09-05-2011 03:25 AM - edited 03-07-2019 02:02 AM
I have discovered there is an issue with port security MAC sticky and IP phones. I have applied port security on some switches, with the settings set to accept a maximum of 2 MAC addresses (for IP phone & PC) per port, to be learned through 'sticky', and the violation action is to restrict access. The problem is, after applying port security on the IP phone port, when I unplug my laptop and plug it into another port on the same switch, the laptop can't get any connection because the IP phone is still up and the MAC address is learned from the IP phone port, not from the new port. Does anybody have any solution for it?
09-05-2011 05:12 AM
Hi,
First you need to allow at least 3 mac-addresses on the port.
Can you paste the config of the port.
Thanks
09-05-2011 08:11 PM
I think it has nothing to do with how many mac-addresses we allow, because the issue is that the mac address would never time out on the port security switch port.
09-05-2011 05:36 AM
Hi,
By default secure dynamic addresses have an absolute aging time of 0, which means they never expire, so you must set the aging type to inactivity with an aging time of 1 minute; then after one minute of inactivity from the laptop the addresses will be aged out on the first port and you can put it on another port.
int fx/x
switchport port-security aging time 1
switchport port-security aging type inactivity
Regards.
Alain.
09-05-2011 08:17 PM
Hi cadet,
Thanks for the reply. I did try these commands, but I found that the mac address table on the switch port would never time out even when there is no traffic to the port.
I found the weird behaviour is that my laptop mac address was shown in the switch mac address table once the port status was physically up, even before I initiated any traffic, and it never timed out.
For a switch port without port security configured, the mac address will only be shown after some traffic has been initiated. The mac address will time out of the mac address table after it exceeds the mac address aging time.
09-06-2011 03:03 AM
Hi Cashqoo,
Thanks for the advice.
I have found a workaround, because the port security mac address table aging doesn't work on sticky mac addresses, but it is working on static mac addresses. I have added the configuration below and changed all the sticky learned mac addresses to static mac addresses. Even though this is a bit troublesome and the 1 minute aging time is satisfied by all parties, it seems there is no better solution for running port security mac addresses behind an IP phone switchport for the time being.
switchport port-security aging time 1
switchport port-security aging type inactivity
switchport port-security aging static
09-06-2011 10:34 AM
There are 3 types of mac learning methods for port security; you may use the command show port-security address to view the aging timer status.
1. securedynamic: dynamically learnt from the switchport, and influenced by the aging timer.
2. securesticky: dynamically learnt from the switchport, and the mac address will be configured as a static sticky mac address under the interface configuration; there is no way it can be configured to be influenced by the aging timer.
3. static: manually configured mac address; by default it is not influenced by the aging timer, and you can use the command switchport port-security aging static to enable that. After the aging time expires, the static mac configuration is still there, but it would not take effect.
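The workaround Eric posted (sticky entries rewritten as static secure addresses plus "aging static") and Tai's point that sticky entries are never aged can be applied mechanically across a running-config. The script below is an added example, not something from this thread or from Cisco: it splits an IOS running-config into interface stanzas, rewrites every learned "switchport port-security mac-address sticky H.H.H" line into the static form "switchport port-security mac-address H.H.H" (keeping any "vlan voice" suffix), appends "switchport port-security aging static" where addresses were converted, and flags ports that have no inactivity aging configured. The interface names and MAC addresses in SAMPLE_CONFIG are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config excerpt (hypothetical interface names and
# MAC addresses, not taken from the thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
 switchport port-security mac-address sticky 0011.2233.aabb vlan voice
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
"""

# A learned sticky entry: "... mac-address sticky H.H.H [vlan ...]".
# The bare "mac-address sticky" line (sticky learning enabled) has no MAC and is left alone.
STICKY_ENTRY = re.compile(
    r"^(?P<indent>\s*)switchport port-security mac-address sticky "
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})(?P<rest>.*)$"
)
AGING_STATIC = "switchport port-security aging static"
AGING_INACTIVITY = "switchport port-security aging type inactivity"


def split_stanzas(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS running-config into (interface name, body lines) pairs."""
    stanzas: List[Tuple[str, List[str]]] = []
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name is not None:
                stanzas.append((name, body))
            name, body = line.split(" ", 1)[1], []
        elif line.startswith("!"):
            if name is not None:
                stanzas.append((name, body))
            name, body = None, []
        elif name is not None:
            body.append(line)
    if name is not None:
        stanzas.append((name, body))
    return stanzas


def convert_stanza(body: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Rewrite one interface body; return (new body, MACs made static, warnings)."""
    new_body, converted, warnings = [], [], []
    for line in body:
        m = STICKY_ENTRY.match(line)
        if m:
            # Same MAC (and any "vlan voice" suffix) as a static secure address,
            # which "aging static" can expire; a sticky entry never ages.
            new_body.append(f"{m['indent']}switchport port-security mac-address "
                            f"{m['mac']}{m['rest']}")
            converted.append(m["mac"].lower())
        else:
            new_body.append(line)
    present = {l.strip() for l in new_body}
    if converted:
        if AGING_STATIC not in present:
            new_body.append(" " + AGING_STATIC)
        if AGING_INACTIVITY not in present:
            warnings.append("no inactivity aging configured; static entries "
                            "will not age out when the host goes idle")
    return new_body, converted, warnings


def convert_sticky_to_static(config: str) -> Tuple[str, Dict[str, dict]]:
    """Apply the workaround to every interface; return new config and a per-port report."""
    out_lines: List[str] = []
    report: Dict[str, dict] = {}
    for name, body in split_stanzas(config):
        new_body, converted, warnings = convert_stanza(body)
        out_lines.append(f"interface {name}")
        out_lines.extend(new_body)
        out_lines.append("!")
        report[name] = {"converted": converted, "warnings": warnings}
    return "\n".join(out_lines) + "\n", report


if __name__ == "__main__":
    new_config, report = convert_sticky_to_static(SAMPLE_CONFIG)
    print(new_config)
    for port, info in report.items():
        print(port, info)
```

Run it against a saved "show running-config" to get the rewritten stanzas and a report of which ports were changed; ports that only enable sticky learning but have not yet learned anything (FastEthernet0/2 in the sample) are reported with nothing converted. The static entries still need an inactivity aging timer to expire, which is why the report warns when "aging type inactivity" is missing.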
09-06-2011 01:09 PM
Hi Tai,
you're correct. I've learned something new about port-security and it seems I should really practice more with all these features.
Regards.
Alain.
09-06-2011 04:21 AM
Hi Tai,
I'll test it on my switches later on, but how can the running-config presence of these sticky addresses influence their aging time configured with the commands I posted?
I'll have to investigate this stuff.
Regards.
Alain.
09-06-2011 02:41 AM
hi alain,
From my understanding, if the "sticky" command is used, it gets into the running configuration.
I don't think the aging command is able to remove the port-security command from the running configuration.
Correct me if I am wrong.
hi eric,
The problem should be caused by the sticky command. You can only have one mac address entry per vlan. It will work if you connect it to another port of the switch (configured with another vlan).