Port security for workstation and phone on same port

wilson_1234_2
Level 3

My understanding is that when setting port security on PoE ports that have Cisco phones, with workstations plugged in through the phone, you should allow three MAC addresses:

one for workstation in workstation vlan

one for phone in workstation vlan

one for phone in voice vlan

When I set the security to three, I see two macs used and no more on those ports.

I have phones only on some ports, and I set the maximum to one on those and the phones work fine.

How should the port security maximum be set for MAC addresses on these workstation/phone ports?

Port config:

interface FastEthernet3/3
 description
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.1234.1234
 no ip address
 wrr-queue cos-map 1 1 1
 wrr-queue cos-map 1 2 0
 wrr-queue cos-map 2 1 2 3 4 6 7
 wrr-queue cos-map 2 2 5
 mls qos trust cos
 spanning-tree portfast

Shown is port security:

vlan   mac address      type     learn  age  ports
------+----------------+--------+-----+----------+--------------------------
*   10 0011.1234.1234   static   Yes    -    Fa3/3
*   50 0013.3456.3456   static   Yes    -    Fa3/3

6509#sh port-sec int f3/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 5 mins
Aging Type                 : Inactivity
Maximum MAC Addresses      : 3
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0011.1234.1234
Last Source Address VlanId : 10
Security Violation Count   : 0


AJAZ NAWAZ
Level 5

Hey Wilson,

Check out this document:

<http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_example09186a0080722cdb.shtml>

The connection between the switch and the phone is not a trunk. One VLAN is tagged but the other does not need to be tagged since there are never going to be more than two (VLANs). As such there will be only two mac addresses learned by the switch, one for the IP phone and the other is the PC's mac address. Look at the macro config at the bottom of the URL stated above.

hth,

Ajaz

pls rate the post if it helped.

Thanks for the reply.

So, where did the idea of three mac addresses come from?

I'm not sure where '3' came from. I certainly have not read about that anywhere, and having just sanity-checked this question with a few of my colleagues, the consensus is that switchports with IP phones attached will learn two MAC addresses when a PC is attached to the IP phone's PC port. The MAC address of the IP phone will be one of those addresses, and, of course, as you know, the other MAC address will match the PC NIC.

However, if the goal is to ensure IP phones do not share their switchport, then only a single mac address will be learned when you apply:

switchport port-security maximum 1

No doubt you are aware of this command but it's just for the benefit of others.

hth,

Ajaz

Ah! Wilson,

Here is one reference that I found for three MAC addresses, but it's a workaround to a field notice.

http://www.cisco.com/en/US/products/hw/phones/ps379/products_field_notice09186a008031575e.shtml

hth,

Ajaz :-)

pls rate this post if it helped.

Thank you for the reply.

I tried qty 2 for the phone/workstation and it worked fine as far as allowing the devices to connect, as long as these were the devices that had been on the port all along.

I read somewhere (and it makes sense) that if the DHCP address is obtained from the data VLAN (the second MAC) and then the phone is brought up in the voice VLAN (the third MAC), it could use three. Our voice DHCP is in the voice VLAN.

However, there are some things I do not understand about port security that are happening, which maybe you can help me with.

I encountered the following on two different ports.

I configured a phone port as shown below, unplugged the existing phone and plugged in another, and it came up just fine.

After that, I put the original phone MAC address in rather than the "max 1" command, and the port kept shutting down due to a violation after plugging the original phone back in.

I had another problem where a workstation was trying to plug into a phone with one MAC allowed. This port shut down as expected, but when I changed the config to allow two addresses, it kept shutting down when both devices were on the port. I was able to remove the phone and the user was able to connect, but the phone kept shutting down the port.

It seems the phones are doing weird things with the security.

My questions are:

Does the config shown allow "ANY" single mac address on the port?

Shouldn't sticky add the MAC from dynamic to static on the port, and shouldn't it have been grabbed by the first phone?

What are the aging parts doing, is this port "holding" the mac for 5 minutes?

Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?

It seems that with "sticky" configured, the original phone would have entered the mac as a static address and not let me boot the second phone at all, but that was not the case.

I was able to put the first phone on the port and boot, then put the second phone on the port, remove it and put the first one back.

 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky

My questions are:

Does the config shown allow "ANY" single mac address on the port?

No, not necessarily. Secure MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses.

Shouldn't the sticky add the mac from dynamic to static on the port and should have been grabbed by the first phone?

Please take a read of this document taken from the following URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/port_sec.html#wp1062570

Port Security with Sticky MAC Addresses

Release 12.2(18)SXE and later releases support port security with sticky MAC addresses. Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.

If you enter a write memory or copy running-config startup-config command, then port security with sticky MAC addresses saves dynamically learned MAC addresses in the startup-config file and the port does not have to learn addresses from ingress traffic after bootup or a restart.

What are the aging parts doing, is this port "holding" the mac for 5 minutes?

Please take two minutes to read the section with the heading 'Configuring Secure MAC Address Aging on a Port'

When the aging type is configured with the absolute keyword, all the dynamically learned secure addresses age out when the aging time expires. When the aging type is configured with the inactivity keyword, the aging time defines the period of inactivity after which all the dynamically learned secure addresses age out.

When enabling port security with sticky MAC addresses, note the following information:

• When you enter the switchport port-security mac-address sticky command:

- All dynamically learned secure MAC addresses on the port are converted to sticky secure MAC addresses.

- Static secure MAC addresses are not converted to sticky MAC addresses.

- Secure MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses.

- New dynamically learned secure MAC addresses are sticky.

Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?

Yes, since this would have been learned dynamically, and remember that MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses.

It seems that with "sticky" configured, the original phone would have entered the mac as a static address and not let me boot the second phone at all, but that was not the case.

No. The first MAC addr would remain in the dynamic list of allowed addresses. The second phone would have been added to the permitted list.

I was able to put the first phone on the port and boot, then put the second phone on the port, remove it and put the first one back.

Yes. This is expected and normal behaviour.

 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky

-------------------------------------------------------------

I must admit it took me a few reads to get my head round it, but the intricacies of port security described in the URL above are correct.

hth,

Ajaz

Ok, and forgive me if this is obvious in the material you have provided, but:

It seems that I cannot get away from using a dynamic address when using a phone and workstation on the same port.

If I use static MAC addresses, I can configure the phone and workstation MACs statically, but I must allow three entries (I have tried this and this is true), which allows one dynamic MAC on the port:

interface FastEthernet4/41
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security mac-address 0013.1234.1234
 switchport port-security mac-address 0018.2345.2345
 no ip address
 wrr-queue cos-map 1 1 1
 wrr-queue cos-map 1 2 0
 wrr-queue cos-map 2 1 2 3 4 6 7
 wrr-queue cos-map 2 2 5
 mls qos trust cos
 spanning-tree portfast
end

2#sh port-sec int f4/41
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 5 mins
Aging Type                 : Inactivity
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address        : 0013.1234.1234
Last Source Address VlanId : 50
Security Violation Count   : 0

2#sh mac-address int f4/41
vlan   mac address      type     learn  age  ports
------+----------------+--------+-----+----------+--------------------------
*   10 0018.2345.2345   static   Yes    -    Fa4/41
*   50 0013.1234.1234   static   Yes    -    Fa4/41
*   10 0013.1234.1234   static   Yes    -    Fa4/41

If I configure the port for sticky and a qty of 2 max addresses, it does not enter the phone MAC address as a secure address, which still leaves a dynamic allowed address.

How would I configure the port to allow a workstation and phone while preventing someone from unplugging this workstation and phone and plugging in their laptop?
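The two outputs in this thread show the same gap from two directions: f3/3 has a sticky phone entry and one dynamic one, f4/41 has two configured entries and one dynamic one, and both sit at maximum 3. The script below is an added example written for this page (it is not from the thread or from Cisco): it parses pasted "show port-security interface" output and reports, per port, how many secure entries are dynamic and how many more addresses the port would still accept from a host nobody has pinned. The sample text is constructed from the two outputs above, and the prompt-line pattern assumes the output was pasted together with its prompt line.

```python
"""Audit pasted 'show port-security interface' output for open secure-MAC slots."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PortSecState:
    interface: str
    maximum: int
    total: int
    configured: int
    sticky: int
    violation_mode: str
    violations: int

    @property
    def dynamic(self) -> int:
        """Secure entries learned from traffic: they age out and do not survive a reload."""
        return self.total - self.configured - self.sticky

    @property
    def open_slots(self) -> int:
        """Addresses the port still accepts from an arbitrary host before a violation."""
        return self.maximum - self.configured - self.sticky


# A pasted prompt line such as "6509#sh port-sec int f3/3" starts each block.
_HEADER = re.compile(r"^\S*#\s*sh(?:ow)?\s+port-sec\S*\s+int\S*\s+(\S+)\s*$", re.M)


def parse_show_port_security(text: str) -> Dict[str, PortSecState]:
    """Parse one or more blocks; every 'Key : value' line between prompts is a field."""
    states: Dict[str, PortSecState] = {}
    headers = list(_HEADER.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields: Dict[str, str] = {}
        for line in text[h.end():end].splitlines():
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip().lower()] = val.strip()
        name = h.group(1)
        states[name] = PortSecState(
            interface=name,
            maximum=int(fields["maximum mac addresses"]),
            total=int(fields["total mac addresses"]),
            configured=int(fields["configured mac addresses"]),
            sticky=int(fields["sticky mac addresses"]),
            violation_mode=fields.get("violation mode", "unknown").lower(),
            violations=int(fields.get("security violation count", "0")),
        )
    return states


def audit(states: Dict[str, PortSecState]) -> List[str]:
    """One finding per weakness: open slots, dynamic entries, silent 'protect' mode, violations."""
    findings: List[str] = []
    for s in states.values():
        if s.open_slots > 0:
            findings.append(f"{s.interface}: accepts {s.open_slots} more unpinned MAC address(es) before a violation")
        if s.dynamic > 0:
            findings.append(f"{s.interface}: {s.dynamic} secure entry(ies) are dynamic (neither configured nor sticky) and will age out")
        if s.violation_mode == "protect":
            findings.append(f"{s.interface}: violation mode 'protect' drops offending frames silently, with no log")
        if s.violations:
            findings.append(f"{s.interface}: {s.violations} violation(s) recorded")
    return findings


# Constructed sample, paraphrased from the two outputs posted in this thread.
SAMPLE = """\
6509#sh port-sec int f3/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 3
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address VlanId : 10
Security Violation Count   : 0

2#sh port-sec int f4/41
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address VlanId : 50
Security Violation Count   : 0
"""

if __name__ == "__main__":
    for finding in audit(parse_show_port_security(SAMPLE)):
        print(finding)
```

Run against a bulk "show port-security interface" capture for every voice port and the report lists exactly the ports where the third slot is still open to whoever unplugs the phone.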

PART REPLY #1. This is a two-part reply because of restrictions on the number of characters in the text.

Ok Richard - I've done a bit more looking into this as well as some testing.

First things first:

"How would I configure the port to allow a workstation and phone while preventing someone from unplugging this workstation and phone and plugging their laptop"

One way that I know for sure you can achieve this is by using, not switchport port-security, but a MAC access-list. Take a look at this example:

------------------------------------------
mac access-list extended IPphone_&_PC
 permit host 0014.f28f.f50e any
 permit host 001c.2300.7e76 any

Switch(config)# interface fastethernet 0/1
Switch(config-if)# mac access-group IPphone_&_PC in
------------------------------------------

So it's good to know that there is a way we can totally dictate what is and what isn't allowed.

Now let's return to our favorite friend 'switchport port-security'

Switch#show run int fastEthernet 0/10
interface FastEthernet0/10
 switchport mode access
 switchport voice vlan 222
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address 0014.f28f.f50e
 switchport port-security mac-address 001c.2300.7e76
 spanning-tree portfast
Switch#

Switch#show port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type              Ports   Remaining Age
                                                       (mins)
----    -----------       ----              -----   -------------
   1    0014.f28f.f50e    SecureConfigured  Fa0/10       -
   1    001c.2300.7e76    SecureConfigured  Fa0/10       -
 222    0014.f28f.f50e    SecureDynamic     Fa0/10       -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
------------------------------------------------------------------------

PART REPLY #2

As you have probably gathered through your own testing, the IP phone MAC address is learned on two VLANs. They are, of course, the voice and access VLANs. I have hard-coded two MAC addresses into the switchport configured as follows:

interface FastEthernet0/10
 switchport mode access
 switchport voice vlan 222
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address 0014.f28f.f50e
 switchport port-security mac-address 001c.2300.7e76
 spanning-tree portfast

-------------------------

With this config the switch allows only two MAC addresses, and this should be expected:

Switch#show mac address interface fastEthernet 0/10
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
   1    0014.f28f.f50e    STATIC    Fa0/10
   1    001c.2300.7e76    STATIC    Fa0/10
Total Mac Addresses for this criterion: 2
-------------------------------------------

The problem with this is that although the phone has established a CDP neighborship with the switch at this point (see below), the phone then attempts to begin using the voice VLAN. This is considered by the switch as a new MAC address, even though it has already registered with its MAC address on the access VLAN.

Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce   Holdtme   Capability   Platform   Port ID
SEP0014F28FF50E  Fas 0/10        179       H P          IP Phone   Port 1
Switch#

---------------------------------------------

The way it is possible to enter 'switchport port-security maximum 2' is to enter the interface configuration prompt and issue 'no switchport port-security'. Follow this by hard-coding the two MAC addresses that you want. Then re-apply 'switchport port-security' followed by 'switchport port-security maximum 2'. This will prevent the phone from communicating on the voice VLAN completely. You don't even have to restart the phone to see this result. After this, enter interface configuration and type 'switchport port-security maximum 3'. As soon as you hit enter the phone will re-register.

In conclusion, then, I think it's fairly safe to say that both MAC ACLs and switchport port-security provide fairly robust mechanisms to ensure that any unwanted attempt to access network resources can be thwarted. But there is a drawback with switchport port-security in the scenario where switchports are configured for IP phone connectivity. In more specific terms, by having to allow '3' addresses just to get the IP phone up and running, you leave your network open to access by an undefined '3rd' host on that particular switchport.

IMO switchport security would work well in a situation where there is no voice or auxiliary VLAN. But clearly we can see there are some shortcomings with this approach. However, if the network environment that you manage needs to be secured in order to avert such risks, then MAC ACLs will have to be considered. Additional config and increased administration overhead will be the result, but is that worth the security trade-off?

I will be emailing Cisco vulnerability folks (psirt) with my findings

hth,

Ajaz

Wow,

Thanks for the great information.

I thought it was just me thinking the security was not what was needed to REALLY prevent someone from removing the existing phone/PC and getting on the network.

I looked at the mac access-list as well.

The having to allow the dynamic mac for the phone is the killer.

Something else to try, I got this from Cisco TAC:

"I found in the 3560 config guide for 12.2(25)SEE that you can statically set the MAC address for the data and voice VLAN. I also tried it in the lab to verify because I hadn't seen it used before.

The interface commands are:

switchport port-security (mac-address) vlan access
switchport port-security (mac-address) vlan voice

So this should be all that you need. However, with this setup, you are locking in that host on VLAN 250, meaning the PC can't connect on any other port, nor will any other PC be able to connect to this port."

Thanks a lot. I didn't know that.

It was a pleasure to help and thanks for the ratings. I have voted for your post too ; )

this is a great way to learn.

take care & all the best

Ajaz :-)

I used port-security on the ports I can nail down with a single mac-address.

On the workstation-phone ports, the access-list works great.

What I like about it is that you can have all the workstations and phones in a single access-list, then apply that to a range of ports, and those people can go anywhere in the range of ports with no problem; no one else has access.

What are your thoughts as this being the only security on those ports?

Port-security will shut down the port, but the access-list does not.

Hey Richard

Hope all is well.

What are your thoughts as this being the only security on those ports?

This is probably the most 'hardened' option available for what we want to achieve. I very much like the fact that with use of the range feature you've added mobility to the solution (5 points for you; I like it). Of course, the same MAC ACL can be applied to other access switches if there is more than one, just in case a user plugs into a port on a different switch.

Port-security will shut down the port, but the access-list does not.

This could be considered a good thing, or perhaps not so good. It all depends on the nature of your business, i.e. how sensitive the data is (risks), and what the organization's security policy dictates. The drawback is the administrative overhead required to maintain this solution, i.e. shutdown. IIRC, violation restrict using port-security does this anyway. A combination of port-security and MAC access-lists can get you there, or close, I'm sure. And why not, I say: take the best of both worlds!

What d'ya say?

regards

Ajaz

Ajaz,

Many thanks for the information you provided in this post.

I learn a lot from this forum.

The administration is the pain with this security feature.

I work in a bank, so security is #1 with auditors.

I do like the access-list much better, but one thing:

It looks like you can not add/subtract a single line in the mac access-list, which would make it even better.

Am I wrong about that? Is it possible to add or remove a single mac from the access-list?
