cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5635
Views
5
Helpful
9
Replies

port security mac sticky with IP phone issue

Tai Eric
Level 1
Level 1

I have discover there is a issue on port security mac sticky with IP phone. I have applied port security on some switches, with the settings set to accept maximum 2 mac addresses (for IP Phone & PC) per port, to be learned through ‘sticky’, and the violation action is to restrict access. The problem is, after applying port security on IP phone port, when I unplug my laptop to plug to another port on same ssitch, but the laptop couldn't get any connection due to the IPphone is still up and the mac address is learned from IPphone port, not from the new port. Did anybody have any solution for it?

9 Replies 9

mahmoodmkl
Level 7
Level 7

Hi,

First you need to allow atleast 3 mac-address on the port.

Can you paste the config of the port.

Thanks

I think it is nothing to do with how many mac -address we allow due to the issue is the mac address would never timeout on port security switch port.

cadet alain
VIP Alumni
VIP Alumni

Hi,

By default secure dynamic addresses have an absolute  aging time of 0 which means they never expire and so you must set the aging time to inactivity with an aging time of 1 minute and then after one minute of inactivity from the laptop the addresses will be aged out on the first port and you can put it on another port .

int fx/x

switchport port-security aging  time 1

switchport port-security aging  type inactivity

Regards.

Alain.

Don't forget to rate helpful posts.

Hi cadet,

Thanks for the reply, i did try for these command, but I found that the mac address table on the switch port would never timeout even there is no traffic to the port.

I found the weird behaiour is my laptop mac address was shown on switch mac address table once the port status is physically up even before I intial any traffic and never timeout out.

For non port security configured switch port , the mac address will only be shown after any traffic were initialled. The mac address will be time out on mac address table after it exceed mac address aging time.

Hi Cashqoo,

Thanks for the advise.

I have found a workaround due to the port security mac address table aging doesn;t work on sticky mac address, but it is working on static mac address. I have added configuration as below and changed all the sticky learned mac address to static mac, even this is a bit troublesome and 1 minute aging time is satisfied by all party, but it seem there is no other better solution for running port secure mac address behind a IPphone switchport for the time being.

switchport port-security aging time 1  

switchport port-security aging type inactivity 

switchport port-security aging static  

There are 3 type of mac learning methods for port security, you may use command show port-security address to view the aging timer status.

1.securedynamic: dynamic learnt from switchport, it is influenced by aging timer.

2.securesticky: dynamic learnt from switchport and the mac address will be configured as static sticky mac address under interface configuration, there is no way can configured to be influenced by aging timer

3.static: manually configure mac address, default is not influenced by aging timer, can use command switchport port-security aging static to enable. After aging time out, the static mac configuration is still there, but it would not take effect.

Hi Tai,

you're correct. I've learned something new about port-security and it seems I should really practice more with all these features.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Tai,

I'll test it on my switches later on but how can the running-config presence of these sticky addresses influence their aging time configured with the commands I posted ?

I'll have to investigate this stuff.

Regards.

Alain.

Don't forget to rate helpful posts.

hi alain,

from my understanding; if the "sticky" command is used, it gets into the running configuration.

i dont think the aging command is able to remove the port-security command from the running configuration.

correct me if i am wrong.

hi eric,

the problem should be caused by the sticky command. you can only have mac address entry per vlan. it will work if you were to connect it to another port of the switch (configured with another vlan).

Review Cisco Networking for a $25 gift card