01-10-2011 02:38 AM - edited 03-06-2019 02:54 PM
Hi everyone ... long time away!
I am seeing some strange behaviour of port security on a 4500 running 12.2(53)SG3 (and previous versions also).
I have switchports configured as voice/access, with the intention that we can connect phones alone, or PCs alone, or phone+PC. The configuration is designed so that it does the job for all 3 cases. I want to limit the number of MAC addresses on the access VLAN to 1, and the number of MAC addresses on the voice VLAN to 1. This is the config I use:
interface FastEthernet2/3
switchport access vlan <PC-VLAN>
switchport mode access
switchport voice vlan <voice-vlan>
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
etc etc
Note: no sticky!
(I am using Siemens phones that are hard-configured onto the voice VLAN, so I do not need to allow a third MAC address.)
Now the strange behaviour is this: if I bump the port (for example if I have just a PC connected and I reboot the PC), then the two lines restricting the MAC count per VLAN disappear from the config.
interface FastEthernet2/3
switchport access vlan 100
switchport mode access
switchport voice vlan 235
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
etc etc
This means that there is no longer anything to prevent the user (who does not have a phone) from connecting a dumb switch with 2 PCs, or even from maliciously injecting an extra MAC address into the switching table.
Has anyone else ever seen this?
Kevin Dorrell
Luxembourg
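Because the two per-VLAN lines vanish silently after a port bounce, the practical defence is to audit the running config for drift rather than trust what was typed. The following is an added example, not code from the original post or from Cisco: a small Python checker that parses interface stanzas from a running-config dump and reports every voice/access port that is missing one of the expected port-security lines. The required-line policy, the interface names and the sample config below are all constructed for this example.

```python
"""Audit Cisco IOS interface stanzas for missing port-security lines.

Constructed example (not Cisco tooling): feed it the text of
'show running-config' and it reports voice/access ports whose
per-VLAN 'maximum' lines (or other required lines) are absent.
"""
from typing import Dict, List

# Policy: every voice/access port must carry all of these lines.
# Constructed to mirror the intended configuration in the thread.
REQUIRED_PORT_SECURITY = [
    "switchport port-security",
    "switchport port-security maximum 2",
    "switchport port-security maximum 1 vlan access",
    "switchport port-security maximum 1 vlan voice",
    "switchport port-security violation restrict",
]

# Constructed sample: Fa2/3 is intact, Fa2/4 has lost its per-VLAN
# limits (the behaviour described above), Gi1/1 is a trunk to be skipped.
SAMPLE_CONFIG = """\
!
interface FastEthernet2/3
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 235
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
!
interface FastEthernet2/4
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 235
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/1
 switchport mode trunk
!
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config dump into {interface name: [stanza lines]}.

    An 'interface ...' line opens a stanza; indented lines belong to it;
    any non-indented line ('!', 'end', a global command) closes it.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def is_voice_access_port(lines: List[str]) -> bool:
    """True for access-mode ports that also carry a voice VLAN."""
    has_voice = any(l.startswith("switchport voice vlan") for l in lines)
    return has_voice and "switchport mode access" in lines


def missing_port_security(lines: List[str]) -> List[str]:
    """Return the required lines (in policy order) absent from a stanza."""
    present = set(lines)
    return [req for req in REQUIRED_PORT_SECURITY if req not in present]


def audit(config: str) -> Dict[str, List[str]]:
    """Map each non-compliant voice/access port to its missing lines."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not is_voice_access_port(lines):
            continue
        missing = missing_port_security(lines)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Run it against a saved copy of the running config (for example from a nightly backup) and any port that has silently dropped its per-VLAN limits shows up immediately; with the sample above only FastEthernet2/4 is reported, and the trunk port is ignored.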
01-10-2011 03:57 AM
Hello Kevin,
Also, when I tested port security the command was given without specifying a VLAN.
When was a limit per VLAN added?
I agree it could be handy
see
I see the vlan option when using sticky, but not when specifying the maximum number of MAC address
Hope to help
Giuseppe
01-10-2011 05:07 AM
Hi Giuseppe, and thanks for the reply.
It is strange that it actually accepts the "per vlan" commands, and apparently applies them, but that they disappear whenever the port is bumped. I don't want to make the MAC addresses sticky because I want the PC support team to be able to replace a PC without having to phone me up to clear down the port security. (That is why I have an inactivity aging time of only 1 minute.) But I do want to ensure that the user cannot plug other stuff on the access VLAN in parallel with his official PC.
I did try the two "per vlan" commands without the global maximum of 2, but of course that allowed only one device on the port, a PC or a phone.
I cannot really see why the two config lines should disappear like that. I don't really want to have to open a TAC case for something so trivial, but as far as I can see, it looks like a bug. What do you think?
You say you see the per-VLAN option only with the sticky option ... do you mean in the documentation, or have you actually tried it on a real switch? In my switches it allows me to configure it, but loses it whenever the port is bumped.
Kevin Dorrell
Luxembourg
01-10-2011 05:21 AM
Hello Kevin,
Happy New Year!
In the documentation, in the config guide for 12.2(53), at the link I had provided.
I haven't tried it in a real switch.
I agree that this looks like a SW bug, as the command looks like it is accepted, but is then removed after the port changes state to down and then to up.
So I would open a service request if this is impacting your network environment.
I have seen in the past also issues with 802.1X and VoIP phones here in the forums (either attempting to use 802.1X for the phones, or using some form of guest VLAN/bypass for them).
Hope to help
Giuseppe
PS: your Italian is still good!
01-10-2011 05:31 AM
OK, Giuseppe, I'll open a case then. I'll post back if I get a response.
Bye,
Kevin Dorrell
Luxembourg