cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9081
Views
15
Helpful
11
Replies

port security on a trunk port 2950

daven.delidle
Level 1
Level 1

Greetings,

In the docs it indicates that you cannot have port security on a trunk port. I was wondering if this was absolutley true as I was wanting to secure some of our ip phone switch ports but alas they are trunk ports. I would appreciate any help.

Thank you,

Daven

11 Replies 11

Daven,

I believe that's not true. You can enable port security on a trunk.

See the quote from CCO below pertaining to access/voice vlan configured on a switchport.

"When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two secure addresses. If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN. You cannot configure port security on a per-VLAN basis"

Ref URL: http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008014f377.html

You didn't mention what type of switch you are using. Here's another URL for configuring port security on 6500 switches.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2c.html

Pls. rate the post if it helped.

HTH,

Sundar

Greetings Sundar,

Thank you for the reply, I'm using a 3550 switch, When I try to enable port security, the command is rejected "you cannot enable port security on a trunk" is the rejection message, but yes, I am trying to enable security on a switch that has both data and voice vlans configured. If I am using the wrong command, "int fastethernet0/5, port-security ...." have any suggestions?

What type of IP phones are they? If they are Cisco, what model? On a 3550, you can use the "switchport voice vlan" command along with the "switchport access vlan" command to separate the voice and data traffic without having to use a trunk. This would, however, depend on the phone you are using. Then, since the port would be an access port, you could apply port-security to it.

Thanks for the reply. They are Cisco 7970 phones, so you are saying that by using the "switchport voice vlan" it automatically "tells" the switch to trunk voice and data seperately? Interesting. Does it work on the 7970?

Hi Friend,

When you connect IP Phones to switch and configure voice vlan command it internally forms a trunk so no special trunk configuration in required.

Have a look at this link

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swvoip.htm#wp1030836

Cisco does not allow you to configure port security in trunk ports cause trunk ports may learn many mac addresses which will defeat the use of port security feature so when you connect ip phones and want port security feature so not configuer ports as trunk and instaed configure as voice vlan for voice traffic and also configuer the same port with access vlan for data traffic.

However there was some issue noted with 7970 ip phones where Phone does not stream out PC Port when Voice VLAN access enabled which was noted in bug CSCec75806 but is been resolved now.

http://www.cisco.com/en/US/products/hw/phones/ps379/prod_release_note09186a00801f7032.html

HTH, if yes please rate the post.

Ankur

How about you're not using the IP phone from cisco prod? let say you're using polycom/avaya...

thanks!

good thing avaya phones do not require an explicit dot1q trunk. I have thousands of avaya phones running on my cisco network with aux/voice vlan configurations:

sample:

interface FastEthernet0/2

description to IP phone and PC

switchport access vlan 2

switchport voice vlan 3

mls qos vlan-based

no cdp enable

spanning-tree portfast

Sorry to bring up an old thread.  I am currently trying to resolve the same problem.  At one of our offices I have an HP 2950-48 (12.1(22)EA8a)

We recently installed a mitel 3300 phone system with Mitel 5330 IP Phones.  I would like to setup port security but was running into the same message that I could not enable port security on a trunk port.

Reading this thread I changed the port configuration accordingly:

interface FastEthernet0/30
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast

What is confusing me is that when I enter "Switchport mode access vlan 1" it does not appear in the config, instead it just shows "Switchport mode access."  Does this matter?  Should this still work?

Any thoughts or suggestions are greatly appreciated.

By default, all the ports are in the vlan 1 thats why its not shown in the configuration. even you

configure it for vlan 1. if you configure the port for another vlan, it will show up in the config

uration.

t4tauseef33,

That makes complete sense, thank you.  That answered my portion of this question.

PW

guys try this config will be useful using tunk port with port security

int fax/x

switchport mode trunk

switchport port-security

switchport port-security mximum 2

switchport port-security mximum 1 vlan 5

switchport port-security mximum 1 vlan 1

lets say you have trunk with vlan 1 nad 5 this config will make the max mac address to 2 and 1 per valn as well

good luck

if helpful Rate

Review Cisco Networking for a $25 gift card