Strange Port-Security!

a.hajhamad
Level 4

Hi,

I have a Cisco Catalyst 3560 SW PoE-24; I'm using this switch for testing port security. The installed IOS version is 12.2(40)SE.

I'm applying the following commands to the interface one after another for testing, and I've connected my laptop to the Cisco IP Phone and am trying the Cisco IP Phone on port after port at the switch.

The strange issue is that some ports are working fine and others are not ("Security violation occurred"). Why is that?

The commands that were applied to all interfaces:

switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky

Thanks in advance

Abd Alqader


Kevin Dorrell
Level 10

An IP phone needs 3 MAC addresses: one for the PC, one for the phone, and one for the integrated virtual switch.

Kevin Dorrell

Luxembourg

Thanks Kevin.

But why are some ports working fine with a maximum of two MAC addresses?

Thanks again

Abd Alqader

Are they perhaps those ports that do not have a PC connected behind the telephone, or that have the PC switched off, or that are non-Cisco telephones?

To work this out we would need to look at the MAC addresses. Take a look at a port that has had a violation, and see if you can work out which MAC address is the telephone, which is the PC, and which is the switch.

Alternatively, is it possible that your users have been playing with the plugs? I see that your MAC addresses are sticky.

Kevin Dorrell

Luxembourg

Hi,

This is a testing switch; only my laptop and one Cisco IP phone are used. I'm using the same laptop and the same Cisco IP phone for testing the ports.

-----

Here is the show mac-address-table for the working and non-working ports!

0/7 didn't work

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  28    0014.c2de.270c    DYNAMIC     Fa0/7
  28    0019.e883.44b1    DYNAMIC     Fa0/7

-------------------------------------------

0/5 works fine

Port_S#show mac-address-table int fas 0/5
          Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  28    0014.c2de.270c    DYNAMIC     Fa0/5
  28    0019.e883.44b1    DYNAMIC     Fa0/5
  29    0019.e883.44b1    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 3

-------------------------------------------

0/3 works fine

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  28    0014.c2de.270c    DYNAMIC     Fa0/3
  28    0019.e883.44b1    DYNAMIC     Fa0/3
  29    0019.e883.44b1    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 3

Regards

Abd Alqader

Could you provide sh int fa0/7?

Is F0/7 set up in the same way as the others? It looks like it is interpreting all frames, from both the PC and the phone, as being on VLAN 28, whereas the others have both VLANs 28 and 29.

Kevin Dorrell

Luxembourg
