Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2314
Views
0
Helpful
11
Replies

Mac based security on 3560E

Go to solution
love4u.pratik
Beginner
Beginner

‎08-16-2010 02:44 AM - edited ‎03-06-2019 12:29 PM

Hello,

               I am having all 3560E as my edge switches. All the ports are having IP phones connected and PCs are connected to IP phones. I was looking forward to implement port based security.

              First of all is it a good practice to MAC based security in such environment ? Second are there any other options to make ports more secure ? Right now the ports are dynamic when i changed them to static with "switchport mode access" and gave commands like "switchport port-security" and "switchport port-security maximum 2" the port was shutdown and i there was no LED on it.

              Please suggest.

Regards,

Pratik Mavani

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Collin Clark
Advisor
Advisor
In response to steve

‎08-16-2010 06:52 AM

That's the way we did too, but we had to sticky. It's a real pain as the port security violations seems to come in waves. We have since roled out 802.1x for phones and workstations. No more security violations (except when printers are moved).

View solution in original post

0 Helpful

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee
In response to love4u.pratik

‎08-17-2010 06:19 AM

Hello,

What code version you are running on the switch? In some of the older code

versions, the switch will learn the IP Phone MAC address both in data VLAN

as well as voice VLAN. When the IP Phone boots up, it will not know anything

about the Voice VLAN. Hence, it just comes up as a regular host and sends

untagged packets towards the switch. Switch will receive it in the native

VLAN and then handles it accordingly. The IP Phone will get an IP in the

data VLAN range first and then contacts the TFTP server for IP Phone

configuration. Once it downloads the configuration and realizes the voice

VLAN, it disassociates itself from the data VLAN and sends a new DHCP

request (tagged) on the voice VLAN. In the latest code (fixed) the switch

will remove the IP Phone MAC address association from the Data VLAN.

However, in the older code, the switch will not delete the MAC address from

the Data VLAN. That is the reason, you will see 3 MAC addresses (2 for IP

Phone and one for the PC). So, it is OK to set the limit to 3 as long as the

duplicate MAC is of the IP Phone alone.

Hope this helps.

Regards,

NT

View solution in original post

0 Helpful
11 Replies 11