11-05-2008 06:55 AM - edited 03-06-2019 02:19 AM
Hi guys and girls,
I'm trying to set up port-security on my network using sticky MAC addresses instead of manually entering the MACs, to reduce the workload on my colleagues.
My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM) and looked like this before being 'secured':
interface FastEthernet1/0/1
switchport access vlan 2
switchport voice vlan 10
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
and after:
interface FastEthernet1/0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 10
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0003.ff53.553c
switchport port-security mac-address sticky 001e.c952.553c
priority-queue out
mls qos trust cos
no mdix auto
fair-queue
spanning-tree portfast
The switchport port-security mac-address sticky addresses were obtained automatically.
A show port-security interface fa1/0/1 looks like this:
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 5
Total MAC Addresses : 3
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address : 0001.e324.6f48:10
Security Violation Count : 0
and my show version looks like this:
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1
Now the 'stickiness' has picked up my 2 PC nodes but not my telephone, which is included in the 'Total MAC Addresses' bit.
This means that if I unplug my telephone and replace it with a PC, this PC will access my network. Bad news!
And now for the million dollar question:
How can I set up my port to auto-learn my telephone and put this in the sticky table, thus blocking any traffic that is not coming from a trusted or learned node and keeping my port safe and sound? We cannot enter the MACs manually as we have a 192 port stack and no time!
Please help,
Chris
11-06-2008 08:34 AM
Reply to my own posting here!
What I am trying to do will not work.
Maybe this will help somebody else who would like to set up port security with a voice VLAN. The IP phone MAC is picked up as 'SecureDynamic' and cannot be converted to a 'static' record. This means that as soon as you unplug the IP phone, this record is removed from the switch and an intruder can break into your network by plugging in a notebook. The only way to protect your ports with IP phones is to use access-lists that must be manually edited, thus creating loads of work when you have stacks with 192 FE ports like us. This is not a moan, but I would just like to put this down as I see it and of course thank all of the advice that I got. I have also learned a lot during these 2 days and will check the release notes of later IOS versions to see if an update can help. If so I will be updating over Christmas (we have a 24/7 network) if I get the offline time. If anybody has another idea, please let me know and I will get the virtual beers in.
regards, Chris
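An added example, not part of the thread and not Cisco's code: a small Python audit that reads collected show port-security interface output and reports ports whose secure-address table holds entries that are neither configured nor sticky, i.e. the 'SecureDynamic' case Chris describes, which disappears when the device is unplugged. It assumes the output was collected as one block per interface, each preceded by a line holding only the interface name; the sample below is constructed, not real device output.

```python
import re

# Constructed sample: the thread's port (2 of 3 addresses sticky) plus a
# hypothetical second port where every address is configured or sticky.
SAMPLE_OUTPUT = """\
FastEthernet1/0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 0001.e324.6f48:10
Security Violation Count   : 0
FastEthernet1/0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 2
Security Violation Count   : 0
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+?)\s*$")

def parse_port_security(text):
    """Return {interface: {field: value}}. A line without a colon starts a
    new interface block (assumption about how the output was collected)."""
    ports, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            ports[current][m.group("key").strip()] = m.group("val")
        elif ":" not in line:
            current = line
            ports[current] = {}
    return ports

def audit(ports):
    """Return {interface: count} of secure addresses that are neither
    configured nor sticky; those slots free up when the device unplugs."""
    findings = {}
    for name, f in ports.items():
        if f.get("Port Security") != "Enabled":
            continue  # not port-secured at all; out of scope for this check
        fixed = int(f["Configured MAC Addresses"]) + int(f["Sticky MAC Addresses"])
        dynamic = int(f["Total MAC Addresses"]) - fixed
        if dynamic > 0:
            findings[name] = dynamic
    return findings
```

Running audit(parse_port_security(SAMPLE_OUTPUT)) lists only FastEthernet1/0/1 with one dynamic-only entry, matching the gap in the first post.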