222533
my master dc/ad/dns/dhcp server, it does ((not)) work, I mean.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40222549
I am referring to the second MAC address associated with the NIC.  I think the Dell PowerEdge servers have a remote management function that uses the NIC.  It would have a separate IP and MAC address.

If you want to use port security on the port that this server is connected to, you'll have to set the number of allowed MAC addresses to 2.
0
 

Author Comment

by:mikey250
ID: 40222561
I added the following:

int fa0/2
switchport port-security maximum 2

I then unplugged my master dc and plugged another machine into int fa0/2 as above, but the port does not close down, so that is not the answer. not sure
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40222569
Before you unplugged the server, did you check that the port had 2 addresses in the mac address table?
0
 

Author Comment

by:mikey250
ID: 40222579
yes, I checked, and the 1st mac address appears on int fa0/2 & moments later another appears with a different mac, also on int fa0/2. this is on my primary root bridge, ie:

0015.c5f2.d417 - this is the mac of my server port as compared via ipconfig /all on server
0015.c5f2.d41b - this is the other mac identical except for last part

if I look at my file server, it only shows 1 mac as expected, also on the same primary root bridge
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40222583
Okay... Let's do this:

Connect the server and verify that it's functioning properly.

Then on the switch, issue the following commands and post the output.

show port-security interface fa0/2
show port-security
show mac-address table
0
 

Author Comment

by:mikey250
ID: 40222594
I test by logging onto the domain via my win 7 desktop situated on my access switch, which is successful. I've attached the config.
switch-port-security-screenshot.docx
0
 

Author Comment

by:mikey250
ID: 40222595
this mac is currently showing via:

sh port-security int fa0/2 - although this is not the mac of my server but it is the 2nd mac I should not expect to see:

0015.c5f2.d41b

the correct one is:

0015.c5f2.d417
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40222611
Can you please post the output directly (use the "code" tag, please). I can't open "doc" files now.
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 375 total points
ID: 40222612
Take a look at the links below.
There are guides on how to access the DRAC and view the embedded MAC address. You may find the mysterious MAC address you are concerned with.

http://web.mit.edu/cron/documentation/dell-server-admin/en/idrac1/chap02.htm

http://blog.yo61.com/mac-addresses-of-embedded-nics-on-dell-servers-through-drac/

http://web.mit.edu/cron/documentation/dell-server-admin/en/idrac1/chap05.htm#wp73400
0
 

Author Comment

by:mikey250
ID: 40222621
ok, I will look at those later and will get back to you.
0
 

Author Comment

by:mikey250
ID: 40222628
hi don, I've got to go get something to eat so will return later, but if you find anything then let me know or I will look tomorrow.

I have just rebooted my master dc and selected 'f2 for the bios' and can only see the 2 x gb ports' capability, which also shows the correct mac: 0015.c5f2.d417 - & the 2nd mac is the 2nd nic port I have not used, so it is an empty port, ie nothing plugged in, and although my cisco 2950 is set as:

- speed 100
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40223045
shows the correct mac:  0015.c5f2.d417  - & the 2nd mac is the 2nd nic port i have not used so it is an empty port ie nothing plugged in
So are you saying the MAC for the unused NIC is what you're seeing on F0/2?

Your output is a little confusing though. It doesn't show any addresses for f0/2. If you're going to use sticky learning, you have to let the host send some frames so that the switch can add that address to the table.

I suggest configuring port security for the port.  Connect the server and then wait a while. Five minutes should be enough but you may as well wait 15 - 30 minutes.  But keep checking the mac address table.  Once the two addresses have been learned, then you should be all set.

There is another approach: Don't use sticky learning.  Manually add the addresses to the table.  It doesn't matter how the addresses get added to the table, as long as they are in the table.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 375 total points
ID: 40223330
Ok, this makes more sense now.
The 2nd MAC is the 2nd NIC which is not currently plugged in but appears in the list because it was plugged in at some point.

Clear the MAC address table and reboot (the reboot is not really necessary, but just to ensure all addresses are flushed).
To clear, issue this command in privileged mode:
clear mac-address-table dynamic
The switch will re-learn the mac addresses again.
Run show mac address-table afterwards.
0
 

Author Comment

by:mikey250
ID: 40226859
hi don,

task 1

no, the 2nd mac does not match the one on the switch on int fa0/2

the 2 macs of the server are below:

0015.c5f2.d417 - this is the master dc's mac that shows as expected via int fa0/2 switch

the actual 2nd port not used and never been plugged into is below:

0015.c5f2.d419

0015.c5f2.d41b - the mac in question. I just think it is the mac of the actual physical int fa0/2 port itself, because when I configure 'trunk' for the other connected switches they show mac addresses, so hence my thought process, but the win 7 desktop on the 'access switch' only shows 1 mac, which then confuses me since both 'server and pc' use 'switchport mode access'

I have also just done again:

I have also removed all 'switchport port-security' commands temporarily

then did:

clear mac-address-table dynamic - but the below mac in question shows up, then 0015.c5f2.d417 as expected

0015.c5f2.d41b

same issue

I have stopped using 'sticky' and added 0015.c5f2.d417 manually, but still this mac shows: 0015.c5f2.d41b

task 2

I have now unplugged the original server nic port: 0015.c5f2.d417 & did:

clear mac-address-table dynamic

I then plugged the cable into the 2nd nic port to confirm the mac seen via 'bios' & yes, correct:

0015.c5f2.d419

note: I have now waited over 5 mins and after plugging into the 2nd server nic port, 0015.c5f2.d419, I do not see the following mac, which was the issue when using server nic 1:

0015.c5f2.d41b
 
unusual
0
 

Author Comment

by:mikey250
ID: 40227340
I have now removed the cable from the 2nd nic and plugged it back into the 1st nic, and the correct mac shows as expected:

0015.c5f2.d417

but also this mac address as stated earlier: 0015.c5f2.d41b

confusing.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 125 total points
ID: 40227766
i just think it is the mac of the actual physical int fa0/2 port itself
That is not correct. The OUI of that MAC identifies it as a Dell MAC address. I still believe that it is used for management traffic.

I think that the issue is getting unnecessarily confused.

1) Unplug the cable from F0/2.
2) Enable port security.
3) Either enable sticky learning OR statically define the TWO addresses: 0015.c5f2.d417 and 0015.c5f2.d41b.
4) Connect the server to port f0/2
5) Verify the two addresses are in the MAC address table.
6) Disconnect the server from port f0/2
7) Connect a different computer to port f0/2.
8) The port should go error-disable.
0
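The two recurring tasks in this thread are checking how many addresses the switch has actually learned on a port (Don's "verify the two addresses are in the MAC address table", Akinsd's clear-and-re-learn) and then pinning the port to exactly those addresses. The following script is an added example, not code from anyone in this thread or from Cisco; it parses constructed `show mac-address-table` output in the Catalyst 2950 layout, flags ports whose learned count exceeds the port-security maximum you intend to set, notes whether the addresses share one vendor block (the 00-15-C5 OUI is Dell's, as Don points out), and prints the static port-security lines for the server port. The sample table, the `max_per_port` dict and the function names are assumptions for the example.

```python
"""Audit 'show mac-address-table' output against intended port-security
limits and emit static port-security config for a port.
Added example; the sample switch output below is constructed."""
import re
from collections import defaultdict

# Constructed sample in Catalyst 2950 'show mac-address-table' layout.
# Fa0/2 is the Dell server showing NIC + second address (the thread's
# symptom); Fa0/24 stands in for the trunk to the secondary switch.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0015.c5f2.d417    DYNAMIC     Fa0/2
   1    0015.c5f2.d41b    DYNAMIC     Fa0/2
   1    0011.2233.4455    DYNAMIC     Fa0/4
   1    000c.2900.aabb    DYNAMIC     Fa0/24
   1    000c.2900.aabc    DYNAMIC     Fa0/24
"""

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

# OUI -> vendor. 00-15-C5 is registered to Dell; extend as needed.
OUI_VENDOR = {"0015c5": "Dell"}


def parse_mac_table(text):
    """Return {port: [(mac, type), ...]} from 'show mac-address-table'."""
    per_port = defaultdict(list)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            per_port[m["port"]].append((m["mac"].lower(), m["type"].upper()))
    return dict(per_port)


def oui_vendor(mac):
    """Vendor name for the first 3 octets of a dotted-hex MAC."""
    return OUI_VENDOR.get(mac.replace(".", "")[:6], "unknown")


def same_nic_family(macs):
    """True if all MACs share the first 10 hex digits, i.e. sit in one
    small vendor block (consistent with one chassis owning all of them)."""
    return len({m.replace(".", "")[:10] for m in macs}) == 1


def audit(per_port, max_per_port, default_max=1):
    """List ports whose learned address count exceeds the intended
    port-security maximum (default 1, as on the desktop ports)."""
    findings = []
    for port, entries in sorted(per_port.items()):
        limit = max_per_port.get(port, default_max)
        macs = [mac for mac, _ in entries]
        if len(macs) > limit:
            findings.append({"port": port, "count": len(macs), "max": limit,
                             "macs": macs, "vendor": oui_vendor(macs[0]),
                             "same_chassis": same_nic_family(macs)})
    return findings


def static_port_security_config(port, macs):
    """Interface lines for Don's non-sticky approach: a fixed maximum and
    one static entry per expected address, violation mode shutdown."""
    lines = [f"interface {port}",
             " switchport mode access",
             " switchport port-security",
             f" switchport port-security maximum {len(macs)}",
             " switchport port-security violation shutdown"]
    lines += [f" switchport port-security mac-address {m}" for m in macs]
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    # Trunk/uplink ports legitimately carry many addresses; exempt them.
    for finding in audit(table, {"Fa0/24": 50}):
        print(finding)
    print(static_port_security_config("Fa0/2", [m for m, _ in table["Fa0/2"]]))
```

Run it after the server has been connected long enough to send traffic (Don's point about sticky learning applies equally here: an address that has not been seen cannot be in the table). A finding whose addresses share one vendor block is the pattern this thread ended on, a second address belonging to the same chassis, and is a reason to set the maximum to the observed count rather than to keep clearing the table; a finding with mixed vendors on an access port is the case port security is meant to catch.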
 

Author Comment

by:mikey250
ID: 40233769
hi don, ok, I will do this tomorrow, although I did do most of what you say, except I only added 'statically' previously:

0015.c5f2.d417

so I will also add 'statically':

0015.c5f2.d41b

question 1. if the above allows me to unplug the master dc and plug a different machine in and I get the expected result, ie 'error-disable' state, then why in this case does mac 0015.c5f2.d41b show, as it is also on gb port 1 & not gb port 2? or is it a dell thing that I have never noticed before, and if this is true, is the above 'x 2 static mac configs' the correct way?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40233962
why in this case does mac: 0015.c5f2.d41b show as it is also on gb port 1 & not gb port 2
I would guess that the second gig port would have a different MAC address for management.  Or it's possible that remote management is only possible through the gig 1 port.
0
 

Author Comment

by:mikey250
ID: 40237186
hi don, yes, it worked by adding both macs, including the mac that appeared to come from the below server

0015.c5f2.d417

yes the 2nd gb mac does have a different mac ie  0015.c5f2.d419

I have never known a server single nic to show 2 macs, with one mac being for remote management purposes, so I am not sure myself, but I assume it is something like that, though for what purposes I can only assume from a security point of view.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 375 total points
ID: 40237193
See the links I provided in the previous post above. That's what Don has been trying to explain also. Dell uses DRAC (Dell Remote Access Controller) for remote management. When left enabled, a virtual mac address is used for layer 2 communication to separate remote management traffic from normal traffic while maximizing resources. Virtual MACs are commonly used, eg Cisco HSRP, GLBP or VRRP. HP servers use dedicated NICs (iLO) for remote management. The NIC sits idle most of the time and is more like a waste. Dell uses DRAC to overcome the redundant NIC. Some dedicated management NICs never even get used at all, which makes them a total waste of resource when they could be used for something else.

http://en.wikipedia.org/wiki/Dell_DRAC
0
 

Author Comment

by:mikey250
ID: 40237204
hi akinsd, yes, I was reading when I had the chance but did not realise that part, so it did not register in my mind what that meant, if I did read that somewhere within those links you provided.

appreciated.
0
 

Author Closing Comment

by:mikey250
ID: 40237206
sound advice.
0
