3560 Access Issue for some users

merittvlgrp
Level 1

I have a couple of users who randomly can't get access to any resources. The port they connect to doesn't have port security; they have an IP phone and a PC. The IP phone is fine since it's always on the same port. Their PC gets an IP from DHCP (DHCP is on a Windows server), but they can't ping any devices, nor can I ping the PC from the switch. I checked whether there were any MAC access filters applied on the switch (there aren't any). The log doesn't show any events on the ports in question, so I don't know if the switch is going bad or there is a config issue somewhere. It doesn't happen to all users, just 1 or 2.

Can someone provide some advice on what else I can check?

Thank you.

11 Replies

ALIAOF_
Level 6

What does your port config look like, and what kind of IP phones do you have? And just to confirm: the IP phone connects to the switch and the PC connects to the IP phone, right?

cadet alain
VIP Alumni

Hi,

Could you post the ipconfig of these 2 hosts as well as the arp -a output?

Also post the switch config and tell us which port they are located on and where the DHCP server is located.

Regards.

Alain

Don't forget to rate helpful posts.

Thanks for the quick reply.  Here is the config of the port in question (port security is off).

description
! data and voice VLANs (VLAN numbers are fictitious, per the poster)
switchport access vlan 10
switchport mode access
switchport voice vlan 11
! port-security parameters present on this port: up to 2 secure MACs, sticky-learned
switchport port-security maximum 2
switchport port-security mac-address sticky
! port is trusted for Dynamic ARP Inspection
ip arp inspection trust
! AutoQoS (cisco-phone macro) queueing and trust settings
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
macro description cisco-phone | cisco-phone
! spanning-tree edge-port settings
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
end

MAC access list for this port:

Interface FastEthernet2/0/33:
   Inbound access-list is not set
   Outbound access-list is not set

If the user moves to another port it works, and when they come back to their desk, it then works. They connect the PC behind an IP phone (Avaya phone). When the PC connects, I don't see the MAC address listed for the PC on that interface; I only see the phone MAC address (the VLAN numbers are fictitious).

We do have port security enabled on other ports (which would certainly behave differently from this issue), but not on this one.

Do you have port security set up on all the other ports just like this? Also, these 1 or 2 users having issues: do they by any chance have any VMs running on their desktops or laptops?

Yes, we have port security set up on other ports. This user (for example) uses our boardroom a lot, which has port security. Since you can't enter the same MAC on more than one port, this user's MAC is in the port security of our boardroom port but not on this one (their desk). When this issue happens, if the user takes the laptop to the boardroom (a port which has port security), they connect successfully. Then if they take it back to their desk (after connecting successfully in the boardroom), it works. I can show the config of the "boardroom port" if needed.

I think the issue is the user moving around. Try to hard-code his MAC address on the two ports, or take out the sticky option, because once the user moves you have to clear the MAC off the old port. See if that resolves the issue.

What's the best method? Are you referring to entering a static MAC entry (i.e. mac-address-table static 12ab.47dd.ff89 vlan 3 interface ethernet 2/1)?

The command is switchport port-security mac-address xxxx.xxxx.xxxx. That way it shouldn't block access from the port that has sticky on it.

This switchport port-security mac-address xxxx.xxxx.xxxx won't work, since the MAC is already configured under port security in the "boardroom". Port security is great for devices that don't move around.

I think your issue is that the user's MAC address is held in port-security on the boardroom port, which may be holding the entry in the MAC address table and not allowing it to be removed when the user changes location. Things like these are why we are trying to get away from port-security and implement 802.1X for access security.
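The diagnosis above (a sticky-secured MAC pinned to the boardroom port while the laptop sits on the desk port) can be confirmed and released from the switch CLI. The following is an added example, not a config or commands posted by anyone in this thread; the boardroom interface FastEthernet2/0/40 and the MAC address 0011.2233.4455 are placeholders, and only the desk port FastEthernet2/0/33 is taken from the thread.

```cisco
! Added example; interface Fa2/0/40 and MAC 0011.2233.4455 are placeholders.

! 1. Find where the switch thinks the laptop's MAC lives. A sticky-secured
!    address is stored as a STATIC entry pointing at the boardroom port, so
!    it stays there even while the laptop is plugged into the desk port.
show mac address-table address 0011.2233.4455
show port-security address
show port-security interface FastEthernet2/0/40
show port-security interface FastEthernet2/0/33

! 2. One-off fix: release the sticky entry on the boardroom port so the MAC
!    can be learned at the desk. Only the sticky-learned addresses on that
!    interface are cleared; the interface configuration is left untouched.
clear port-security sticky interface FastEthernet2/0/40

! 3. Longer-term fix for a port that roaming laptops use: keep port-security
!    but stop making the learned addresses permanent. Removing the sticky
!    keyword turns the saved addresses into dynamic secure addresses, and
!    inactivity aging frees a slot a few minutes after a laptop unplugs, so
!    nobody has to clear the old port by hand. "restrict" drops offending
!    frames and logs a violation instead of err-disabling the port.
interface FastEthernet2/0/40
 description boardroom
 switchport access vlan 10
 switchport voice vlan 11
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 no switchport port-security mac-address sticky
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security violation restrict
```

After step 3, re-run the two show commands from step 1: the laptop's address should now appear as a DYNAMIC secure address on whichever port it is currently plugged into, and should disappear from the boardroom port five minutes after it leaves.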

edondurguti
Level 4

Try removing the sticky command when the user moves.