Switchport Port-Security throwing errors

David Lee
Level 1

So I am a bit new to switchport security.  I have it working on most of the ports at a location.  It's ports where either I have switchport voice and switchport access VLANs, or just switchport voice VLANs.  For some reason, those types of ports will go into err-disable.  Here are some examples.  Any pointers as to why these would be shutting down even when I have the correct MAC address specified would be very helpful.  Interface Fa0/3 has a phone attached to it, and a computer daisy-chained off the phone.

 

interface FastEthernet0/2
 description Table Phone
 switchport mode access
 switchport voice vlan 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 34a8.4ea6.0f95
 spanning-tree portfast

 

interface FastEthernet0/3
 description SAM PHONE x1623
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 switchport port-security maximum 2
 switchport port-security mac-address 442b.031a.2975  --- Phone MAC
 switchport port-security mac-address e840.f223.8842   --- Computer MAC
 spanning-tree portfast

 2    442b.031a.2975    DYNAMIC     Fa0/3

 2    34a8.4ea6.0f95    DYNAMIC     Fa0/2

 

The log shows this every time I turn on port security.  On any other port where there is only 1 VLAN or 1 device, it works fine with no issues.

 

Jun 27 2015 23:59:56: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.
Jun 28 2015 00:00:01: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
Jun 28 2015 00:00:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
Jun 28 2015 00:00:03: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Jun 28 2015 00:00:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 34a8.4ea6.0f95 on port FastEthernet0/2.

I know I'm missing something since I am new to using switchport security.  I am wanting to lock down ports to prevent unauthorized devices from plugging into my network.  I have DHCP turned off everywhere, but I want to take it one step further and stop them from even getting on the network and probing the network.

 

EDIT--- Forgot to mention that this is a 2960 running version 15.0(2)SE5

 

Thanks,

 

David

8 Replies

Tagir Temirgaliyev
Spotlight

It will not prevent unauthorized devices from plugging into the network, because of MAC spoofing.

Kevin Dorrell
Level 10

What model of phone are you using?  I know there are some phone models that generate frames from two different MAC addresses, one for the phone itself, and one for its internal switch.  It used to be recommended to allow three MAC addresses on secure ports: one for the phone, one for the PC, and one for the phone's internal switch (but I am not sure which VLAN carried the switch's frames).

Try a show port-security interface F0/2.  That should give you some clues.

Kevin Dorrell

Luxembourg

Hey Kevin,

 

I am using a mix of models.  6921s, 6901s, 7940s, 7942s, and 7970s.   Int fa0/2 happens to have a 6901.

 

Here is what comes from that command

 

C2960-96#sh port-security int fa0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 34a8.4ea6.0f95:2
Security Violation Count   : 3

 

So to me it even looks like the switch is seeing it correctly.  The MAC address is the same, and the VLAN is the same as the voice VLAN.  The main thing that I am wanting to prevent is people daisy-chaining off phones unless we give them permission to.  There is only one instance where this should be allowed, and that's on port fa0/3.  I also want to keep people from unplugging a phone, plugging in a dumb switch so they have more ports, and then going off of that.

Just found that if I change the interface to this

interface FastEthernet0/2
 description OSM Table Phone
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 2
 switchport port-security
 switchport port-security mac-address 34a8.4ea6.0f95
 spanning-tree portfast

that the port will stay up.  It has something to do with the "access" and "voice" part.  It also seems not to like daisy-chaining.

Interesting.  You are right that the MAC it is seeing is the same MAC as you have configured.  There is one other thing that could trigger a port-security violation: if the switch sees the configured MAC address on some other port than the one it was configured on.  Could that be the case here?

 

Here is my entire MAC table for that switch.  I don't see the entry on any other port

 

   2    34a8.4ea6.0de7    DYNAMIC     Fa0/4
   2    34a8.4ea6.0f95    STATIC      Fa0/2
   2    442b.031a.2975    DYNAMIC     Fa0/3
   2    442b.031a.2c92    DYNAMIC     Fa0/5
   2    7c0e.ce2e.9318    DYNAMIC     Gi0/1
   2    f0f7.55b6.6512    DYNAMIC     Fa0/1
   3    001e.0ba3.7588    STATIC      Fa0/21
   3    001f.294b.72bb    DYNAMIC     Fa0/20
   3    0021.5a6b.0daa    DYNAMIC     Fa0/11
   3    0023.2440.3a46    DYNAMIC     Fa0/10
   3    0023.2441.f543    DYNAMIC     Fa0/9
   3    0024.210f.2c75    DYNAMIC     Fa0/15
   3    0024.e83c.6806    DYNAMIC     Fa0/23
   3    00c0.ee48.9314    DYNAMIC     Fa0/16
   3    00c0.ee4a.1102    DYNAMIC     Fa0/17
   3    00c0.ee8d.20a8    DYNAMIC     Fa0/19
   3    3005.5c15.6d65    DYNAMIC     Fa0/18
   3    442b.031a.2975    DYNAMIC     Fa0/3
   3    7c0e.ce2e.9318    DYNAMIC     Gi0/1
   4    0000.bce5.6926    DYNAMIC     Fa0/13
   4    00d0.2413.a4bc    DYNAMIC     Fa0/13
   1    34a8.4ea6.0de7    DYNAMIC     Fa0/4
   1    442b.031a.2c92    DYNAMIC     Fa0/5
   1    7c0e.ce2e.9318    DYNAMIC     Gi0/1
   1    f0f7.55b6.6512    DYNAMIC     Fa0/1

Peter Paluch
Cisco Employee

David, Kevin,

Please allow me to join.

The way I see the Fa0/2 work with its original configuration is:

  • The maximum count of secure MAC addresses is 1.
  • The access VLAN is 1, the voice VLAN is 2.
  • The static secure MAC address 34a8.4ea6.0f95 is added to the access VLAN, not to the voice VLAN
  • When the phone starts communicating in the voice VLAN, its MAC address cannot be dynamically added to the list because the maximum secure MAC count is 1 and the list is already full. The fact that its MAC address is statically configured is not relevant because it is not associated with the voice VLAN.

Try removing the line

switchport port-security mac-address 34a8.4ea6.0f95

and replace it with

switchport port-security mac-address 34a8.4ea6.0f95 vlan voice

and see if it solves the issue.

Best regards,
Peter

That was it, Peter.  I didn't specify the voice VLAN for the phone MAC address.  It all works as it should now.
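The following is an added example and is not part of the original thread or of any Cisco code. It is a small Python model of the counting rule Peter describes (a secure address is a MAC plus VLAN pair, a static `mac-address` with no `vlan` keyword is bound to the access VLAN, and a pair that would exceed `maximum` is a violation) together with the second trigger Kevin mentions (a MAC already secured on a different secure port). It replays the thread's own Fa0/2 and Fa0/3 configurations and MAC addresses; the moved-phone port name Fa0/7 is a constructed assumption, and the Fa0/3 walk-through assumes the phone speaks in both its access and voice VLANs, which is what the posted MAC table shows for 442b.031a.2975. The violation action (restrict, protect, shutdown) is deliberately left out of the model.

```python
"""Toy model of Cisco IOS port-security secure-address counting on a port
with both an access and a voice VLAN.  Added example, not Cisco code.

Assumed behaviour (as described in the thread):
  * a secure address is a (MAC, VLAN) pair, not a bare MAC;
  * `switchport port-security mac-address MAC` with no vlan keyword binds the
    MAC to the access VLAN; `... vlan voice` binds it to the voice VLAN;
  * an unknown (MAC, VLAN) pair is learned only while the count is below
    `maximum`, otherwise it is a violation;
  * a MAC already secured on another secure port is also a violation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurePort:
    name: str
    access_vlan: int
    voice_vlan: Optional[int] = None
    maximum: int = 1                                   # IOS default
    secure: Set[Tuple[str, int]] = field(default_factory=set)
    violations: int = 0

    def add_static(self, mac: str, vlan_kw: Optional[str] = None) -> None:
        """Model `switchport port-security mac-address MAC [vlan {access|voice}]`."""
        if vlan_kw == "voice":
            if self.voice_vlan is None:
                raise ValueError(f"{self.name}: no voice VLAN configured")
            vlan = self.voice_vlan
        elif vlan_kw in (None, "access"):
            vlan = self.access_vlan                    # default when keyword omitted
        else:
            raise ValueError(f"unknown vlan keyword {vlan_kw!r}")
        self.secure.add((mac, vlan))


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}

    def add_port(self, port: SecurePort) -> SecurePort:
        self.ports[port.name] = port
        return port

    def receive(self, port_name: str, mac: str, vlan: int) -> str:
        """Ingress frame with source `mac` tagged into `vlan` on `port_name`."""
        port = self.ports[port_name]
        if (mac, vlan) in port.secure:
            return "forwarded"
        # Kevin's trigger: the MAC is already secured on some other port.
        for other in self.ports.values():
            if other is not port and any(m == mac for m, _ in other.secure):
                port.violations += 1
                return f"violation: {mac} is secured on {other.name}"
        # Peter's trigger: the table is full, so the new pair cannot be learned.
        if len(port.secure) >= port.maximum:
            port.violations += 1
            return f"violation: maximum {port.maximum} secure addresses reached"
        port.secure.add((mac, vlan))                   # dynamic learning
        return "learned"


PHONE_FA0_2 = "34a8.4ea6.0f95"   # MAC addresses quoted from the thread
PHONE_FA0_3 = "442b.031a.2975"
PC_FA0_3 = "e840.f223.8842"


def fa0_2_original() -> str:
    """Fa0/2 as first posted: access VLAN 1 (default), voice VLAN 2, maximum 1."""
    sw = Switch()
    p = sw.add_port(SecurePort("Fa0/2", access_vlan=1, voice_vlan=2, maximum=1))
    p.add_static(PHONE_FA0_2)                          # bound to VLAN 1, not 2
    return sw.receive("Fa0/2", PHONE_FA0_2, vlan=2)    # phone talks in voice VLAN


def fa0_2_fixed() -> str:
    """Peter's fix: same static MAC, bound to the voice VLAN."""
    sw = Switch()
    p = sw.add_port(SecurePort("Fa0/2", access_vlan=1, voice_vlan=2, maximum=1))
    p.add_static(PHONE_FA0_2, "voice")
    return sw.receive("Fa0/2", PHONE_FA0_2, vlan=2)


def fa0_2_workaround() -> str:
    """David's observation: access VLAN 2 == voice VLAN 2 makes the default binding match."""
    sw = Switch()
    p = sw.add_port(SecurePort("Fa0/2", access_vlan=2, voice_vlan=2, maximum=1))
    p.add_static(PHONE_FA0_2)
    return sw.receive("Fa0/2", PHONE_FA0_2, vlan=2)


def fa0_3_original() -> List[str]:
    """Fa0/3 as posted: access 3, voice 2, maximum 2, both statics default to VLAN 3.
    Assumes the phone is seen in VLAN 3 and VLAN 2, as the posted MAC table shows."""
    sw = Switch()
    p = sw.add_port(SecurePort("Fa0/3", access_vlan=3, voice_vlan=2, maximum=2))
    p.add_static(PHONE_FA0_3)
    p.add_static(PC_FA0_3)
    return [sw.receive("Fa0/3", PHONE_FA0_3, 3),
            sw.receive("Fa0/3", PC_FA0_3, 3),
            sw.receive("Fa0/3", PHONE_FA0_3, 2)]       # third pair -> violation


def moved_phone() -> str:
    """Kevin's trigger (constructed): the Fa0/2 phone is re-plugged into Fa0/7."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/2", access_vlan=1, voice_vlan=2)).add_static(PHONE_FA0_2, "voice")
    sw.add_port(SecurePort("Fa0/7", access_vlan=1, voice_vlan=2))   # hypothetical port
    return sw.receive("Fa0/7", PHONE_FA0_2, vlan=2)
```

Running `fa0_2_original()` reproduces the thread's symptom: the only secure slot is consumed by the phone MAC in VLAN 1, so the first frame in VLAN 2 is a violation even though `show port-security interface` reports the right MAC and VLAN as the last source. `fa0_2_fixed()` forwards. The Fa0/3 walk-through shows why a port that must carry a phone and a PC needs either per-VLAN statics or a `maximum` that counts the phone once per VLAN it talks in, which is also the reasoning behind the old three-address recommendation Kevin recalls.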
