Switch Port-Security problems with voice vlan

chris.king
Level 1

Hi guys and girls,

I'm trying to set up port-security on my network using sticky MAC addresses instead of manually entering the MACs, to reduce the workload on my colleagues.

My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM) and looked like this before being 'secured':

interface FastEthernet1/0/1
 switchport access vlan 2
 switchport voice vlan 10
 priority-queue out
 mls qos trust cos
 no mdix auto
 fair-queue
 spanning-tree portfast

and after:

interface FastEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0003.ff53.553c
 switchport port-security mac-address sticky 001e.c952.553c
 priority-queue out
 mls qos trust cos
 no mdix auto
 fair-queue
 spanning-tree portfast

The switchport port-security mac-address sticky addresses were obtained automatically.

A show port-security interface fa1/0/1 looks like this:

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 0001.e324.6f48:10
Security Violation Count   : 0

and my show version looks like this:

Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1

Now the 'stickiness' has picked up my 2 PC nodes but not my telephone, which is included in the 'Total MAC Addresses' bit.

This means that if I unplug my telephone and replace it with a PC, this PC will access my network. Bad news!

And now for the million dollar question:

How can I set up my port to auto-learn my telephone and put this in the sticky table, thus blocking any traffic that is not coming from a trusted or learned node and keeping my port safe and sound? We cannot enter the MACs manually as we have a 192 port stack and no time!

Please help,

Chris

15 Replies

chris.king
Level 1

Reply to my own posting here!

What I am trying to do will not work.

Maybe this will help somebody else who would like to set up port security with a voice VLAN. The IP phone MAC is picked up as 'SecureDynamic' and cannot be converted to a 'static' record. This means that as soon as you unplug the IP phone, this record is removed from the switch and an intruder can break into your network by plugging in a notebook. The only way to protect your ports with IP phones is to use access-lists that must be manually edited, thus creating loads of work when you have stacks with 192 FE ports like us. This is not a moan, but I would just like to put this down as I see it and of course thank everyone for all of the advice that I got. I have also learned a lot during these 2 days and will check the release notes of later IOS versions to see if an update can help. If so I will be updating over Christmas (we have a 24/7 network) if I get the offline time. If anybody has another idea, please let me know and I will get the virtual beers in.

Regards, Chris
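As an added example (not code from the thread or from Cisco), here is a small Python audit that parses the kind of show port-security interface output Chris pasted in the original post and flags the gap his follow-up describes: addresses that are counted in 'Total MAC Addresses' but are neither sticky nor configured, so they disappear when the link drops and leave headroom under the maximum for whatever is plugged in next. The Fa1/0/1 sample repeats the numbers from the thread; Fa1/0/2 is a constructed, hypothetical port where every address was learned sticky. The function names, the sample text and the assumed expected node count of 3 are all assumptions for this example.

```python
"""Audit 'show port-security interface' output for addresses that are only
dynamically learned (lost on link down) and for a loose 'maximum'.
Example code, not from the thread; sample output is constructed."""

import re

# Constructed sample output.  Fa1/0/1 mirrors the numbers posted in the
# thread; Fa1/0/2 is hypothetical, with every address learned sticky.
SAMPLE_OUTPUT = {
    "Fa1/0/1": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 0001.e324.6f48:10
Security Violation Count   : 0
""",
    "Fa1/0/2": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 3
Last Source Address        : 0011.2233.4455:2
Security Violation Count   : 0
""",
}

# "Field name   : value" lines; the key stops at the first colon, so a
# value such as "0001.e324.6f48:10" (MAC:VLAN) survives intact.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+?)\s*$")


def parse_port_security(text):
    """Turn one interface's show output into a dict of field -> string."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def _int(fields, key):
    """Leading integer of a value such as '5' or '0 mins'."""
    return int(fields[key].split()[0])


def audit_port(name, fields, expected_nodes):
    """Return a list of findings for one port (empty list means nothing to flag)."""
    if fields.get("Port Security") != "Enabled":
        return [f"{name}: port-security not enabled"]
    findings = []
    total = _int(fields, "Total MAC Addresses")
    sticky = _int(fields, "Sticky MAC Addresses")
    configured = _int(fields, "Configured MAC Addresses")
    maximum = _int(fields, "Maximum MAC Addresses")

    # Anything in Total that is neither sticky nor configured was learned
    # dynamically only: it is not saved with the config and is dropped when
    # the link goes down, freeing a slot under 'maximum' for the next device.
    dynamic = total - sticky - configured
    if dynamic > 0:
        findings.append(f"{name}: {dynamic} address(es) learned dynamically only")

    # A maximum above the number of devices expected on the port leaves
    # spare slots even when every known device is present.
    if maximum > expected_nodes:
        findings.append(f"{name}: maximum {maximum} exceeds expected {expected_nodes}")

    # Restrict mode drops offending frames silently; the counter is the
    # only trace, so surface it for investigation.
    if _int(fields, "Security Violation Count") > 0:
        findings.append(f"{name}: {fields['Security Violation Count']} violation(s) recorded")
    return findings


def audit_all(outputs, expected_nodes=3):
    """Run audit_port over a mapping of interface name -> show output."""
    findings = []
    for name, text in outputs.items():
        findings.extend(audit_port(name, parse_port_security(text), expected_nodes))
    return findings


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_OUTPUT):
        print(finding)
```

Run over the sample, the audit reports two findings for Fa1/0/1 (one dynamically learned address, which is the phone's entry, and a maximum of 5 against 3 expected nodes) and nothing for Fa1/0/2. On a real stack the same function can be fed the output of the show command for each port collected by whatever method the switch management already uses; the parser only depends on the "field : value" layout shown above.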
