[cisco-voip] dot1x err-disabling ports with phones

Erick Wellnitz ewellnitzvoip at gmail.com
Wed Jun 19 16:10:42 EDT 2013


The vendor listed for that MAC address is Dell.
http://www.coffer.com/mac_find/?string=00%3A21%3A70%3Ac8%3A58%3Acb

Perhaps you have someone or someones trying to plug a laptop into the
phone.  That would explain why the switch sees a second mac and why the
port is put into err-disable and is in single host mode.


On Wed, Jun 19, 2013 at 2:48 PM, <george.hendrix at l-3com.com> wrote:

> Hey guys,
>
> We have an issue that seems to be mostly on 3560/3750 and older 4500
> switches.  We have not had the issue at all on any phone connected to our
> 4510s with Sup-7 engines.  At random when the phone/client is already
> connected to the switch, the port goes into err-disable.  The ports are in
> single host mode.
>
> interface FastEthernet1/0/5
>  switchport access vlan 2
>  switchport mode access
>  switchport voice vlan 3
>  srr-queue bandwidth share 10 10 60 20
>  srr-queue bandwidth shape 10 0 0 0
>  priority-queue out
>  authentication event server dead action authorize
>  authentication event server alive action reinitialize
>  authentication port-control auto
>  authentication periodic
>  mls qos trust cos
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout server-timeout 30
>  spanning-tree portfast
>  spanning-tree bpduguard enable
>  spanning-tree guard loop
>
> The error I see in the log before the port goes err-disable is below:
>
> Security violation on the interface GigabitEthernet0/23, new MAC address
> (0021.70c8.58cb) is seen.AuditSessionID Unassigned
>
> security-violation error detected on Gi0/23, putting Gi0/23 in err-disable
> state
>
> The switch seems to be treating the phone like a new DATA client.
>
> TAC seems to think possibly the phone is not transmitting CDP long enough
> that the switch puts the phone mac address into the DATA group and when it
> does, it err-disables the port.
>
> Has anyone else seen this happen with firmware version SCCP 9.3.1.1 on
> 7962 model phones?
>
> Thanks,
>
> Bill
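Added example, not part of the original thread: a small triage script that pairs each security-violation message with the err-disable message for the same port and classifies the offending MAC by OUI, which separates the two explanations raised above (a second device behind the phone versus the phone itself landing in the data domain). The function names, the PHONE_OUIS set and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message texts as quoted in the thread; any syslog prefix before them is ignored.
VIOLATION = re.compile(
    r"Security violation on the interface (\S+), "
    r"new MAC address \(([0-9a-fA-F.]+)\) is seen")
ERRDISABLE = re.compile(r"putting (\S+) in err-disable state")
# Long-to-short interface prefixes so both messages key on the same port.
SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa"}

def short_if(name):
    """Abbreviate a long interface name (GigabitEthernet0/23 -> Gi0/23)."""
    for long_name, short in SHORT.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name

def oui(mac):
    """Return the first three octets of a dotted MAC as 'xx:xx:xx'."""
    digits = mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))

def triage(lines, phone_ouis):
    """Map each err-disabled port to the MACs that triggered the violation.

    'other' means the OUI is not a known phone prefix (a second device on
    the port); 'phone' means the phone itself was seen as a new data client.
    """
    seen = defaultdict(list)   # port -> MACs reported since the last err-disable
    report = {}
    for line in lines:
        m = VIOLATION.search(line)
        if m:
            seen[short_if(m.group(1))].append(m.group(2).lower())
            continue
        m = ERRDISABLE.search(line)
        if m and seen.get(m.group(1)):
            report[m.group(1)] = [
                (mac, "phone" if oui(mac) in phone_ouis else "other")
                for mac in seen.pop(m.group(1))]
    return report

# The first two lines are the messages quoted in the thread; the rest are constructed.
SAMPLE = [
    "Security violation on the interface GigabitEthernet0/23, new MAC address (0021.70c8.58cb) is seen.AuditSessionID Unassigned",
    "security-violation error detected on Gi0/23, putting Gi0/23 in err-disable state",
    "Security violation on the interface FastEthernet1/0/5, new MAC address (aabb.cc00.0001) is seen.AuditSessionID Unassigned",
    "security-violation error detected on Fa1/0/5, putting Fa1/0/5 in err-disable state",
]
PHONE_OUIS = {"aa:bb:cc"}  # constructed placeholder, not a real vendor prefix
```

Fill PHONE_OUIS with the prefixes of the phones actually deployed; ports that report only "other" MACs are the ones to check for a laptop plugged into the phone.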