09-22-2016 01:19 AM - edited 03-08-2019 07:32 AM
Hello!
I have a Cisco Catalyst 2960 switch with IOS c2960s-universalk9-mz.150-2a.SE9.bin
I am testing the Port Security option with additional settings. Here is the port config:
interface GigabitEthernet0/8
 switchport access vlan 5
 switchport mode access
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 network-policy 101
 storm-control broadcast level pps 500
 storm-control multicast level pps 500
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
Everything works correctly, but after saving the config and reloading the switch I saw an error in the console:
switchport port-security maximum 1 vlan voice
^
% Invalid input detected at '^' marker.
And this setting was removed from the interface. Everything else works correctly (the phone is added to the voice VLAN via the network policy).
But if I configure the interface with the voice vlan setting instead of the network policy, switchport port-security maximum 1 vlan voice stays in the port settings after reload.
interface GigabitEthernet0/8
 switchport access vlan 5
 switchport mode access
 switchport voice vlan 101
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security
 storm-control broadcast level pps 500
 storm-control multicast level pps 500
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 15
Why does port-security with the network policy option work incorrectly?
09-22-2016 05:22 AM
Hi
see below
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/command/reference/2960ComRef/cli1.html
From Cisco doc
If you first configure a network-policy profile on an interface, you cannot apply the switchport voice vlan command on the interface. If switchport voice vlan vlan-id is already configured on an interface, you can apply a network-policy profile on the interface. The interface then has the voice or voice-signaling VLAN network-policy profile applied on the interface.
09-22-2016 10:35 PM
Hi,
This note didn't explain why I can first configure network-policy on the interface (without configuring voice vlan on this interface) and afterwards apply port-security commands, including switchport port-security maximum 1 vlan voice. The command is not rejected. But after a switch reload this command is rejected.
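
A config check for the situation described in this thread, as an added example that is not part of any post here and is not Cisco code. It flags ports that carry a voice MAC limit together with network-policy but no switchport voice vlan (the combination the original poster saw lose its limit on reload), and it compares a saved config with the post-reload config to list port-security lines that went missing. The sample configs are constructed, and the parser assumes the one-space indentation of show running-config output.

```python
import re

# Constructed sample modelled on the thread's port configs (Gi0/9 is a made-up second port).
SAVED = """\
interface GigabitEthernet0/8
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan voice
 switchport port-security
 network-policy 101
!
interface GigabitEthernet0/9
 switchport voice vlan 101
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
"""
# Constructed "after reload" config: Gi0/8 has lost its voice limit, as the thread reports.
RELOADED = SAVED.replace(" switchport port-security maximum 1 vlan voice\n", "", 1)

VOICE_LIMIT = re.compile(r"switchport port-security maximum \d+ vlan voice$")

def split_interfaces(config_text):
    """Map interface name -> list of its sub-commands (the indented lines)."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw[:1].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def at_risk_ports(config_text):
    """Ports with a voice MAC limit and network-policy but no 'switchport voice vlan'."""
    return [name for name, cmds in split_interfaces(config_text).items()
            if any(VOICE_LIMIT.match(c) for c in cmds)
            and any(c.startswith("network-policy ") for c in cmds)
            and not any(c.startswith("switchport voice vlan ") for c in cmds)]

def dropped_port_security(saved, reloaded):
    """Per interface, port-security lines in the saved config that are gone after reload."""
    after = split_interfaces(reloaded)
    lost = {name: [c for c in cmds if c.startswith("switchport port-security")
                   and c not in after.get(name, [])]
            for name, cmds in split_interfaces(saved).items()}
    return {name: cmds for name, cmds in lost.items() if cmds}
```

Running at_risk_ports over configs before a maintenance reload and dropped_port_security afterwards shows whether any port silently came back without its per-VLAN limit.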