no connection when no PoE

Mar 12th, 2008

Is it possible to deny access to a port when power was NOT granted?

Used for: deny access to e.g. laptops (which don't need PoE) - they should not be connected to a port which is used for IP phones (which DO use PoE)


Eh, I'll just post it anyway. There's a new feature (introduced in 12.2(37)SE) for the 3[67]50 called switchport voice detect.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/command/reference/cli3.html#wp3163199


Toggle that on an interface and this is what happens:


Phone plugged in:

*Mar 1 00:17:25.874: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar 1 00:17:26.881: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

*Mar 1 00:17:30.530: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/1 in full duplex mode


PC plugged in directly:

*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar 1 00:11:41.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration

*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

*Mar 1 00:12:52.372: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

*Mar 1 00:12:53.379: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down


It does take a bit (~1 min), note the timestamps on the log entries. This is the interface afterwards:

Switch#sh interfaces f0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)


It's not a bad feature, especially for unsecured areas. Suggestions:

*) I would like to see it clamp down on the wire a little quicker, perhaps a configurable timer?

*) The err-disable state requires you to take action on the switch. I'd rather the port come back up on its own after some period of time. The feature's prolly using the same calls as bpdu-guard but then again I'd also like to see that reset on its own.

*) Rolling the feature out to the other switching platforms would also be nice.
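
The delay noted in this answer can be measured from the switch's syslog. The Python sketch below is an added example, not part of the original post: it correlates the link-up, CPDE violation and err-disable messages per port and reports how long the non-phone device had link before detection. The sample lines are the ones quoted in the answer; the year 2000 is a placeholder because the log has none, and names such as find_violations are hypothetical.

```python
import re
from datetime import datetime

# Log lines quoted in the answer above (PC plugged into a voice-detect port).
SAMPLE = """\
*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:11:41.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration
*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
"""

LINE = re.compile(r"^\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
UP = re.compile(r"Interface (\S+), changed state to up")
VIOLATION = re.compile(r"Device detected on (\S+) violating configuration")
ERRDIS = re.compile(r"security-violation error detected on (\S+),")

def short(name):
    # Messages mix long and short interface names; normalise to correlate them.
    return name.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")

def find_violations(text):
    """Return one record per port that logged a voice-detect violation."""
    link_up, found = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The log carries no year; 2000 is a placeholder so parsing is unambiguous.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        tag, msg = m.group(2), m.group(3)
        if tag == "LINK-3-UPDOWN" and (u := UP.match(msg)):
            link_up[short(u.group(1))] = ts
        elif tag == "CPDE-6-DETECT" and (v := VIOLATION.match(msg)):
            port = short(v.group(1))
            up = link_up.get(port)
            # exposure_s: how long the non-phone device had link before detection.
            found[port] = {"port": port, "at": ts, "err_disabled": False,
                           "exposure_s": (ts - up).total_seconds() if up else None}
        elif tag == "PM-4-ERR_DISABLE" and (e := ERRDIS.match(msg)):
            if short(e.group(1)) in found:
                found[short(e.group(1))]["err_disabled"] = True
    return list(found.values())

if __name__ == "__main__":
    for rec in find_violations(SAMPLE):
        print(rec["port"], "exposed for", rec["exposure_s"], "s; err-disabled:", rec["err_disabled"])
```
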

johanhofmans Thu, 03/13/2008 - 00:51

Seems like a nice feature, but we're not using Cisco IP phones.


Then I think that you're down to locking the ports down via the MAC address of the phones you're using. There's nothing that I can think of that toggles port states based on PoE. I guess *maybe* you could write something with TCL and combine it with EEM. That's a big maybe tho.
