05-02-2006 08:35 AM - edited 03-03-2019 03:02 AM
Greetings,
In the docs it indicates that you cannot have port security on a trunk port. I was wondering if this was absolutely true, as I was wanting to secure some of our IP phone switch ports, but alas, they are trunk ports. I would appreciate any help.
Thank you,
Daven
05-02-2006 09:59 AM
Daven,
I believe that's not true. You can enable port security on a trunk.
See the quote from CCO below pertaining to access/voice vlan configured on a switchport.
"When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two secure addresses. If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN. You cannot configure port security on a per-VLAN basis."
You didn't mention what type of switch you are using. Here's another URL for configuring port security on 6500 switches.
Pls. rate the post if it helped.
HTH,
Sundar
05-03-2006 03:37 AM
Greetings Sundar,
Thank you for the reply. I'm using a 3550 switch. When I try to enable port security, the command is rejected; "you cannot enable port security on a trunk" is the rejection message. But yes, I am trying to enable security on a switch that has both data and voice VLANs configured. If I am using the wrong command ("int fastethernet0/5, port-security ...."), do you have any suggestions?
05-03-2006 07:02 AM
What type of IP phones are they? If they are Cisco, what model? On a 3550, you can use the "switchport voice vlan" command along with the "switchport access vlan" command to separate the voice and data traffic without having to use a trunk. This would, however, depend on the phone you are using. Then, since the port would be an access port, you could apply port-security to it.
05-04-2006 03:28 AM
Thanks for the reply. They are Cisco 7970 phones, so you are saying that by using "switchport voice vlan" it automatically "tells" the switch to trunk voice and data separately? Interesting. Does it work on the 7970?
05-04-2006 03:35 AM
Hi Friend,
When you connect IP phones to a switch and configure the voice vlan command, it internally forms a trunk, so no special trunk configuration is required.
Have a look at this link
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swvoip.htm#wp1030836
Cisco does not allow you to configure port security on trunk ports, because trunk ports may learn many MAC addresses, which would defeat the purpose of the port security feature. So when you connect IP phones and want the port security feature, do not configure the ports as trunks; instead configure a voice vlan for voice traffic and also configure the same port with an access vlan for data traffic.
However, there was an issue noted with 7970 IP phones where the phone does not stream out the PC port when voice VLAN access is enabled, which was noted in bug CSCec75806, but it has been resolved now.
http://www.cisco.com/en/US/products/hw/phones/ps379/prod_release_note09186a00801f7032.html
HTH, if yes please rate the post.
Ankur
05-05-2006 10:29 AM
What if you're not using an IP phone from Cisco? Let's say you're using Polycom/Avaya...
thanks!
05-05-2006 10:36 AM
Good thing Avaya phones do not require an explicit dot1q trunk. I have thousands of Avaya phones running on my Cisco network with aux/voice vlan configurations:
sample:
interface FastEthernet0/2
description to IP phone and PC
switchport access vlan 2
switchport voice vlan 3
mls qos vlan-based
no cdp enable
spanning-tree portfast
11-23-2009 05:02 PM
Sorry to bring up an old thread. I am currently trying to resolve the same problem. At one of our offices I have an HP 2950-48 (12.1(22)EA8a).
We recently installed a Mitel 3300 phone system with Mitel 5330 IP phones. I would like to set up port security but was running into the same message that I could not enable port security on a trunk port.
Reading this thread I changed the port configuration accordingly:
interface FastEthernet0/30
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
What is confusing me is that when I enter "Switchport mode access vlan 1" it does not appear in the config, instead it just shows "Switchport mode access." Does this matter? Should this still work?
Any thoughts or suggestions are greatly appreciated.
11-26-2009 01:16 AM
By default, all the ports are in vlan 1; that's why it's not shown in the configuration, even if you configure it for vlan 1. If you configure the port for another vlan, it will show up in the configuration.
11-30-2009 10:48 AM
t4tauseef33,
That makes complete sense, thank you. That answered my portion of this question.
PW
12-20-2009 05:08 PM
Guys, try this config; it will be useful for using a trunk port with port security:
int fax/x
switchport mode trunk
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan 5
switchport port-security maximum 1 vlan 1
Let's say you have a trunk with vlan 1 and 5. This config will make the max MAC addresses 2, and 1 per vlan as well.
Good luck.
If helpful, rate.
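As an added example (not posted by anyone in this thread), here is a small Python lint that parses IOS interface stanzas like the ones posted above and applies the rules the thread settles on: a voice-VLAN port needs at least two secure addresses, should be an access port before port security goes on, and a trunk only makes sense with the per-VLAN maximums shown in the last post. The sample config is constructed from the thread's own stanzas plus one deliberately bad port; the finding texts are this example's own.

```python
# Constructed sample: PW's access port and the last post's trunk from this thread, plus a
# third stanza that has a voice VLAN but allows only one secure address.
SAMPLE_CONFIG = """\
interface FastEthernet0/30
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 2
interface FastEthernet0/31
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan 5
 switchport port-security maximum 1 vlan 1
interface FastEthernet0/32
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 1
"""

def parse_interfaces(text):
    """Group config lines under their 'interface' header: {name: [lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line:
            stanzas[current].append(line)
    return stanzas

def lint_port_security(lines):
    """Findings for one stanza, from the rules quoted and worked out in the thread."""
    if "switchport port-security" not in lines:
        return []                                   # feature not enabled; nothing to check
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    voice = any(l.startswith("switchport voice vlan ") for l in lines)
    maxima = [l.split() for l in lines if l.startswith("switchport port-security maximum ")]
    total = next((int(t[3]) for t in maxima if len(t) == 4), 1)   # IOS default is 1 address
    per_vlan = [t for t in maxima if len(t) == 6 and t[4] == "vlan"]
    findings = []
    if mode == "trunk" and not per_vlan:
        findings.append("port security on a trunk without per-VLAN maximums (rejected on the 3550)")
    if voice and mode != "access":
        findings.append("voice VLAN port should be 'switchport mode access' before enabling port security")
    if voice and total < 2:
        findings.append(f"voice VLAN needs a maximum of at least 2 secure addresses, found {total}")
    return findings
```

Run `lint_port_security(stanza)` over each value of `parse_interfaces(SAMPLE_CONFIG)`; the two thread stanzas come back clean and the third reports both problems.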