
Cisco 6509 802.1x issues


leedsit

Technical User
Nov 25, 2004
364
GB
Hi,

Have an issue that's really baffling me. After some office moves we had some ports in err-disabled state (dot1x-security-violation err-disabled; we have no port security enabled).

I naturally shut and no shut the interface, which would come up and then disable itself again (within seconds). Looking at the dot1x stats/logs, the port authenticates OK, but then goes down because a NEW MAC appears at the end of that port!!! However, there is only one workstation plugged in directly.

Interestingly enough, if I change the dot1x settings on that port to a perm authorized state and re-enable the port, it comes up fine as expected; however, looking at the MAC table for that port, there are TWO MACs. One dynamic (learnt as switches do) and another that's a static entry!!! But... there are no static MACs configured on the switch.

I have gone through the config and there are definitely no static MACs set, and I cannot remove them from the MAC table. This is really looking buggy to me; however, I was wondering if anyone had experienced this before.

Thanks, Lee.

LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
 
Extra information from one of the switches

show log
2w1d: %SYS-5-CONFIG_I: Configured from console by xxxx onvty0 (xxxxxx)
2w1d: %DOT1X-SP-5-SECURITY_VIOLATION: Security violation on interface GigabitEthernet4/4, New MAC address 0019.b93a.fdfa is seen on the interface in Single host mode
2w1d: %PM-SP-4-ERR_DISABLE: security-violation error detected on Gi4/4, putting Gi4/4 in err-disable state
2w1d: %PM-SP-STDBY-4-ERR_DISABLE: security-violation error detected on Gi4/4, putting Gi4/4 in err-disable state
2w1d: %SYS-5-CONFIG_I: Configured from console by xxxxxxxx onvty1 (xxxxxxxxxx))


xxxxxxx#show dot1x statistics interface gig 4/4
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 1 TxReq = 0 TxTotal = 1
RxStart = 0 RxLogoff = 0 RxRespId = 0 RxResp = 0
RxInvalid = 0 RxLenErr = 0 RxTotal = 1
RxVersion = 0 LastRxSrcMac = 0000.0000.0000

xxxxxxx#show dot1x statistics interface gig 4/4
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 2 TxReq = 9 TxTotal = 11
RxStart = 1 RxLogoff = 0 RxRespId = 1 RxResp = 9
RxInvalid = 0 RxLenErr = 0 RxTotal = 12
RxVersion = 1 LastRxSrcMac = 0018.8b07.a09b

xxxxxx#show dot1x statistics interface gig 4/4
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 2 TxReq = 9 TxTotal = 11
RxStart = 1 RxLogoff = 0 RxRespId = 1 RxResp = 9
RxInvalid = 0 RxLenErr = 0 RxTotal = 12
RxVersion = 1 LastRxSrcMac = 0018.8b07.a09b

xxxxxxxx#show dot1x statistics interface gig 4/4
PortStatistics Parameters for Dot1x
--------------------------------------------
TxReqId = 0 TxReq = 0 TxTotal = 0
RxStart = 0 RxLogoff = 0 RxRespId = 0 RxResp = 0
RxInvalid = 0 RxLenErr = 0 RxTotal = 0
RxVersion = 0 LastRxSrcMac = 0000.0000.0000

xxxxx#show mac-address-table interface gig 4/4
Legend: * - primary entry
age - seconds since last seen
n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
*  107  0019.b93a.fdfa   static   Yes          -   Gi4/4
*  107  0018.8b07.a09b   dynamic  Yes          0   Gi4/4


xxxxxxxxx(config-if)#dot1x port-control auto
Command rejected: Static MAC addresses configured on one or more ports
Please remove Static MAC addresses before enabling dot1x
xxxxxxxx(config-if)#

This issue is on multiple switches and multiple ports.

Port Name Status Reason
Gi1/6 err-disabled security-violation
Gi1/8 err-disabled security-violation
Gi1/10 err-disabled security-violation
Gi1/12 err-disabled security-violation
Gi1/17 err-disabled security-violation
Gi1/24 err-disabled security-violation
Gi1/29 err-disabled security-violation
Gi1/31 err-disabled security-violation
Gi1/34 err-disabled security-violation
Gi1/39 err-disabled security-violation
Gi1/40 err-disabled security-violation
Gi1/45 err-disabled security-violation
Gi2/15 err-disabled security-violation
Gi2/25 err-disabled security-violation
Gi2/35 err-disabled security-violation
Gi2/45 err-disabled security-violation
Gi3/12 err-disabled security-violation
Gi3/13 err-disabled security-violation
Gi3/17 err-disabled security-violation
Gi3/22 err-disabled security-violation
Gi3/25 err-disabled security-violation
Gi3/32 err-disabled security-violation
Gi4/15 err-disabled security-violation

LEEroy
MCNE6,CCNP,CWNA,CCSA,Project+
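
Added example, not part of the original posts: a short Python triage script that correlates the three outputs shown above (the DOT1X violation syslog line, the MAC table, and LastRxSrcMac from the dot1x statistics) to show, per port, whether the MAC that triggered the violation is the authenticated workstation or the unexplained static entry. The function names and the way the inputs are passed in are assumptions for illustration; the sample data is copied from the posts, with the wrapped log line joined.

```python
import re

# Sample input copied from the switch output posted above.
SYSLOG = """\
2w1d: %DOT1X-SP-5-SECURITY_VIOLATION: Security violation on interface GigabitEthernet4/4, New MAC address 0019.b93a.fdfa is seen on the interface in Single host mode
2w1d: %PM-SP-4-ERR_DISABLE: security-violation error detected on Gi4/4, putting Gi4/4 in err-disable state
"""
MAC_TABLE = """\
* 107 0019.b93a.fdfa static Yes - Gi4/4
* 107 0018.8b07.a09b dynamic Yes 0 Gi4/4
"""
# LastRxSrcMac per port, taken from "show dot1x statistics" after authentication.
DOT1X_LAST_RX = {"Gi4/4": "0018.8b07.a09b"}

VIOLATION = re.compile(
    r"%DOT1X-\S*SECURITY_VIOLATION: Security violation on interface (\S+), "
    r"New MAC address ([0-9a-f.]{14})", re.I)
MAC_ROW = re.compile(
    r"^\*?\s*(\d+)\s+([0-9a-f.]{14})\s+(static|dynamic)\s+\S+\s+\S+\s+(\S+)",
    re.I | re.M)

def short_name(ifname):
    """GigabitEthernet4/4 -> Gi4/4, matching the MAC table's port column."""
    return re.sub(r"^GigabitEthernet", "Gi", ifname)

def triage(syslog, mac_table, last_rx):
    """For each violation, report the offending MAC, its MAC-table entry type,
    and whether it is the MAC last seen sending EAPOL on that port."""
    entries = {(m[4], m[2].lower()): m[3].lower()
               for m in MAC_ROW.finditer(mac_table)}
    findings = []
    for m in VIOLATION.finditer(syslog):
        port, mac = short_name(m[1]), m[2].lower()
        findings.append({
            "port": port,
            "violating_mac": mac,
            "table_type": entries.get((port, mac), "absent"),
            "supplicant_mac": last_rx.get(port),
            "is_supplicant": last_rx.get(port) == mac,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SYSLOG, MAC_TABLE, DOT1X_LAST_RX):
        print(finding)
```

On the posted data this reports that the violating MAC on Gi4/4 is the static entry, not the MAC that completed the EAPOL exchange.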
 