08-16-2010 02:44 AM - edited 03-06-2019 12:29 PM
Hello,
I have 3560Es as my edge switches. All the ports have IP phones connected, and the PCs are connected to the IP phones. I was looking to implement port-based security.
First of all, is it good practice to use MAC-based security in such an environment? Second, are there any other options to make the ports more secure? Right now the ports are dynamic; when I changed them to static with "switchport mode access" and gave commands like "switchport port-security" and "switchport port-security maximum 2", the port was shut down and there was no LED on it.
Please suggest.
Regards,
Pratik Mavani
08-16-2010 06:52 AM
That's the way we did it too, but we had to use sticky. It's a real pain, as the port security violations seem to come in waves. We have since rolled out 802.1x for phones and workstations. No more security violations (except when printers are moved).
08-17-2010 06:19 AM
Hello,
What code version are you running on the switch? In some of the older code versions, the switch will learn the IP Phone MAC address both in the data VLAN as well as the voice VLAN. When the IP Phone boots up, it will not know anything about the voice VLAN. Hence, it just comes up as a regular host and sends untagged packets towards the switch. The switch will receive them in the native VLAN and then handle them accordingly. The IP Phone will get an IP in the data VLAN range first and then contact the TFTP server for the IP Phone configuration. Once it downloads the configuration and realizes the voice VLAN, it disassociates itself from the data VLAN and sends a new DHCP request (tagged) on the voice VLAN. In the latest code (fixed) the switch will remove the IP Phone MAC address association from the data VLAN. However, in the older code, the switch will not delete the MAC address from the data VLAN. That is the reason you will see 3 MAC addresses (2 for the IP Phone and one for the PC). So, it is OK to set the limit to 3 as long as the duplicate MAC is that of the IP Phone alone.
Hope this helps.
Regards,
NT
08-16-2010 03:20 AM
Hi Pratik,
I know next to nothing about IP telephony, but from what I read I wanted to ask if you have configured the switchport security to use sticky addresses, i.e. 'switchport port-security mac-address sticky'.
This, in conjunction with your maximum of 2, will learn the first two MAC addresses the switch sees on the port in question. Otherwise you have to hard-code the MAC addresses.
Just a thought. Also saw this doc which may be of interest to you.
Cheers,
Conor
08-16-2010 06:38 AM
Hi Pratik,
I think Conor has got it nailed. When the "switchport port-security mac-address sticky" command is used, then all MAC addresses dynamically learned on that port are added to the running configuration. As a result, if two old MAC addresses have been learned and you have configured the port for a maximum of two addresses, then the port will error disable.
You can view the status of the port using "show port-security interface" command. If old MAC addresses have been learned use the "clear port-security" command to clear old entries.
Regarding voice - I would usually configure a user port with the following characteristics.
Cheers
Stephen
08-16-2010 10:13 PM
Hi Collin,
I did the same configuration as described by Stephen, but when I do it sticky the port gets blocked.
When I read a Cisco guide, it says 802.1x can only be done on point-to-point ports, that is, workstations connecting directly to the switch, or for wireless. In my scenario I have IP phones connected to the switch and machines connected to the IP phones.
08-17-2010 01:55 AM
OK, I applied the configuration with 3 MACs and it is working...
switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/27 2 0 1 Shutdown
Gi0/28 3 2 0 Shutdown
---------------------------------------------------------------------------
But I didn't understand one thing: why do I need to keep a maximum of 3 addresses? It shows a secure address count of 2, so it learns 2 addresses, one of the PC and one of the IP phone I suppose, but when I configure a maximum of 2 addresses it shuts down that port. If I keep the maximum MAC addresses at 3, which is the 3rd MAC address? Is it the port's MAC address???
08-16-2010 10:11 PM
Stephen, if I do the following kind of configuration
and if I do it dynamically learned, not sticky, in that case when I connect my phone and computer to a single port, the switch learns the first two addresses dynamically; now when I remove the PC or phone and any other user connects, he will also get connectivity seamlessly, right? I want to stop users from moving their laptops from one point to another without IT's intervention.
08-17-2010 01:56 AM
Hi Pratik,
If you want to tie the ports down to only the laptop and phone then I would recommend the following.
This should ensure that the first two MAC addresses learnt on the port are the IP phone and the laptop. In addition, it will ensure that nothing else at all can be connected to the switch without IT intervention.
Finally, the access ports configured with a data VLAN and a voice VLAN will still be treated as P2P ports. As a result, you can run 802.1X on them. This is slightly more complicated and requires an external authentication server. However, it offers a more robust solution.
Cheers
Stephen
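The tie-down Stephen describes above (sticky learning with a per-port limit, err-disable on violation) and NT's later explanation of why the count has to be 3 on older code can be put together in one access-port configuration. The block below is an added example, not the configuration Stephen or Pratik posted; the interface name (GigabitEthernet0/28), data VLAN 10 and voice VLAN 20 are assumed values.

```cisco
! Added example (assumed values: interface Gi0/28, data VLAN 10, voice VLAN 20).
interface GigabitEthernet0/28
 description IP phone with PC daisy-chained behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Enable port security and record the learned MACs as sticky entries, so the
 ! first addresses seen are written to the running config (save it with
 ! "write memory" so they survive a reload).
 switchport port-security
 switchport port-security mac-address sticky
 ! Port-wide limit of 3, not 2: older IOS releases keep the phone's MAC in the
 ! data VLAN after the phone moves to the voice VLAN, so the port sees
 ! phone (data VLAN) + phone (voice VLAN) + PC (data VLAN).
 switchport port-security maximum 3
 ! Per-VLAN sub-limits keep the tie-down tight within that total: at most one
 ! secure address on the voice VLAN and two on the access (data) VLAN.
 switchport port-security maximum 1 vlan voice
 switchport port-security maximum 2 vlan access
 ! shutdown is the default violation mode; it err-disables the port, which is
 ! what forces an IT visit when someone moves a laptop to another jack.
 switchport port-security violation shutdown
!
! Optional: recover err-disabled ports automatically after 10 minutes instead
! of requiring a manual "shutdown" / "no shutdown" on the interface.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
```

Once the phone and PC have come up, "show port-security interface gi0/28 address" lists the secure MACs with their VLAN; on older code you should see the phone's MAC twice (VLAN 10 and VLAN 20) plus the PC's MAC on VLAN 10, which is the 3-address count the thread observes. With sticky entries the phone is also locked to the port, so swapping a phone triggers the same violation as swapping a laptop; if only the PC must be pinned, the data VLAN entry for the PC can instead be configured statically with "switchport port-security mac-address <mac> vlan access" and the voice VLAN left to dynamic learning.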
08-17-2010 02:15 AM
hi stephen,
I actually tried to configure port security on a fresh port, but I still need to keep the maximum at 3 MAC addresses. First I tried with 2 MAC addresses, but as soon as I connect the port it goes into errdisable state. When I keep the maximum at 3 it works fine.
Thanks and Regards,
Pratik Mavani
08-17-2010 11:20 PM
Thank you so much NT, that was really, really helpful. Actually yes, it is showing the same MAC address twice, in the voice and data VLANs, and one MAC address of my PC in the data VLAN.
I am running 12.2(35)SE5 on a Cisco 3560E, and the IOS is universal-M, so as per your statement I think this could be the reason.
08-17-2010 02:01 AM
Hi Pratik,
If you run the following command it will show you the actual MAC addresses learned on the port; this might tell you what's going on.
#show port-security interface gi 0/27 address
Cheers
Stephen