Cat 4500 loses some port-security config.

Kevin Dorrell
Level 10

Hi everyone ... long time away!

I am seeing some strange behaviour of port security on a 4500 running 12.2(53)SG3 (and previous versions also).

I have switchports configured as voice/access, with the intention that we can connect phones alone, or PCs alone, or phone+PC.  The configuration is designed so that it does the job for all 3 cases.  I want to limit the number of MAC addresses on the access VLAN to 1, and the number of MAC addresses on the voice VLAN to 1.  This is the config I use:

interface FastEthernet2/3
switchport access vlan <PC-VLAN>
switchport mode access
switchport voice vlan <voice-vlan>
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity

etc etc

Note: no sticky!

(I am using Siemens phones that are hard-configured onto the voice VLAN, so I do not need to allow a third MAC address.)

Now the strange behaviour is this: if I bump the port (for example if I have just a PC connected and I reboot the PC), then the two lines restricting the MAC count per VLAN disappear from the config.

interface FastEthernet2/3
switchport access vlan 100
switchport mode access
switchport voice vlan 235
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity

etc etc

This means that there is no longer anything to prevent the user (who does not have a phone) from connecting a dumb switch with 2 PCs, or even from maliciously injecting an extra MAC address into the switching table.

Has anyone else ever seen this?

Kevin Dorrell

Luxembourg
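As an added defender's check (not code from the original post), the following Python audit parses running-config text and reports voice/access ports (port-security enabled, voice VLAN set) where either per-VLAN maximum line is absent, so the drift described above can be found across a whole switch rather than noticed by chance. The sample config is constructed; the expected line set follows the template in the post.

```python
# Added audit helper (not from the original post): flag voice/access ports whose
# per-VLAN port-security maximums are absent from 'show running-config' text.
EXPECTED = {"switchport port-security maximum 1 vlan access",
            "switchport port-security maximum 1 vlan voice"}

def parse_interfaces(config: str) -> dict:
    """Map each interface name to the set of its (stripped) sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif current and line.startswith(" "):
            interfaces[current].add(line.strip())
        else:                       # '!' or a global command ends the stanza
            current = None
    return interfaces

def missing_per_vlan_limits(config: str) -> dict:
    """{interface: sorted missing lines} for port-security voice/access ports."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport port-security" not in cmds:
            continue                # port-security not enabled: out of scope
        if not any(c.startswith("switchport voice vlan ") for c in cmds):
            continue                # no voice VLAN: not a voice/access port
        missing = sorted(EXPECTED - cmds)
        if missing:
            findings[name] = missing
    return findings

# Constructed sample: Fa2/3 is intact, Fa2/4 has lost both per-VLAN lines.
SAMPLE_CONFIG = """\
interface FastEthernet2/3
 switchport voice vlan 235
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
interface FastEthernet2/4
 switchport voice vlan 235
 switchport port-security maximum 2
 switchport port-security
!
"""
```

Run it against a saved `show running-config` on a schedule and alert on a non-empty result; a port that needs re-applying shows up immediately after the bump that cleared it.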

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Kevin,

Also, when I tested port security, the command was given without specifying a VLAN.

When was a limit per VLAN added?

I agree it could be handy.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/53SG/configuration/port_sec.html#wp1070234

I see the VLAN option when using sticky, but not when specifying the maximum number of MAC addresses.

Hope to help

Giuseppe

Hello Giuseppe, and thanks for the reply.

It is strange that it actually accepts the "per vlan" commands, and apparently applies them, but that they disappear whenever the port is bumped.  I don't want to make the MAC addresses sticky because I want the PC support team to be able to replace a PC without having to phone me up to clear down the port security.  (That is why I have an inactivity aging time of only 1 minute.)  But I do want to ensure that the user cannot plug other stuff into the access vlan in parallel with his official PC.

I did try the two "per vlan" commands without the global maximum of 2, but of course that allowed only one device on the port, a PC or a phone.

I cannot really see why the two config lines should disappear like that.  I don't really want to have to open a TAC case for something so trivial, but as far as I can see, it looks like a bug.  What do you think?

You say you see the per-vlan option only with the sticky option ... do you mean in the documentation, or have you actually tried it on a real switch?  In my switches it allows me to configure it, but loses it whenever the port is bumped.

Kevin Dorrell

Luxembourg

Hello Kevin,

Happy New Year!

In the documentation, in the config guide for 12.2(53) in the link I had provided.

I haven't tried it in a real switch.

I agree that this looks like a SW bug, as the command looks like it is accepted, but is then removed after the port changes state to down and then to up.

So I would open a service request if this is impacting your network environment.

I have seen in the past also issues with 802.1X and VOIP phones here in the forums (either attempting to use 802.1X for the phones, or using some form of guest vlan/bypass for them).

Hope to help

Giuseppe

PS: your Italian is still good!

OK, Giuseppe, I'll open a case then.  I'll post back if I get a response.

Ciao,

Kevin Dorrell

Luxembourg
