692 Views | 0 Helpful | 6 Replies

no connection when no PoE

johanhofmans
Level 1

Is it possible to deny access to a port when power was NOT granted?

used for: deny access to e.g. laptops (which don't need PoE) - they should not be connected to a port which is used for IP phones (which DO use PoE)

6 Replies

jcoke
Level 3

What switch platform are you on? Some of these security features can vary platform to platform.

catalyst 3560

jcoke
Level 3

Eh, I'll just post it anyway. There's a new feature (introduced in 12.2(37)SE) for the 3[67]50 called switchport voice detect.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/command/reference/cli3.html#wp3163199

Toggle that on an interface and this is what happens:

Phone plugged in:

*Mar 1 00:17:25.874: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar 1 00:17:26.881: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

*Mar 1 00:17:30.530: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/1 in full duplex mode

PC plugged in directly:

*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar 1 00:11:41.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration

*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

*Mar 1 00:12:52.372: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

*Mar 1 00:12:53.379: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

It does take a bit (~1 min); note the timestamps on the log entries. This is the interface afterwards:

Switch#sh interfaces f0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)

It's not a bad feature, especially for unsecured areas. Suggestions:

*) I would like to see it clamp down on the wire a little quicker, perhaps a configurable timer?

*) The err-disable state requires you to take action on the switch. I'd rather the port come back up on its own after some period of time. The feature's prolly using the same calls as bpdu-guard but then again I'd also like to see that reset on its own.

*) Rolling the feature out to the other switching platforms would also be nice.
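Added example, not part of the thread and not Cisco's code: a small Python checker that parses the IOS syslog lines quoted above, normalizes the two interface spellings the switch uses (FastEthernet0/1 in the link messages, Fa0/1 in the err-disable message), and reports which ports ended up err-disabled, why, and how long after link-up the clamp-down happened. The sample log text is copied from the post; the regexes, function names and the per-port record layout are my own assumptions, written for a monitoring script that watches a syslog feed for ports that need manual recovery.

```python
import re
from datetime import datetime

# Syslog lines quoted in the post above: a PC plugged directly into a
# port with "switchport voice detect" enabled.
PC_LOG = """\
*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:11:41.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration
*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:12:52.372: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:12:53.379: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

# Same post: a Cisco IP phone plugged into the same port (no violation).
PHONE_LOG = """\
*Mar 1 00:17:25.874: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:26.881: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:30.530: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/1 in full duplex mode
"""

# "*Mar 1 00:11:40.801: %FACILITY-SEV-MNEMONIC: message" (assumed IOS format)
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$"
)
# Long and short interface names refer to the same port; map both to the short form.
IFACE_RE = re.compile(r"\b(FastEthernet|GigabitEthernet|Fa|Gi)(\d+(?:/\d+)+)\b")
ABBR = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "Fa": "Fa", "Gi": "Gi"}


def parse_ts(text):
    # IOS timestamps carry no year; strptime fills in 1900, which is fine for deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def normalize_iface(msg):
    m = IFACE_RE.search(msg)
    return None if m is None else ABBR[m.group(1)] + m.group(2)


def analyze(log_text):
    """Return a per-port record correlating link-up, voice-detect violation and err-disable."""
    ports = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # not a syslog line we understand; skip rather than guess
        iface = normalize_iface(m["msg"])
        if iface is None:
            continue
        rec = ports.setdefault(
            iface, {"link_up": None, "violation": None, "err_disabled": None, "reason": None}
        )
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if m["fac"] == "LINK" and m["mnem"] == "UPDOWN" and msg.endswith("to up"):
            rec["link_up"] = ts
        elif m["mnem"] == "DETECT" and "violating" in msg:
            rec["violation"] = ts
        elif m["mnem"] == "ERR_DISABLE":
            rec["err_disabled"] = ts
            r = re.match(r"([\w-]+) error detected", msg)
            rec["reason"] = r.group(1) if r else "unknown"
    return ports


def seconds_to_err_disable(rec):
    """Seconds from link-up to err-disable, or None if the port was never disabled."""
    if rec["link_up"] is None or rec["err_disabled"] is None:
        return None
    return (rec["err_disabled"] - rec["link_up"]).total_seconds()


def err_disabled_ports(ports):
    """Ports that need an operator (or errdisable recovery) to bring them back."""
    return sorted(name for name, rec in ports.items() if rec["err_disabled"] is not None)


if __name__ == "__main__":
    for label, log in (("PC", PC_LOG), ("phone", PHONE_LOG)):
        ports = analyze(log)
        for name in err_disabled_ports(ports):
            rec = ports[name]
            print(f"{label}: {name} err-disabled ({rec['reason']}) "
                  f"{seconds_to_err_disable(rec):.3f}s after link-up")
        if not err_disabled_ports(ports):
            print(f"{label}: no ports err-disabled")
```

Run against the two samples, the PC case reports Fa0/1 err-disabled for security-violation about 70.6 seconds after link-up (the "~1 min" the post mentions), while the phone case reports nothing, which is the behaviour you would want an alert on.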

Seems like a nice feature, but we're not using cisco ip phones.

Then I think that you're down to locking the ports down via the MAC address of the phones you're using. There's nothing that I can think of that toggles port states based on PoE. I guess *maybe* you could write something with TCL and combine it with EEM. That's a big maybe tho.

ok - thanks for your help
