Switch Port-Security problems with voice vlan

Unanswered Question
Nov 5th, 2008

Hi guys and girls,

I'm trying to set up port-security on my network using sticky MAC addresses instead of manually entering the MACs, to reduce the workload on my colleagues.

My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM) and looked like this before being 'secured':

interface FastEthernet1/0/1
 switchport access vlan 2
 switchport voice vlan 10
 priority-queue out
 mls qos trust cos
 no mdix auto
 fair-queue
 spanning-tree portfast

and after:

interface FastEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0003.ff53.553c
 switchport port-security mac-address sticky 001e.c952.553c
 priority-queue out
 mls qos trust cos
 no mdix auto
 fair-queue
 spanning-tree portfast

The "switchport port-security mac-address sticky" addresses were obtained automatically.

A "show port-security interface fa1/0/1" looks like this:

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 0001.e324.6f48:10
Security Violation Count   : 0

and my "show version" looks like this:

Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1)

Now the 'stickiness' has picked up my 2 PC nodes but not my telephone, which is included in the 'Total MAC Addresses' count.

This means that if I unplug my telephone and replace it with a PC, this PC will access my network. Bad news!

And now for the million dollar question:

How can I set up my port to auto-learn my telephone and put this in the sticky table, thus blocking any traffic that is not coming from a trusted or learned node and keeping my port safe and sound? We cannot enter the MACs manually as we have a 192-port stack and no time!

Please help,

Chris

Amit Singh Wed, 11/05/2008 - 07:11

Chris,

Try changing the port-security max count to 4 and check if your phone's MAC comes into the table.

chris.king@csu-... Wed, 11/05/2008 - 07:17

Thanks for the quick reply.

I have raised it to 4 and it looks like this:

3750-LL-1#show port-security inter fa1/0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address        : 0001.e324.6f48:10
Security Violation Count   : 0

3750-LL-1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports     Remaining Age
                                                        (mins)
----    -----------       ----             -----     -------------
   2    0003.ff53.553c    SecureSticky     Fa1/0/1         -
   2    001e.c952.553c    SecureSticky     Fa1/0/1         -
  10    0001.e324.6f48    SecureDynamic    Fa1/0/1         -

Thanks again,

Chris

Amit Singh Wed, 11/05/2008 - 07:22

Chris,

Did you do a "write mem" after configuring the port-security sticky on the port? You need to do a "write mem" in order to have all the MAC addresses added to the running-config of the switch.

-amit singh

Amit Singh Wed, 11/05/2008 - 07:41

Chris,

Please paste the "show run" and "show version" from the switch.

-amit singh

chris.king@csu-... Wed, 11/05/2008 - 07:43

3750-LL-1#show version
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Sun 09-Jan-05 00:09 by antonino
Image text-base: 0x00003000, data-base: 0x0099748C

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(19r)EA1b, RELEASE SOFTWARE (fc2)

3750-LL-1 uptime is 1 year, 48 weeks, 5 days, 21 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:c3750-i9-mz.122-20.SE4.bin"

cisco WS-C3750-48P (PowerPC405) processor (revision D0) with 118784K/12280K bytes of memory.
Processor board ID CAT0847R1TY
Last reset from power-on
2 Virtual Ethernet/IEEE 802.3 interface(s)
192 FastEthernet/IEEE 802.3 interface(s)
16 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:12:80:9D:7B:00
Motherboard assembly number     : 73-8310-07
Power supply part number        : 341-0029-03
Motherboard serial number       : CAT08470DAE
Power supply serial number      : LIT08440AFH
Model revision number           : D0
Motherboard revision number     : A0
Model number                    : WS-C3750-48PS-S
System serial number            : CAT0847R1TY
SFP Module assembly part number : 73-7757-02
SFP Module revision Number      : A0
SFP Module serial number        : CAT0843076Q
Top Assembly Part Number        : 800-21980-02
Top Assembly Revision Number    : B0
Version ID                      : N/A
Hardware Board Revision Number  : 0x0C

Switch   Ports  Model          SW Version   SW Image
------   -----  -----          ----------   ----------
     1   52     WS-C3750-48P   12.2(20)SE4  C3750-I9-M
     2   52     WS-C3750-48P   12.2(20)SE4  C3750-I9-M
     3   52     WS-C3750-48P   12.2(20)SE4  C3750-I9-M
*    4   52     WS-C3750-48P   12.2(20)SE4  C3750-I9-M

Switch 01
---------
Switch Uptime                   : 1 year, 48 weeks, 5 days, 21 hours, 41 minutes
Base ethernet MAC Address       : 00:12:80:DB:7D:80
Motherboard assembly number     : 73-8310-07
Power supply part number        : 341-0029-03
Motherboard serial number       : CAT0848010K
Power supply serial number      : LIT08440A5G
Model revision number           : D0
Motherboard revision number     : A0
Model number                    : WS-C3750-48PS-S
System serial number            : CAT0847R27Q
SFP Module assembly part number : 73-7757-02
SFP Module revision number      : A0
SFP Module serial number        : CAT084501J8
Top assembly part number        : 800-21980-02
Top assembly revision number    : B0
Version ID                      : N/A

Switch 02
---------
Switch Uptime                   : 1 year, 48 weeks, 5 days, 21 hours, 42 minutes
Base ethernet MAC Address       : 00:12:80:9D:9E:80
Motherboard assembly number     : 73-8310-07
Power supply part number        : 341-0029-03
Motherboard serial number       : CAT08470D8T
Power supply serial number      : LIT084409VW
Model revision number           : D0
Motherboard revision number     : A0
Model number                    : WS-C3750-48PS-S
System serial number            : CAT0847R1S5
SFP Module assembly part number : 73-7757-02
SFP Module revision number      : A0
SFP Module serial number        : CAT08430CHK
Top assembly part number        : 800-21980-02
Top assembly revision number    : B0
Version ID                      : N/A

Switch 03
---------
Switch Uptime                   : 1 year, 48 weeks, 5 days, 21 hours, 41 minutes
Base ethernet MAC Address       : 00:12:80:DB:72:80

Amit Singh Wed, 11/05/2008 - 07:51

The config for the switch that you are currently working on, with the port-security for your PC and IP phones.

chris.king@csu-... Wed, 11/05/2008 - 07:55

version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 3750-LL-1
!
logging buffered 131072 debugging
!
clock timezone MEZ 1
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750-48p
switch 2 provision ws-c3750-48p
switch 3 provision ws-c3750-48p
switch 4 provision ws-c3750-48p
ip subnet-zero
no ip source-route
!
vtp domain csu-bayern.de
vtp mode transparent
cluster enable 3750-LL-C1 0
!
mls qos srr-queue input cos-map queue 1 threshold 1 5
mls qos srr-queue input cos-map queue 2 threshold 1 6 7
mls qos
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
power inline consumption default 7000
!
!
vlan 2
 name data
!
vlan 7
 name admin
!
vlan 10
 name voice
!
vlan 4093
 name csu-default
!
vlan 4094
 name csu-native
!
interface FastEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0003.ff53.553c
 switchport port-security mac-address sticky 001e.c952.553c
 priority-queue out
 mls qos trust cos
 no mdix auto
 fair-queue
 spanning-tree portfast

francisco_1 Wed, 11/05/2008 - 08:14

For a test, have you tried to input the phone MAC address manually: "switchport port-security mac-address [phone mac address]"?

Francisco

chris.king@csu-... Thu, 11/06/2008 - 00:52

OK Francisco, I'll give it a try.

So after entering the IP phone address (switchport port-security mac-address 0001.e324.6f48) I have the following results:

3750-LL-1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports     Remaining Age
                                                           (mins)
----    -----------       ----                -----     -------------
   2    0001.e324.6f48    SecureConfigured    Fa1/0/1         -
   2    0003.ff53.553c    SecureSticky        Fa1/0/1         -
   2    001e.c952.553c    SecureSticky        Fa1/0/1         -
  10    0001.e324.6f48    SecureDynamic       Fa1/0/1         -

As you can see, the phone has 2 entries, one as SecureConfigured and one as SecureDynamic. But with different VLANs!

Now the best thing here would be to reduce the maximum allowed MACs to 3, right? Let's try:

3750-LL-1(config-if)#switchport port-security maximum 3
Maximum is less than number of currently secured mac-addresses.

Baaaaaaaaaaaaaah!

So now I will try to sum this one up:

I'm trying to set up port-security on my network using sticky MAC addresses instead of manually entering the MACs, to reduce the workload on my colleagues.

My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM), so I have set the maximum of allowed MAC addresses to 3. I have also enabled the mac-address sticky function, which should convert the already learned MACs (SecureDynamic) into SecureSticky MACs. This works for the PCs but not for the IP phone.

The IP phone remains as a SecureDynamic address. After entering the IP phone address as a SecureConfigured address, the phone appears twice in the Secure Mac Address Table.

The result of this is that my phone is not included in my switchport port-security policy and I cannot prevent somebody unplugging a phone and plugging a non-trusted PC into my network. Eeeek!

So after reading the release notes, I have got this to work with:

"When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN to which the port belongs are learned as sticky secure addresses.

• You cannot configure static secure MAC addresses in the voice VLAN."

What I do not understand is why my SecureDynamic MACs do not work with my port-security settings.

andrew.butterworth Thu, 11/06/2008 - 03:53

By default the IP Phone does not know the Voice VLAN Tag so when it initially boots up it will appear on the access VLAN. As soon as CDP kicks in it will then begin to transmit packets with the Voice VLAN tag so you will see two entries in the CAM table (and port-security table). There was a behaviour change in IOS whereby once the switch saw CDP from the IP Phone it would remove the MAC entry for it from the access VLAN.

I think this came in 12.2(35)SE so I would suggest you upgrade the IOS (latest is 12.2(46)SE). I am not sure if this will solve the issue though as the phone will always initially appear on the access VLAN. However try it and see.

As an access-port template we normally deploy port-security to prevent people plugging in unauthorised hubs and switches. I have played around with sticky MAC addresses but almost always remove it due to the administrative overhead.

Andy

chris.king@csu-... Thu, 11/06/2008 - 05:09

Thanks Andy for the detailed information.

We use access lists as well, but with 192 FE ports per stack, this is terrible!

What I don't get is that if I have 2 SecureSticky nodes (PCs) and 1 SecureDynamic node (telephone) as shown here:

   2    0003.ff53.553c    SecureSticky     Fa1/0/1         -
   2    001e.c952.553c    SecureSticky     Fa1/0/1         -
  10    0001.e324.6f48    SecureDynamic    Fa1/0/1         -

why doesn't the 'switchport port-security violation restrict' action kick in if my limit of 3 MACs is violated? Doesn't it take the SecureDynamic MACs into account?

Thanks again,

Chris

chris.king@csu-... Thu, 11/06/2008 - 05:44

Now I get it: the dynamic entries are really dynamic, and as soon as I unplug a node the MACs are released from the switch unless I use the sticky commands.

Chris

chris.king@csu-... Thu, 11/06/2008 - 08:34

Reply to my own posting here!

What I am trying to do will not work.

Maybe this will help somebody else who would like to set up port security with a voice VLAN. The IP phone MAC is picked up as 'SecureDynamic' and cannot be converted to a 'static' record. This means that as soon as you unplug the IP phone, this record is removed from the switch and an intruder can break into your network by plugging in a notebook. The only way to protect your ports with IP phones is to use access-lists that must be manually edited, thus creating loads of work when you have stacks with 192 FE ports like us. This is not a moan, but I would just like to put this down as I see it and of course thank all of you for the advice that I got. I have also learned a lot during these 2 days and will check the release notes of later IOS versions to see if an update can help. If so I will be updating over Christmas (we have a 24/7 network) if I get the offline time. If anybody has another idea, please let me know and I will get the virtual beers in.

regards, Chris
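The gap the thread uncovers (a phone on the voice VLAN is only ever a SecureDynamic entry, so its slot becomes learnable again the moment the phone is unplugged) can be audited across a stack from the "show port-security address" output. The following is an added example, not code from the thread or from Cisco: it parses that table, lists ports whose voice-VLAN addresses are only dynamic, and counts how many slots on a port an unknown device could take once the dynamic entries are gone. The sample table is constructed from the thread's Fa1/0/1 output plus a hypothetical Fa1/0/2 whose phone entry is sticky for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: Fa1/0/1 rows are from the thread; Fa1/0/2 is hypothetical.
SAMPLE = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports     Remaining Age
                                                        (mins)
----    -----------       ----             -----     -------------
   2    0003.ff53.553c    SecureSticky     Fa1/0/1         -
   2    001e.c952.553c    SecureSticky     Fa1/0/1         -
  10    0001.e324.6f48    SecureDynamic    Fa1/0/1         -
   2    0011.2233.4455    SecureSticky     Fa1/0/2         -
  10    0011.2233.4456    SecureSticky     Fa1/0/2         -
"""

# One table row: VLAN, dotted-hex MAC, Secure* type, port name.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)")

def parse_secure_table(text):
    """Return {port: [(vlan, mac, type), ...]} from 'show port-security address'."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and '(mins)' lines do not match
            vlan, mac, kind, port = m.groups()
            entries[port].append((int(vlan), mac, kind))
    return dict(entries)

def unprotected_voice_entries(entries, voice_vlans):
    """Ports whose voice-VLAN MACs are only SecureDynamic: these entries are
    dropped when the phone is unplugged, so the port will learn whatever
    is plugged in next (the exposure described in the thread)."""
    findings = {}
    for port, rows in entries.items():
        dyn = [mac for vlan, mac, kind in rows
               if vlan in voice_vlans and kind == "SecureDynamic"]
        if dyn:
            findings[port] = dyn
    return findings

def learnable_slots(rows, maximum):
    """Slots an unknown device could take after dynamic entries are released:
    the configured maximum minus entries that survive a disconnect."""
    persistent = sum(1 for _, _, kind in rows
                     if kind in ("SecureSticky", "SecureConfigured"))
    return max(maximum - persistent, 0)

if __name__ == "__main__":
    table = parse_secure_table(SAMPLE)
    print(unprotected_voice_entries(table, {10}))
    print(learnable_slots(table["Fa1/0/1"], 3))
```

With maximum 3 on Fa1/0/1 and two sticky PCs, one slot stays learnable after the phone is removed; a port is only closed when sticky plus configured entries equal the maximum.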
