04-11-2018 07:56 AM - edited 03-01-2019 06:30 PM
Hello,
I have a PoE switch, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E5. I have configured a voice and an access VLAN on a certain port. I have a Cisco phone connected to this port and a PC connected to the IP phone. I also configured port security based on sticky MAC addresses.
Following is the configuration:
interface GigabitEthernet1/0/4
switchport access vlan 21
switchport mode access
switchport voice vlan 60
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security mac-address sticky
switchport port-security mac-address sticky 7427.ea66.4875
switchport port-security mac-address sticky 0027.9081.1224 vlan voice
switchport port-security
spanning-tree portfast
end
The problem is as follows: when setting the port-security maximum to '2', which I'm assuming is mandatory in my case to handle two devices on the same port, I tried to plug in another PC, and then the MAC value '7427.ea66.4875' was overridden by a new MAC belonging to the new PC. No violation was triggered! The new PC gained access to the network normally; this contradicts the entire concept of port security. How can I overcome this security gap? Am I configuring something wrong? Is there any suggested best practice for configuring port security on a physical port hosting two devices (IP phone & PC) in different VLANs (voice and access)?
Thanks,
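As an added example (not part of the original thread or of Cisco's own tooling), the following Python script parses an interface block in the IOS syntax shown in the post and audits the port-security settings that matter for a phone-plus-PC port: whether the total maximum can hold two devices, whether per-VLAN maxima are present (without them, any two MACs on either VLAN fill the port), whether the sticky entries stay within the per-VLAN limits, and whether the violation mode is explicit or relies on the default. POSTED_CONFIG is the block from the question; WEAK_CONFIG is a constructed variant with only a total maximum, added to show the warning it triggers.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the interface block from the original post, as it
# would appear in "show running-config interface GigabitEthernet1/0/4".
POSTED_CONFIG = """\
interface GigabitEthernet1/0/4
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 60
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 7427.ea66.4875
 switchport port-security mac-address sticky 0027.9081.1224 vlan voice
 switchport port-security
 spanning-tree portfast
end
"""

# Constructed weaker variant (hypothetical port): total maximum only, no per-VLAN limits.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/5
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 60
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security
end
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?")
MAC_RE = re.compile(r"switchport port-security mac-address (?:sticky )?"
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (access|voice))?")
VIOL_RE = re.compile(r"switchport port-security violation (protect|restrict|shutdown)")


@dataclass
class PortSecurity:
    name: str = ""
    enabled: bool = False
    sticky: bool = False
    voice_vlan: bool = False
    maximum: int = 1                 # IOS default once port-security is enabled
    violation: str = "shutdown"      # IOS default
    violation_explicit: bool = False
    per_vlan_max: dict = field(default_factory=dict)   # "access"/"voice" -> int
    secure_macs: dict = field(default_factory=dict)    # mac -> "access"/"voice"


def parse_interface(text):
    """Parse one IOS interface block into a PortSecurity summary."""
    ps = PortSecurity()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ps.name = line.split(None, 1)[1]
        elif line.startswith("switchport voice vlan "):
            ps.voice_vlan = True
        elif line == "switchport port-security":
            ps.enabled = True
        elif line == "switchport port-security mac-address sticky":
            ps.sticky = True
        elif (m := MAX_RE.fullmatch(line)):
            if m.group(2):
                ps.per_vlan_max[m.group(2)] = int(m.group(1))
            else:
                ps.maximum = int(m.group(1))
        elif (m := MAC_RE.fullmatch(line)):
            # A secure MAC without the "vlan voice" keyword belongs to the access VLAN.
            ps.secure_macs[m.group(1)] = m.group(2) or "access"
        elif (m := VIOL_RE.fullmatch(line)):
            ps.violation, ps.violation_explicit = m.group(1), True
    return ps


def audit(ps):
    """Return a list of findings for a port meant to host one phone and one PC."""
    findings = []
    if not ps.enabled:
        return [f"{ps.name}: port-security is not enabled"]
    if ps.voice_vlan and ps.maximum < 2:
        findings.append(f"{ps.name}: maximum {ps.maximum} cannot hold both a phone and a PC")
    if ps.voice_vlan and not ps.per_vlan_max:
        findings.append(f"{ps.name}: no per-VLAN maximum, so any {ps.maximum} MACs on either "
                        "VLAN fill the port (two PCs behind the phone would be accepted)")
    if sum(ps.per_vlan_max.values()) > ps.maximum:
        findings.append(f"{ps.name}: per-VLAN maxima exceed the port maximum")
    counts = {}
    for vlan in ps.secure_macs.values():
        counts[vlan] = counts.get(vlan, 0) + 1
    for vlan, n in counts.items():
        limit = ps.per_vlan_max.get(vlan, ps.maximum)
        if n > limit:
            findings.append(f"{ps.name}: {n} secure MACs on the {vlan} VLAN exceed limit {limit}")
    if not ps.violation_explicit:
        findings.append(f"{ps.name}: violation mode not set, relying on default '{ps.violation}'")
    return findings


if __name__ == "__main__":
    for cfg in (POSTED_CONFIG, WEAK_CONFIG):
        for finding in audit(parse_interface(cfg)):
            print(finding)
```

Run against the posted block it reports only that the violation mode is implicit; the per-VLAN limits and the two sticky entries are consistent with each other. The script reads running-config text only; it cannot see the live secure-address table, so it says nothing about how an entry came to be replaced at runtime.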
04-12-2018 06:02 AM - edited 04-13-2018 03:34 AM
Hi,
Please check what violation mode is configured on the port. As I know, the default violation mode is "Shutdown".
show port-security interface GigabitEthernet1/0/4
Try the "switchport port-security violation {restrict | shutdown}" command under the interface.
Regards,
Deepak Kumar
04-12-2018 06:36 AM
Hi, Thanks for your input,
I issued the show command. It shows that the violation mode is shutdown; I believe this is the default behavior without needing to define it. I tried issuing all kinds of violations and am still getting the same result: nothing happens except the new MAC address overwrites the old one. Very weird :(
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 701f.5387.335f:60
Security Violation Count : 0
04-12-2018 12:24 PM
Hi,
Is there any errdisable recovery configured?
Regards,
Deepak Kumar
04-13-2018 02:48 AM
Errdisable recovery is not configured:
HO-Switch-112(config)#do sh errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Disabled
channel-misconfig (STP) Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
inline-power Disabled
link-flap Disabled
mac-limit Disabled
loopback Disabled
pagp-flap Disabled
port-mode-failure Disabled
pppoe-ia-rate-limit Disabled
psecure-violation Disabled
security-violation Disabled
sfp-config-mismatch Disabled
small-frame Disabled
storm-control Disabled
udld Disabled
vmps Disabled
psp Disabled
dual-active-recovery Disabled
evc-lite input mapping fa Disabled
Recovery command: "clear Disabled