Port security on 6500 sticky not working on voice vlan.

jkeeffe
Level 2

I have port security configured on several 6500 ports. IOS version 12.2(33)SXH5. I configured for sticky addresses, but only the PC on the data VLAN shows as sticky. The MAC of the phone shows as dynamic.

When I configure a 3750 switch the same way with a PC and phone, both MAC addresses show up as sticky.

Below is the pertinent config and output of a couple of show commands (I deleted the QoS commands for simplicity). Any idea why the phone MAC doesn't get sticky?

interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001c.c430.b183

spanning-tree portfast
end

Eng-6503E#sh port-security int g3/29
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 001b.4f2d.5920
Last Source Address VlanId : 920
Security Violation Count   : 0

Eng-6503E#

Eng-6503E#sh port-security int g3/29 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)   
----    -----------       ----                -----   -------------
920    001b.4f2d.5920    SecureDynamic       Gi3/29       -
2005    001c.c430.b183    SecureSticky        Gi3/29       -
-------------------------------------------------------------------
Total Addresses: 2

3 Replies

cadet alain
VIP Alumni

Hi,

If you issued switchport port-security first, then it learned the telephone MAC first as dynamic and then the second one as sticky.

I would disable port security with no switchport port-security, enter all the commands except switchport port-security, and then apply this command.

Regards.

Alain.

Don't forget to rate helpful posts.

I tried your suggestion but unfortunately it did not work as expected.  Here are the steps as you outlined:

**start with no port security on interface

sh int g3/29

interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
spanning-tree portfast
end

**adding port security commands except 'switchport port-security'


Eng-6503E(config)#int g3/29                      
Eng-6503E(config-if)#switchport port-security maximum 2     
Eng-6503E(config-if)#switchport port-security mac-address sticky
Eng-6503E(config-if)#^Z
Eng-6503E#
Eng-6503E#sh run int g3/29
Building configuration...

Current configuration : 905 bytes
!
interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
end

**adding 'switchport port-security' to interface:

Eng-6503E(config)#int g3/29                                 
Eng-6503E(config-if)#switchport port-security                  
Eng-6503E(config-if)#exit
Eng-6503E(config)#exit
Eng-6503E#

interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
end

Eng-6503E#sh port-security int g3/29 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)   
----    -----------       ----                -----   -------------
920    001b.4f2d.5920    SecureDynamic       Gi3/29       -
2005    001c.c430.b183    SecureSticky        Gi3/29       -
-------------------------------------------------------------------
Total Addresses: 2

Eng-6503E#

Any other ideas?

Hello,

According to the Configuration Guide for the SXH release at

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html#wp1057168

Secure MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses.

In different IOS versions, this functionality may be available (as you have noticed on your 3560/3750 switch). I remember seeing lots of changes in the port security features in the last two years regarding their functionality with voice VLANs.

I am afraid there is no usable workaround available for this limitation. You could try to raise a TAC ticket for a feature enhancement to possibly speed up the adoption of the feature into the 6500 series, but that won't be immediate of course.

Best regards,

Peter
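As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python audit that reads the two things posted in the question, the running-config of the port and the output of show port-security interface ... address, and reports which secure MACs exist only as SecureDynamic entries. The point it makes is the one in Peter's reply: a dynamic secure MAC lives only in the secure address table and is never written into the running-config, so it is lost on reload, and on this SXH release a MAC learned on the voice VLAN is not converted to sticky even with sticky learning enabled. The first pair of inputs is the Gi3/29 config and table copied from the question; the second pair, showing the 3750 behaviour with both addresses sticky, is constructed. The function names and result keys are my own.

```python
"""Audit Catalyst port-security output for secure MACs that will not survive
a reload. Added example; not code from the thread or from Cisco."""
import re
from dataclasses import dataclass

# Inputs copied from the question above (Gi3/29 on the 6503E, 12.2(33)SXH5).
RUN_CONFIG_6500 = """\
interface GigabitEthernet3/29
 description CDE PC
 switchport
 switchport access vlan 2005
 switchport mode access
 switchport voice vlan 920
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001c.c430.b183
 spanning-tree portfast
end
"""
SECURE_TABLE_6500 = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
920    001b.4f2d.5920    SecureDynamic       Gi3/29       -
2005    001c.c430.b183    SecureSticky        Gi3/29       -
-------------------------------------------------------------------
Total Addresses: 2
"""

# Constructed inputs (assumed, not from the thread) showing what the question
# reports on a 3750: the phone's MAC is converted to sticky and saved too.
RUN_CONFIG_3750 = """\
interface GigabitEthernet1/0/1
 switchport access vlan 2005
 switchport mode access
 switchport voice vlan 920
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001c.c430.b183
 switchport port-security mac-address sticky 001b.4f2d.5920 vlan voice
end
"""
SECURE_TABLE_3750 = """\
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
920    001b.4f2d.5920    SecureSticky        Gi1/0/1      -
2005    001c.c430.b183    SecureSticky        Gi1/0/1      -
Total Addresses: 2
"""

MAC = r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
_ENTRY = re.compile(
    rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{MAC})\s+(?P<kind>Secure\w+)\s+(?P<port>\S+)",
    re.I)


@dataclass(frozen=True)
class SecureMac:
    vlan: int
    mac: str
    kind: str   # SecureDynamic, SecureSticky or SecureConfigured
    port: str


def parse_secure_table(text):
    """Rows of 'show port-security interface <if> address'."""
    rows = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            rows.append(SecureMac(int(m["vlan"]), m["mac"].lower(),
                                  m["kind"], m["port"]))
    return rows


def parse_port_config(text):
    """Port-security and VLAN settings from 'show run interface <if>'."""
    cfg = {"access_vlan": None, "voice_vlan": None, "enabled": False,
           "maximum": 1, "sticky": False, "saved_macs": set()}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cfg["access_vlan"] = int(m[1])
        elif m := re.fullmatch(r"switchport voice vlan (\d+)", line):
            cfg["voice_vlan"] = int(m[1])
        elif line == "switchport port-security":
            cfg["enabled"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cfg["maximum"] = int(m[1])
        elif line == "switchport port-security mac-address sticky":
            cfg["sticky"] = True
        elif m := re.fullmatch(
                rf"switchport port-security mac-address (?:sticky )?({MAC})(?: vlan \S+)?",
                line):
            cfg["saved_macs"].add(m[1])   # sticky-learned or static entry in config
    return cfg


def audit(run_config, secure_table):
    """Classify the secure MACs on one port by whether they survive a reload."""
    cfg = parse_port_config(run_config)
    rows = parse_secure_table(secure_table)
    # Only addresses present in the running-config (sticky or configured) come
    # back after a reload; SecureDynamic rows exist in the address table alone,
    # so after a reload that slot goes to whichever station sends first.
    volatile = [r for r in rows if r.kind == "SecureDynamic"]
    on_voice = [r for r in volatile if r.vlan == cfg["voice_vlan"]]
    return {
        "port_security": cfg["enabled"],
        "sticky_learning": cfg["sticky"],
        "voice_vlan": cfg["voice_vlan"],
        "port_full": len(rows) >= cfg["maximum"],
        "persisted": sorted(r.mac for r in rows if r.mac in cfg["saved_macs"]),
        "lost_on_reload": sorted(r.mac for r in volatile),
        # Sticky learning is on, yet these voice-VLAN MACs stayed dynamic: the
        # limitation Peter's reply quotes from the SXH configuration guide.
        "voice_not_converted": sorted(r.mac for r in on_voice) if cfg["sticky"] else [],
    }


if __name__ == "__main__":
    for name, cfg, table in (("6500", RUN_CONFIG_6500, SECURE_TABLE_6500),
                             ("3750", RUN_CONFIG_3750, SECURE_TABLE_3750)):
        print(name, audit(cfg, table))
```

Run against the question's output, the audit lists 001b.4f2d.5920 (VLAN 920) under both lost_on_reload and voice_not_converted, while the PC's 001c.c430.b183 is the only persisted address; the same inputs from the constructed 3750 pair produce empty lists for both. Fed the output of the two show commands across a fleet of access ports, this is the quickest way to see which phone addresses are protected only until the next reload.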