2506 Views · 10 Helpful · 4 Replies

Cisco Switch with port security issues

I have a Cisco 2960 switch and the ports have the following configuration:

interface GigabitEthernet4/0/6 !(Yealink Port)
 description *** Desktop Comum ***
 switchport access vlan 106
 switchport mode access
 switchport voice vlan 206
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security
 ip arp inspection limit rate 25
 priority-queue out
 mls qos trust device cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy input LOGICALIS_MMSO
 ip dhcp snooping limit rate 25

When I move just a PC between two ports there are no problems, but when the first port is the PC port of the Yealink IP phone, that port locks the PC MAC address and the second port that I connect the PC to is blocked with the following message:

 

Jan  8 10:33:26.791: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 847b.ebe6.29c5 on port GigabitEthernet4/0/13 (Second Port)

 

When I apply 'shut' and 'no shut' on the port where the Yealink is connected, the PC MAC on this port is released and the PC works on the second port.

 

Do you have any idea what it might be?

Accepted Solution

Matt Delony
Cisco Employee

Hello pedro.miranda@la.logicalis.com,

 

Please correct me if I'm wrong, but I believe this is what you are saying:

  • If you connect a PC directly to switchport 1 and then move it to switchport 2, there is no issue
  • You connect a PC to an IP phone, then connect the IP phone to switchport 1. Then you move the PC to switchport 2, directly connected, and it causes a port-security violation

 

The first situation would be okay, because when you disconnect the PC from switchport 1, the switchport goes to the down/down state and deletes all MAC addresses from the switchport interface. Then when you connect the PC to switchport 2, the MAC address of the PC is learned again.

 

In the second situation, the PC MAC address is learned by switchport 1 when you connect the PC to the IP phone. When you disconnect the PC from the IP phone, switchport 1 never goes to the down/down state since the IP phone is still connected. When you connect the PC to switchport 2, its MAC address is still associated with switchport 1. This causes a port-security violation because a MAC move is not allowed between port-security enabled ports.

 

To avoid this situation, you can set the port-security aging time so that the PC MAC address gets deleted from the interface after a certain amount of time. If you are using a Cisco IP phone, some models support a feature called "CDP enhancement for 2nd port disconnect" (reference). This would clear the MAC address immediately, as the switch would see that the PC port was disconnected from the CDP advertisement the phone had sent.

 

Let me know if this information helps.

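The sequence Matt describes (MAC secured on the phone's port, no flush because the link stays up, violation on the second port, and the aging-time fix) as a small added model written for this thread. It is not Cisco code: the switch is reduced to exactly those rules, and the IOS knobs it mirrors are `switchport port-security aging time <minutes>` (the fix the thread confirms) and `switchport port-security aging type {absolute | inactivity}`, which I am assuming from IOS rather than from this page. Port names and the phone MAC are constructed; the PC MAC is the one from the log line above.

```python
"""Model of port-security MAC learning, link-down flush, aging and the
MAC-move violation. Added illustration for this thread, not Cisco code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PC_MAC = "847b.ebe6.29c5"      # MAC from the %PORT_SECURITY log line in the thread
PHONE_MAC = "0011.2233.4455"   # constructed MAC for the Yealink phone


@dataclass
class SecureEntry:
    learned: float     # simulated clock (minutes) when first secured
    last_seen: float   # refreshed on every frame; used by inactivity aging


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # switchport port-security maximum N
    aging_time: int = 0           # aging time in minutes; 0 = never age (IOS default)
    aging_type: str = "absolute"  # "absolute" or "inactivity"
    entries: Dict[str, SecureEntry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)  # syslog lines in the thread's format


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}
        self.now = 0.0  # simulated clock in minutes

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def owner_of(self, mac: str) -> Optional[str]:
        """Port on which `mac` is currently a secure address, if any."""
        for name, port in self.ports.items():
            if mac in port.entries:
                return name
        return None

    def frame(self, port_name: str, mac: str) -> bool:
        """Process a frame with source `mac` on `port_name`. Returns True if
        accepted, False on a violation (dropped and logged; 'restrict' keeps
        the port up)."""
        port = self.ports[port_name]
        if mac in port.entries:
            port.entries[mac].last_seen = self.now
            return True
        owner = self.owner_of(mac)
        reason = None
        if owner is not None:
            reason = f"MAC move from {owner}"   # still secured on another port
        elif len(port.entries) >= port.maximum:
            reason = "maximum exceeded"
        if reason:
            port.log.append(
                f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                f"caused by MAC address {mac} on port {port_name} ({reason})")
            return False
        port.entries[mac] = SecureEntry(self.now, self.now)
        return True

    def link_down(self, port_name: str) -> None:
        """Unplug or shut/no shut: dynamic secure addresses are flushed."""
        self.ports[port_name].entries.clear()

    def advance(self, minutes: float) -> None:
        """Move the clock and age out entries on ports with an aging time."""
        self.now += minutes
        for port in self.ports.values():
            if port.aging_time == 0:
                continue
            for mac, entry in list(port.entries.items()):
                start = entry.last_seen if port.aging_type == "inactivity" else entry.learned
                if self.now - start >= port.aging_time:
                    del port.entries[mac]


def scenario(aging_time: int = 0, aging_type: str = "absolute",
             shut_no_shut: bool = False):
    """PC behind the phone on Gi4/0/6, then plugged straight into Gi4/0/13.
    Returns (accepted on the second port, syslog lines from the second port)."""
    sw = Switch()
    for name in ("Gi4/0/6", "Gi4/0/13"):
        sw.add_port(SecurePort(name, maximum=3, aging_time=aging_time, aging_type=aging_type))
    sw.frame("Gi4/0/6", PHONE_MAC)
    sw.frame("Gi4/0/6", PC_MAC)            # PC learned behind the phone
    # PC unplugged from the phone: the link stays up, so nothing is flushed;
    # the phone keeps talking while the PC goes quiet for six minutes.
    for _ in range(6):
        sw.advance(1)
        sw.frame("Gi4/0/6", PHONE_MAC)
    if shut_no_shut:
        sw.link_down("Gi4/0/6")
        sw.frame("Gi4/0/6", PHONE_MAC)     # phone relearned after no shut
    accepted = sw.frame("Gi4/0/13", PC_MAC)
    return accepted, sw.ports["Gi4/0/13"].log


if __name__ == "__main__":
    for kwargs in ({}, {"aging_time": 2, "aging_type": "inactivity"}, {"shut_no_shut": True}):
        ok, log = scenario(**kwargs)
        print(kwargs or "default", "->", "accepted" if ok else log[-1])
```

With the defaults the PC is rejected on Gi4/0/13 and the port logs a line in the same shape as the one in the question; with a two-minute aging time, or after a shut/no shut on the phone's port, the move is clean. Inactivity aging is the gentler choice here because the phone's own entry is only refreshed, never dropped, while the silent PC ages out.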

4 Replies

Reza Sharifi
Hall of Fame

For testing, does the port behave the same way if you remove port security?

no switchport port-security maximum 3
no switchport port-security violation restrict
no switchport port-security

HTH


Hello

@Matt Delony wrote:

    "CDP enhancement for 2nd port disconnect" (reference).

Very useful, Matt, cheers for sharing.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Matt,

 

Thank you very much for your explanation. 

 

The port-security aging time command solved the problem.

 

Have a nice day!

 
