01-10-2019 10:27 AM - edited 03-08-2019 05:00 PM
I have a Cisco 2960 switch and the ports have the following configuration:
interface GigabitEthernet4/0/6 !(Yealink Port)
description *** Desktop Comum ***
switchport access vlan 106
switchport mode access
switchport voice vlan 206
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security
ip arp inspection limit rate 25
priority-queue out
mls qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
service-policy input LOGICALIS_MMSO
ip dhcp snooping limit rate 25
When I move just a PC between two ports there are no problems, but when the first port is the PC port on the Yealink IP phone, that port locks the PC MAC address and the second port that I connect the PC to is blocked with the following message:
Jan 8 10:33:26.791: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.ebe6.29c5 on port GigabitEthernet4/0/13 (Second Port)
When I apply 'shut' and 'no shut' on the port where the Yealink is connected, the PC MAC on this port is released and the PC works on the second port.
Do you have any idea what it might be?
01-10-2019 12:37 PM
Hello pedro.miranda@l
Please correct me if I'm wrong, but I believe this is what you are saying:
The first situation would be okay, because when you disconnect the PC from switchport 1, the switchport goes to the down/down state and deletes all MAC addresses learned on that interface. Then when you connect the PC to switchport 2, the PC's MAC address is learned anew.
In the second situation, the PC MAC address is learned by switchport 1 when you connect the PC to the IP phone. When you disconnect the PC from the IP phone, switchport 1 never goes to the down/down state since the IP phone is still connected. When you connect the PC to switchport 2, its MAC address is still associated with switchport 1. This causes a port-security violation because a MAC move is not allowed between port-security enabled ports.
To avoid this situation, you can set a port-security aging time so that the PC MAC address gets deleted from the interface after a certain amount of time. If you are using a Cisco IP phone, some models support a feature called "CDP enhancement for 2nd port disconnect" (reference). This would clear the MAC address immediately, as the switch would see from the CDP advertisement the phone sent that the PC port was disconnected.
Let me know if this information helps.
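The aging-time fix described in the answer above, written out as an added example of the phone-port configuration (this is not the poster's configuration or Cisco's documentation; the interface name, VLAN numbers and the 2-minute timer are assumptions):

```cisco
! Added example: age out dynamically learned secure MACs so a PC that was
! unplugged from the phone's PC port does not stay bound to the phone port.
! Interface, VLANs and timer value are assumptions.
interface GigabitEthernet4/0/6
 description *** Desktop Comum (Yealink + PC) ***
 switchport mode access
 switchport access vlan 106
 switchport voice vlan 206
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ! Remove a secure MAC after 2 minutes without traffic from it.
 ! The default aging type is "absolute" (timer runs even while the host
 ! is active); "inactivity" is what frees the MAC of an unplugged PC.
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! One-off fix from exec mode, instead of shut / no shut on the phone port:
! clear only the dynamically learned entries of that interface.
!
!   clear port-security dynamic interface GigabitEthernet4/0/6
!
! Verification from exec mode:
!
!   show port-security interface GigabitEthernet4/0/6
!     (aging time/type, maximum, current and violation counts)
!   show port-security address
!     (which secure MAC is bound to which port and its remaining age)
```

The aging time is in minutes; with `aging type inactivity` the PC's MAC ages out only after it has been silent for that long, so a PC still attached to the phone keeps its entry while an unplugged one is released and can be learned on another port without a violation. The CDP-based second-port-disconnect feature mentioned above only applies to Cisco phones, so for a Yealink the aging timer (or a manual `clear port-security dynamic`) is the available option.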
01-10-2019 11:56 AM
For testing, does the port behave the same way if you remove port security?
no switchport port-security maximum 3
no switchport port-security violation restrict
no switchport port-security
HTH
01-10-2019 01:54 PM
Hello
@Matt Delony wrote:
"CDP enhancement for 2nd port disconnect" (reference).
Very useful Matt, cheers for sharing.
01-17-2019 03:10 AM
Hello Matt,
Thank you very much for your explanation.
The command port-security aging time solved the problem.
Have a nice day!