06-21-2011 02:42 AM - edited 03-07-2019 12:54 AM
Hi,
I activated port-security on a switch, with the following commands:
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security
switchport port-security mac-address sticky
Everything is fine until I receive complaints about absence of connectivity on computers. IP phones still have connectivity.
Configuration is the following: PCs connect to network through Cisco phones.
The problem seems to be solved once we issue a "shut/no shut" on the port. Before that, I always ensure that there's no security violation.
Any idea?
06-21-2011 03:40 AM
I suggest you capture traffic on the switchport to determine how many mac addresses the port is actually seeing or you could just increase the maximum to 3 as a test....
HTH.
06-21-2011 06:18 AM
Andrew,
I only see two MAC addresses on the port, before activating port-security. Then, I enable port-security. IP phone still works. But the desktop does not have network connectivity.
06-21-2011 04:51 AM
I'd like to understand your port-security intentions. Did you want to have two TOTAL mac-addresses or two access mac-addresses? I find it best practice in a voice environment to define maximum mac-addresses for voice and access individually:
no switchport port-security maximum 2
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
This will give you more control over what TYPES of mac-addresses the port should allow. And it may clear up your issue as well.
Hope that helps.
06-21-2011 06:34 AM
Antonio,
I only want one MAC address on the access vlan, and one MAC address for the voice vlan.
I did as you mentioned, but I got a syslog message:
interface FastEthernet1/0/6
description --user--
switchport access vlan 323
switchport mode access
switchport voice vlan 2222
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security violation restrict
priority-queue out
mls qos trust cos
spanning-tree portfast
spanning-tree bpduguard enable
end
TNSWAGCS01112(config-if)#
TNSWAGCS01112(config-if)#
*Aug 12 03:27:45.504: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 9caf.caff.62fd on port FastEthernet1/0/6.
TNSWAGCS01112(config-if)#
TNSWAGCS01112(config-if)#
The MAC address that caused the violation is indeed the IP phone MAC address. In fact, when I add "switchport port-sec maximum 2", things get back to normal, and no more security violation messages appear:
TNSWAGCS01112(config-if)#switchport por
TNSWAGCS01112(config-if)#switchport port-security max 2
TNSWAGCS01112(config-if)#
TNSWAGCS01112#
TNSWAGCS01112#sh port-sec int fa1/0/6
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 9caf.caff.62fd:2222
Security Violation Count : 10
TNSWAGCS01112#
TNSWAGCS01112#
TNSWAGCS01112#sh mac add int fa1/0/6
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
323 7071.bc60.6f22 STATIC Fa1/0/6
2222 9caf.caff.62fd STATIC Fa1/0/6
Total Mac Addresses for this criterion: 2
TNSWAGCS01112#
TNSWAGCS01112#
I think Port-Security "needs" to know how many total MACs are allowed on the port, in addition to how many on access vlan and how many on voice vlan.
Any idea?
06-21-2011 07:55 AM
Raise your maximum to 3. See below with regards to Voice Vlan:
It's in Table 25-3 (Voice VLAN port, footnote 4). It's the fine print, but it's there:
Footnote 4: "You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN."
Hope that helps.
Message was edited by: Antonio Knox
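The rule quoted above is easy to get wrong when a port has both a per-VLAN and a port-level maximum, as the running-config posted earlier in this thread shows (per-VLAN maximums of 1 and 1, but the port-level maximum left at its default). The following script is an added example, not part of this thread or of any Cisco tool: it parses interface blocks in running-config form, and for every port that has port-security enabled and a voice VLAN, computes the minimum port-level maximum as "2 + access VLAN maximum" and emits the corrected command. Assumptions, labelled in the code: the port-level default of 1 when no maximum is configured, an access VLAN maximum of 1 when none is set per VLAN, and the sample config itself, which is constructed from the Fa1/0/6 block above plus three made-up interfaces.

```python
"""Check port-level port-security maximums on voice-enabled Cisco access ports.

Added example (not from the original thread). It implements the footnote
quoted above: with a voice VLAN configured, the port-level
"switchport port-security maximum" must be at least 2 plus the maximum
allowed on the access VLAN, because the phone itself consumes two secure
addresses. Only the expanded running-config syntax is parsed, not the
abbreviated CLI forms such as "switchport port-sec max 2".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Fa1/0/6 block posted in the thread, plus three
# hypothetical interfaces to show the other cases.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/6
 switchport access vlan 323
 switchport mode access
 switchport voice vlan 2222
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet1/0/7
 switchport access vlan 323
 switchport mode access
 switchport voice vlan 2222
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet1/0/8
 switchport voice vlan 2222
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
interface FastEthernet1/0/9
 switchport access vlan 323
 switchport port-security maximum 1
 switchport port-security
!
end
"""

PORT_DEFAULT_MAX = 1     # assumption: IOS default port-level maximum
ACCESS_DEFAULT_MAX = 1   # assumption: one host on the access VLAN if unset
PHONE_ADDRESSES = 2      # from the quoted footnote: voice VLAN needs two


@dataclass
class PortSec:
    name: str
    enabled: bool = False
    voice_vlan: Optional[int] = None
    maximum: int = PORT_DEFAULT_MAX
    max_access: Optional[int] = None
    max_voice: Optional[int] = None


_IFACE = re.compile(r"^interface\s+(\S+)$")
_VOICE = re.compile(r"^switchport voice vlan\s+(\d+)$")
_MAX = re.compile(
    r"^switchport port-security maximum\s+(\d+)(?:\s+vlan\s+(access|voice))?$")


def parse_interfaces(config: str) -> List[PortSec]:
    """Return one PortSec per 'interface' block in a running-config text."""
    ports: List[PortSec] = []
    cur: Optional[PortSec] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = _IFACE.match(line)
        if m:
            cur = PortSec(name=m.group(1))
            ports.append(cur)
            continue
        if line in ("!", "end"):
            cur = None          # block separator: leave the interface context
            continue
        if cur is None:
            continue
        if line == "switchport port-security":
            cur.enabled = True
            continue
        m = _VOICE.match(line)
        if m:
            cur.voice_vlan = int(m.group(1))
            continue
        m = _MAX.match(line)
        if m:
            count, scope = int(m.group(1)), m.group(2)
            if scope == "access":
                cur.max_access = count
            elif scope == "voice":
                cur.max_voice = count
            else:
                cur.maximum = count
    return ports


def required_maximum(p: PortSec) -> int:
    """Minimum port-level maximum that will not trip on the phone's MAC."""
    access = p.max_access if p.max_access is not None else ACCESS_DEFAULT_MAX
    return access + PHONE_ADDRESSES if p.voice_vlan is not None else access


def check(ports: List[PortSec]) -> List[dict]:
    """Flag voice-enabled, port-security-enabled ports whose maximum is too low."""
    findings = []
    for p in ports:
        if not p.enabled or p.voice_vlan is None:
            continue
        need = required_maximum(p)
        if p.maximum < need:
            findings.append({
                "interface": p.name,
                "configured": p.maximum,
                "required": need,
                "fix": f"switchport port-security maximum {need}",
            })
    return findings


if __name__ == "__main__":
    for f in check(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{f['interface']}: maximum {f['configured']} < {f['required']}; "
              f"apply: {f['fix']}")
```

On the constructed sample it flags Fa1/0/6 (port-level maximum still at the default of 1) and Fa1/0/7 (the thread's original "maximum 2" config) and suggests "maximum 3" for both; Fa1/0/8 already satisfies the rule and Fa1/0/9 has no voice VLAN, so neither is reported. Note that raising the port-level maximum does not loosen the per-VLAN limits: with "maximum 1 vlan access" still in place, a second PC behind the phone is still restricted.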
06-21-2011 09:23 AM
I understand that IP phone traffic -in the voice vlan- needs two MAC addresses by itself, right?
06-21-2011 09:35 AM
That is correct.
06-22-2011 01:58 AM
I implemented it that way. I tested it with two IP phones. The second one could not get an IP address, since sticky had learned a previous MAC and we limited the maximum number of MACs on the voice vlan to 1.
I guess it works. Thanks.