07-20-2009 06:39 AM - edited 03-06-2019 06:51 AM
Hi, I'm running 12.2(50) on a 3560-48PS and want only the phone and a single PC attached to the port (which I have for this example), but I cannot get this to work.
I currently have:
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode access
switchport voice vlan 141
switchport port-security maximum 3 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
storm-control broadcast level 20.00
storm-control multicast level 50.00
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
but it still locks out seconds after I activate the port. I originally tried maximum 1 vlan access, but that obviously didn't work (I've heard that some switches need 3 MACs on the access side even though you end up with 1).
Ideas?
JM
07-20-2009 06:54 AM
When the phone first connects to the network, its request goes to the data VLAN, hence consuming a MAC address allocation. Once the phone obtains the necessary information from the DHCP server and TFTP server, it moves itself to the voice VLAN.
Your configuration above should work. With that said, I'm assuming you have your data VLAN on VLAN 1? It is not recommended to use VLAN 1 for user traffic. You can also remove the trunk line from the config, as you are using an access VLAN with the voice VLAN as auxiliary.
HTH,
__
Edison.
07-20-2009 07:01 AM
Thanks, I thought it should work; the problem is I'm getting
Jul 20 09:59:00.980 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.7298.1d0c on port FastEthernet0/10.
This is the MAC of the PC attached to the phone.
Ideas on what to look at next?
JM
(Agreed, VLAN 1 is not optimal, but it's too much of a PITA to change it for this site at the moment.)
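The %PORT_SECURITY-2-PSECURE_VIOLATION message above is what a port in violation mode restrict emits each time it drops a frame from an address beyond its maximum, alongside incrementing the "Security Violation Count" shown later in the thread. The following parser is an added example, not code from the thread or from Cisco: it re-joins messages that were wrapped onto a continuation line when pasted (exactly as the one above was), extracts the timestamp, MAC and port, and counts violations per port so a repeated offender like the PC behind the phone stands out. The sample log is constructed; its first two lines are the wrapped message from the post, the other events are made up in the same IOS format.

```python
import re
from collections import Counter

# Constructed sample log: the first two lines are the wrapped message JM pasted in the thread; the
# rest are made-up follow-on events in the same IOS format (one repeat on fa0/10, one on a second port).
SAMPLE_LOG = [
    "Jul 20 09:59:00.980 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred",
    ", caused by MAC address 0013.7298.1d0c on port FastEthernet0/10.",
    "Jul 20 09:59:03.112 CDT: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up",
    "Jul 20 10:01:15.402 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0013.7298.1d0c on port FastEthernet0/10.",
    "Jul 20 10:02:30.007 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address 0001.0203.0405 on port FastEthernet0/12.",
]

# Matches the IOS message with a "service timestamps log datetime msec show-timezone" prefix.
VIOLATION_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Z]{3,4})?):\s+"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:\s+Security violation occurred,\s+"
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"on port (?P<port>[A-Za-z-]+\d+(?:/\d+)*)",
    re.IGNORECASE,
)


def join_wrapped(raw_lines):
    """Re-attach continuation fragments (lines starting with ',') to the preceding message."""
    out = []
    for line in raw_lines:
        if out and line.startswith(","):
            out[-1] = out[-1].rstrip() + line.rstrip()
        else:
            out.append(line.rstrip())
    return out


def normalize_mac(cisco_mac):
    """0013.7298.1d0c -> 00:13:72:98:1d:0c so it can be matched against DHCP/NAC inventories."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_violations(raw_lines):
    """Return one dict per PSECURE_VIOLATION message; other syslog lines are ignored."""
    events = []
    for line in join_wrapped(raw_lines):
        m = VIOLATION_RE.search(line)
        if m:
            events.append({"timestamp": m.group("ts"),
                           "mac": normalize_mac(m.group("mac")),
                           "port": m.group("port")})
    return events


def summarize(raw_lines):
    """Per-port violation counts and the distinct offending MACs, for triage."""
    events = parse_violations(raw_lines)
    counts = Counter(e["port"] for e in events)
    macs = {}
    for e in events:
        macs.setdefault(e["port"], set()).add(e["mac"])
    return counts, {p: sorted(m) for p, m in macs.items()}


if __name__ == "__main__":
    counts, macs = summarize(SAMPLE_LOG)
    for port in counts:
        print("%s: %d violation(s) from %s" % (port, counts[port], ", ".join(macs[port])))
```

Feed it the output of a syslog collector rather than a terminal paste and the join step becomes a no-op; the per-port summary is the useful part, since one MAC tripping the same port repeatedly is the signature of an allocation problem like the one in this thread, whereas many different MACs on one port is worth a closer look.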
07-20-2009 07:07 AM
'sh port-security int f0/10' will tell you how many addresses have been allocated.
If the old MAC addresses aren't timing out on time, you should adjust the timers.
07-20-2009 07:52 AM
Interesting, I think we're getting somewhere. If I do not have the statement "switchport port-security maximum 2" added in addition to my VLAN specifics, it does not recognize more than 1 address.
interface FastEthernet0/10
switchport trunk encapsulation dot1q
switchport mode access
switchport voice vlan 141
switchport port-security maximum 2
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
storm-control broadcast level 20.00
storm-control multicast level 50.00
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
If I take that out, then I go back to this:
Civic41#sho port-security interface f0/10
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0013.7298.1d0c:1
Security Violation Count : 1
Bug?
07-20-2009 08:22 AM
Is it happening in all switchports?
I copied and pasted your config on a switch and just made changes on the access VLAN and voice VLAN as they were created on the switch:
Rack1SW1(config-if)#do show run int f0/1
Building configuration...
Current configuration : 585 bytes
!
interface FastEthernet0/1
switchport access vlan 18
switchport mode access
switchport voice vlan 7
switchport port-security maximum 2
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
storm-control broadcast level 20.00
storm-control multicast level 50.00
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
end
Rack1SW1(config-if)#do show port-sec int f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000e.d780.3640:18
Security Violation Count : 0
BTW, you may want to change the maximum to 3, based on what I explained before.
The config should look like this:
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
07-20-2009 10:12 AM
Right, but does the base "switchport port-security maximum 3" even need to be there if the other two statements are there? I thought that statement was an older option from before specifying VLANs became an option?
07-20-2009 10:31 AM
I don't think so; removing that command will default the value to 1 MAC address.
interface FastEthernet0/1
switchport access vlan 18
switchport mode access
switchport voice vlan 7
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
storm-control broadcast level 20.00
storm-control multicast level 50.00
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
end
Rack1SW1#sh port-secu int f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 2 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 000e.d780.3640:18
Security Violation Count : 0
I believe the way it works is: you set a global maximum first and then allocate to the data and voice VLANs from that maximum value.
Without that command, as you note above, your max is 1 for the whole switchport.
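The allocation rule Edison describes (a port-level maximum that defaults to 1, with the per-VLAN maxima carved out of it) is easy to get wrong in a template and hard to spot in a long running-config, because the switch accepts the per-VLAN lines without complaint. The checker below is an added example, not code from the thread or from Cisco: it reads an interface block, derives the effective maxima the way the "show port-security interface" output on this page does, and reports the mismatches the thread ran into, namely per-VLAN maxima that add up to more than the port maximum, the missing "switchport mode access" and "switchport port-security" statements from Reza's attempt, and an access-VLAN allowance too small for the phone's boot-time MAC plus one PC (Edison's explanation above). Optionally it cross-checks the config against pasted "show port-security interface" output. The sample blocks are constructed from the configs posted in the thread, trimmed to the port-security lines; the "needs at least 2 on the access VLAN" rule is a heuristic taken from the thread's explanation, not a vendor-documented limit.

```python
import re

# Constructed sample (from the thread's first post): per-VLAN maxima but no port-level maximum.
JM_ORIGINAL = """
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport voice vlan 141
 switchport port-security maximum 3 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
"""

# Constructed sample (Edison's recommendation): port maximum 3 = 2 access + 1 voice.
RECOMMENDED = """
interface FastEthernet0/1
 switchport access vlan 18
 switchport mode access
 switchport voice vlan 7
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
"""

# Constructed sample of the 'show port-security interface' output JM posted for the failing port.
SHOW_FAILING = """
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Last Source Address:Vlan : 0013.7298.1d0c:1
Security Violation Count : 1
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?$")


def config_lines(text):
    """Strip an interface block down to its bare config statements."""
    skip = ("end", "!", "Building configuration...")
    return [l.strip() for l in text.splitlines()
            if l.strip() and l.strip() not in skip and not l.strip().startswith("Current configuration")]


def port_security_summary(lines):
    """Effective settings; the port maximum defaults to 1 when no bare 'maximum N' line is present."""
    s = {"mode_access": "switchport mode access" in lines,
         "port_security": "switchport port-security" in lines,
         "voice_vlan": None, "max_total": 1, "max_access": None, "max_voice": None}
    for line in lines:
        if line.startswith("switchport voice vlan "):
            tok = line.split()[-1]
            s["voice_vlan"] = int(tok) if tok.isdigit() else tok  # 'dot1p'/'untagged' kept as text
        m = MAX_RE.match(line)
        if m:
            key = "max_total" if m.group(2) is None else "max_" + m.group(2)
            s[key] = int(m.group(1))
    return s


def parse_show_port_security(text):
    """Turn the 'Key : Value' lines of 'show port-security interface' into a dict."""
    return dict((k.strip(), v.strip()) for k, v in
                (line.split(" : ", 1) for line in text.splitlines() if " : " in line))


def lint_port_security(config_text, show_text=None):
    """Return findings; an empty list means the block follows the pattern that worked in the thread."""
    s = port_security_summary(config_lines(config_text))
    findings = []
    if not s["mode_access"]:
        findings.append("missing 'switchport mode access' (port-security needs a static access port)")
    if not s["port_security"]:
        findings.append("missing 'switchport port-security' (feature not enabled on the port)")
    per_vlan = sum(v for v in (s["max_access"], s["max_voice"]) if v is not None)
    if per_vlan > s["max_total"]:
        findings.append("per-VLAN maxima add up to %d but the port maximum is %d; set 'switchport "
                        "port-security maximum %d'" % (per_vlan, s["max_total"], per_vlan))
    access_allowance = s["max_access"] if s["max_access"] is not None else s["max_total"]
    if s["voice_vlan"] is not None and access_allowance < 2:
        findings.append("voice VLAN set but only %d address allowed on the access VLAN; the phone's "
                        "boot-time MAC plus one PC needs at least 2" % access_allowance)
    if show_text is not None:  # cross-check the running config against operational state
        shown = parse_show_port_security(show_text)
        shown_max = int(shown.get("Maximum MAC Addresses", "0"))
        if shown_max != s["max_total"]:
            findings.append("switch reports Maximum MAC Addresses %d but the config implies %d"
                            % (shown_max, s["max_total"]))
        if int(shown.get("Security Violation Count", "0")) > 0:
            findings.append("violations already logged on this port (last source %s)"
                            % shown.get("Last Source Address:Vlan", "unknown"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("JM original", JM_ORIGINAL), ("recommended", RECOMMENDED)):
        print(name, "->", lint_port_security(cfg) or "OK")
```

Run it over every "interface" block of a "show running-config" dump before rolling a port-security template out to a site, and keep the violation mode in mind when reading the results: with restrict the symptom is the syslog message and a rising counter, with shutdown the same allocation mistake err-disables the port, which is much noisier for users. Note that the checker follows Edison's arithmetic (3 = 2 + 1), so it still flags the "maximum 2 / 2 access / 1 voice" variant JM found working on the 3560; that is deliberate, because a configuration that depends on the switch not counting the phone's boot-time address is one that may stop working on a different platform or release.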
07-20-2009 01:01 PM
Edison,
I have two 3560s that are running IOS 12.2(50).
These two commands are not supported:
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
Here is the output:
switch-1(config-if)#do sh run inter gi0/47
Building configuration...
Current configuration : 73 bytes
!
interface GigabitEthernet0/47
switchport port-security maximum 3
end
switch-1(config-if)#switchport port-security maximum 2 ?
If I try switchport port-security maximum 2, it will replace 3.
Thanks,
Reza
07-20-2009 01:04 PM
1) You need to statically set the port to access: 'switchport mode access'
2) You need to enter 'switchport port-security'
3) Then you can enter the other commands.
07-20-2009 01:22 PM
What is interesting is that with switchport port-security maximum 2 set, the system works with both my devices instead of setting it to maximum 3. So apparently the switch is smart enough not to look at the CDP packet on the phone's initial bootup and count it. Last I heard from Cisco, it was the 3550s that still did that, where you had to set it to 3.
Sounds like my problem was not having the global maximum in there. I guess as long as it works :)
07-20-2009 01:56 PM
Edison,
Thanks,
I got it working on the 3560s, but when I try the same commands on a 6500-E running 12.2(33)SXI, it does not like the commands at all.
Reza
07-20-2009 02:05 PM
By default, 6500 ports are L3 switchports and you must change them to L2 by typing 'switchport'.
Without seeing the config, it's hard to understand where the command failed.
Please take a moment and read the documentation:
Please remember to rate helpful posts