
Port-Security Not Allowing Computers to Directly Connect to Voice/Access Ports

trent.robertson
Level 1

Hi,

I have a Catalyst 2960 switch that has several ports configured as follows:


switchport access vlan 10
switchport mode access
switchport voice vlan 20
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone

When I plug a voip phone into the port, and computer into the phone, everything works as expected. If I plug a printer into the port, the printer works just fine as well. The problem comes when I plug any computer directly into the port. The port security gets triggered and shuts the port down. We have a server where this happened as well.

This is the first time I've set up a network with voip phones and such, so this is pretty new to me. I would ideally like for a port to accept any computer/phone combination, or a computer directly without triggering the port security. I do, however, like the port security feature where if I unplug a computer and plug another in its place, that it shuts down. I would like to keep that feature if I could.

Thanks in advance for your help!

3 Replies

Enable term moni and connect the computer, then look for the syslog message generated. It will include the reason for going into err-disable state. This will help.
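
The syslog check suggested in the reply above, as an added example that is not part of the original thread: Python that reads captured switch log lines and reports, per port, why it was err-disabled and which MAC address caused a port-security violation. This matters on a port like the one in the question, where both port-security and bpduguard can err-disable it. The message formats are the IOS %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION lines; the sample log, MAC address and port numbers are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "terminal monitor" output; MAC and ports are made up.
SAMPLE_LOG = """\
*Mar  1 00:12:01.100: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
*Mar  1 00:12:01.104: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/5.
*Mar  1 00:12:02.110: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
*Mar  1 00:20:44.512: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
"""

# Reason and port from the err-disable message.
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
# Offending MAC and port from the port-security violation message.
PSECURE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) on port (\S+?)\.?$"
)
LONG_TO_SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi",
                 "TenGigabitEthernet": "Te"}


def short_name(interface):
    """Normalise 'FastEthernet0/5' to 'Fa0/5' so both messages key the same port."""
    for long_form, short in LONG_TO_SHORT.items():
        if interface.startswith(long_form):
            return short + interface[len(long_form):]
    return interface


def summarise(log_text):
    """Return {port: {"reasons": set, "macs": set}} for each port named in
    an err-disable or port-security violation message."""
    ports = defaultdict(lambda: {"reasons": set(), "macs": set()})
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if m:
            ports[short_name(m.group(2))]["reasons"].add(m.group(1))
            continue
        m = PSECURE.search(line.rstrip())
        if m:
            ports[short_name(m.group(2))]["macs"].add(m.group(1).lower())
    return dict(ports)


if __name__ == "__main__":
    for port, info in sorted(summarise(SAMPLE_LOG).items()):
        print(port, sorted(info["reasons"]), sorted(info["macs"]))
```
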

Turning off port-security fixed the issue:

no switchport port-security

Now my configuration looks like this:

switchport access vlan 10
switchport mode access
switchport voice vlan 20
switchport port-security maximum 2
switchport port-security aging time 2
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone

What did I lose from a security standpoint by turning off port-security?

D_Lebedev
Level 3

Hi,

Try making the changes as described.

https://support.microsoft.com/en-us/help/219374/how-to-disable-the-gratuitous-arp-function

https://technet.microsoft.com/en-us/library/cc957526.aspx?f=255&MSPPError=-2147217396

And

Disable APIPA on All but One Network Adapter

  1. Use Registry Editor to create the following registry key, where <adapter name> is the name of the Dynamic Host Configuration Protocol (DHCP) configured adapter where you want to disable APIPA:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter name>
  2. Add the following value to this key:
    Value name: IPAutoconfigurationEnabled
    Value type: REG_DWORD
    Value in hexadecimal: 0 (A value of 0 disables APIPA support on this adapter)
    NOTE: If the IPAutoconfigurationEnabled entry is not present, a default value of 1 is assumed, which indicates that APIPA is enabled.
  3. After you make this change, restart your computer.

Hope it helps.