port-security and limited connectivity

Wassim Aouadi
Level 4

Hi,

I activated port-security on a switch, with the following commands:

switchport port-security maximum 2

switchport port-security violation restrict

switchport port-security

switchport port-security mac-address sticky

Everything is fine until I receive complaints about a lack of connectivity on computers. IP phones still have connectivity.

The configuration is the following: PCs connect to the network through Cisco phones.

The problem seems to be solved once we issue a "shut/no shut" on the port. Before that, I always ensure that there's no security violation.

Any idea?


andrew.prince
Level 10

I suggest you capture traffic on the switchport to determine how many MAC addresses the port is actually seeing, or you could just increase the maximum to 3 as a test.

HTH

Andrew,

I only see two MAC addresses on the port, before activating port-security. Then, I enable port-security. IP phone still works. But the desktop does not have network connectivity.

Antonio Knox
Level 7

I'd like to understand your port-security intentions. Did you want to have two TOTAL MAC addresses or two access MAC addresses? I find it best practice in a voice environment to define the maximum MAC addresses for voice and access individually:

no switchport port-security maximum 2

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

This will give you more control over what TYPES of MAC addresses the port should allow. And it may clear up your issue as well.

Hope that helps.

Antonio,

I only want one MAC address on the access vlan, and one MAC address for the voice vlan.

I did as you mentioned, but I got a syslog message:

interface FastEthernet1/0/6

description --user--

switchport access vlan 323

switchport mode access

switchport voice vlan 2222

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

switchport port-security violation restrict

priority-queue out

mls qos trust cos

spanning-tree portfast

spanning-tree bpduguard enable

end

TNSWAGCS01112(config-if)#

*Aug 12 03:27:45.504: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 9caf.caff.62fd on port FastEthernet1/0/6.

The MAC address that caused the violation is indeed the IP phone MAC address. In fact, when I add "switchport port-sec maximum 2", things get back to normal, and no more security violation messages appear:

TNSWAGCS01112(config-if)#switchport port-security max 2

TNSWAGCS01112#sh port-sec int fa1/0/6

Port Security              : Enabled

Port Status                : Secure-up

Violation Mode             : Restrict

Aging Time                 : 0 mins

Aging Type                 : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses      : 2

Total MAC Addresses        : 2

Configured MAC Addresses   : 0

Sticky MAC Addresses       : 0

Last Source Address:Vlan   : 9caf.caff.62fd:2222

Security Violation Count   : 10


TNSWAGCS01112#sh mac add int fa1/0/6

          Mac Address Table

-------------------------------------------

Vlan    Mac Address       Type        Ports

----    -----------       --------    -----

323    7071.bc60.6f22    STATIC      Fa1/0/6

2222    9caf.caff.62fd    STATIC      Fa1/0/6

Total Mac Addresses for this criterion: 2


I think Port-Security "needs" to know how many total MACs are allowed on the port, in addition to how many on the access VLAN and how many on the voice VLAN.

Any idea?

Raise your maximum to 3. See below with regard to the voice VLAN:

It's in Table 25-3 (Voice VLAN port, footnote 4); it's the fine print, but it's there.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swtrafc.html#wp1038546

Footnote 4: "You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN."

Hope that helps.

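The rule quoted above (port-wide maximum >= access-VLAN maximum + 2 whenever a voice VLAN is present) is easy to break in exactly the way the earlier per-VLAN suggestion did: setting only "maximum 1 vlan access" and "maximum 1 vlan voice" leaves the port-wide maximum at its IOS default of 1, which is what the PSECURE_VIOLATION above shows. The following Python audit script is an added example, not part of the original thread and not a Cisco tool. It parses interface stanzas from a running-config and flags voice-VLAN ports whose port-wide maximum is below the footnote's requirement. The sample config is constructed: Fa1/0/6 reproduces the failing stanza posted above, Fa1/0/7 is the corrected form with maximum 3, and Fa1/0/8 has no voice VLAN. When no per-VLAN access maximum is configured, the script assumes one PC behind the phone (access maximum 1); that assumption is ours, not the guide's.

```python
"""Audit Cisco IOS interface stanzas for the voice-VLAN port-security rule
(Catalyst 3750 guide, Table 25-3 footnote 4): with a voice VLAN, the port-wide
maximum must be at least two plus the access-VLAN maximum.
Added example, not a Cisco tool; the sample config below is constructed."""
import re

DEFAULT_MAX = 1  # IOS default when "switchport port-security maximum" is unset

# Constructed sample. Fa1/0/6 reproduces the failing stanza from the thread
# (per-VLAN maxima set, port-wide maximum left at its default of 1); Fa1/0/7 is
# the corrected form (3 = access max 1 + 2); Fa1/0/8 has no voice VLAN.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/6
 switchport access vlan 323
 switchport mode access
 switchport voice vlan 2222
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet1/0/7
 switchport access vlan 323
 switchport mode access
 switchport voice vlan 2222
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface FastEthernet1/0/8
 switchport access vlan 323
 switchport mode access
 switchport port-security
!
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?")
VOICE_RE = re.compile(r"switchport voice vlan (\d+)")


def parse_interfaces(config):
    """Split a running-config into {interface name: [sub-command lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return interfaces


def port_security_settings(lines):
    """Extract the port-security fields the voice-VLAN rule depends on."""
    s = {"enabled": False, "voice_vlan": None, "max_total": DEFAULT_MAX,
         "max_access": None, "max_voice": None}
    for line in lines:
        if line == "switchport port-security":
            s["enabled"] = True
        elif m := VOICE_RE.fullmatch(line):
            s["voice_vlan"] = int(m.group(1))
        elif m := MAX_RE.fullmatch(line):
            n, scope = int(m.group(1)), m.group(2)
            key = {None: "max_total", "access": "max_access", "voice": "max_voice"}[scope]
            s[key] = n
    return s


def required_total(settings):
    """Port-wide maximum the footnote requires: access-VLAN maximum + 2.
    Assumption (ours, not the guide's): with no explicit per-VLAN access
    maximum, one PC behind the phone is expected, so access max = 1."""
    access = settings["max_access"] if settings["max_access"] is not None else 1
    return access + 2


def audit(config):
    """Return {interface: finding} for voice-VLAN ports that break the rule."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        s = port_security_settings(lines)
        if not s["enabled"] or s["voice_vlan"] is None:
            continue  # rule only applies to port-security ports with a voice VLAN
        need = required_total(s)
        if s["max_total"] < need:
            findings[name] = {"configured": s["max_total"], "required": need,
                              "fix": f"switchport port-security maximum {need}"}
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE_CONFIG).items():
        print(f"{name}: maximum {f['configured']} < {f['required']}; add '{f['fix']}'")
```

Run it against "show running-config" output saved to a file and it reports Fa1/0/6 with configured 1, required 3, and the one-line fix; the corrected Fa1/0/7 and the data-only Fa1/0/8 are silent. The check deliberately looks only at the port-wide maximum, because that is the value the footnote constrains; the per-VLAN maxima are parsed so the access-VLAN figure feeds the "+2" computation.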

I understand that IP phone traffic (in the voice VLAN) needs two MAC addresses by itself, right?

That is correct.

I implemented it that way. I tested it with two IP phones. The second one could not get an IP address, since sticky had learned a previous MAC and we limited the maximum number of MACs on the voice VLAN to 1.

I guess it works. Thanks.
