IBM Server Causing Port Security violation

[goickle]

I have an IBM server that has a broadcom netextreme network card. It is causing a port security violation.

Jan 30 01:43:31: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0014.5e18.f690 on port GigabitEthernet1/0/19. (Bedford2-1)

I have done an ipconfig /all but this MAC address does not show up. I have multiple IBM servers and have port security set to:
interface GigabitEthernet1/0/19
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
For some reason this one file server keeps causing a violation. I am out of ideas.

 

[meneerB]

why use this on server ports?
Normaly you are in control who has access to the serverracks, and not a person from outside with his (unsecure) laptop?
or don't you trust the servers admins? (I'm not trying to offend you, just wondering)

 

[burtsbees]

I agree with meneerB...

You could try a sh mac-address-table, and sh arp, to see. I would also clear the switchport (no form of commands, then re-issue them) and try again, then do a sh mac-address-table to see what MAC appears on that switchport.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[meneerB]

maybe a virus or VMware ESX, with a guest running..?

the manufacturer of the nic can be found with google
(first 6 characters of the macaddress = manufacturer)
maybe that helps troubleshooting

 

[meneerB]

I mean VMWare workstation; MS virtual xx, altough I don't know what OS you are running.

 

[goickle]

The server is a file server running Windows Server 2003 std. It is an IBM xSeries 3650 server. The violation MAC address is very similar to the physical the NIC is using. I have another 12 similar IBM servers that are running with the same port settings and none of them are giving off port violations. The server is running AV software with no alerts. No VMWare. It is just kind of strange that this one server is using another similar but unknown MAC. Is it some sort of virtual MAC for management (BMC, RSA)? Just wondering if anyone else has come across this. My next attempt will be to contact IBM directly and see if they can offer any insight.

 

[meneerB]

hmm,
we use dells DRAC, visible in w2k3 network tab
so that could be, alltough it has it's own nic (maybe daisychaned to the internal nic?)

you can check the mac of the card with ipconfig/all, maybe disable the card helps.

 

[goickle]

I have done an ipconfig /all and the MAC is not listed. It has two NICs. I am unable to disable the spare in Network connections. I can however disable it in device manager. DOes not help. I am inclined to think there is some IBM process like IBM director or something that runs off the same NIC but uses a different MAC.

 

[meneerB]

maybe a hidden adapter?
check device manager, checkmark on for hidden dev.
you cannot see the macaddress, but you can disable the card
ps. can you post the ghost macaddress?

 

[goickle]

0014.5e18.f690
Showing hidden devices shows an adapter called direct parallel. My other IBM servers have this too. Can't really say that is the problem if the other servers are fine.

 

[meneerB]

Hmm, according to the vendor sheet, it's an IBM mac, so probably no software address.
I don't have options left.

if it doesn't matter: I should turn off port security or increment the port sec. from 1 to 2.

 

[goickle]

Port security is set to two already. That is what is strange. Three MACs?

 

[btnet]

switchport port-security maximum 99

Where 99 is the max mac. In your case you could try 4.

Are you doing any sort of load balancing between the two nics? This could be the reason for the seemingly mysterious additional address.