Thanks for the quick reply.

I have raised it to 4 and it looks like this:

3750-LL-1#show port-security inter fa1/0/1

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Restrict

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 4

Total MAC Addresses : 3

Configured MAC Addresses : 0

Sticky MAC Addresses : 2

Last Source Address : 0001.e324.6f48:10

Security Violation Count : 0

3750-LL-1#show port-security address

Secure Mac Address Table

-------------------------------------------------------------------

Vlan Mac Address Type Ports Remaining Age

(mins)

---- ----------- ---- ----- -------------

2 0003.ff53.553c SecureSticky Fa1/0/1 -

2 001e.c952.553c SecureSticky Fa1/0/1 -

10 0001.e324.6f48 SecureDynamic Fa1/0/1 -

Thanks again,

Chris

Chris,

Did you do a write mem after configuring the port-security sticky on the port. You need to do a write mem in order to have all the mac-addresses added to the running-config of the switch.

-amit singh

Just did it.

Same result :-(

Chris

Chris,

Please paste the "show run" from the switch and show version.

-amit singh

3750-LL-1#show version

Cisco Internetwork Operating System Software

IOS (tm) C3750 Software (C3750-I9-M), Version 12.2(20)SE4, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2005 by cisco Systems, Inc.

Compiled Sun 09-Jan-05 00:09 by antonino

Image text-base: 0x00003000, data-base: 0x0099748C

ROM: Bootstrap program is C3750 boot loader

BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(19r)EA1b, RELEASE SOFTWARE (fc2)

3750-LL-1 uptime is 1 year, 48 weeks, 5 days, 21 hours, 46 minutes

System returned to ROM by power-on

System image file is "flash:c3750-i9-mz.122-20.SE4.bin"

cisco WS-C3750-48P (PowerPC405) processor (revision D0) with 118784K/12280K bytes of memory.

Processor board ID CAT0847R1TY

Last reset from power-on

2 Virtual Ethernet/IEEE 802.3 interface(s)

192 FastEthernet/IEEE 802.3 interface(s)

16 Gigabit Ethernet/IEEE 802.3 interface(s)

The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address : 00:12:80:9D:7B:00

Motherboard assembly number : 73-8310-07

Power supply part number : 341-0029-03

Motherboard serial number : CAT08470DAE

Power supply serial number : LIT08440AFH

Model revision number : D0

Motherboard revision number : A0

Model number : WS-C3750-48PS-S

System serial number : CAT0847R1TY

SFP Module assembly part number : 73-7757-02

SFP Module revision Number : A0

SFP Module serial number : CAT0843076Q

Top Assembly Part Number : 800-21980-02

Top Assembly Revision Number : B0

Version ID : N/A

Hardware Board Revision Number : 0x0C

Switch Ports Model SW Version SW Image

------ ----- ----- ---------- ----------

1 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M

2 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M

3 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M

* 4 52 WS-C3750-48P 12.2(20)SE4 C3750-I9-M

Switch 01

---------

Switch Uptime : 1 year, 48 weeks, 5 days, 21 hours, 41 minutes

Base ethernet MAC Address : 00:12:80:DB:7D:80

Motherboard assembly number : 73-8310-07

Power supply part number : 341-0029-03

Motherboard serial number : CAT0848010K

Power supply serial number : LIT08440A5G

Model revision number : D0

Motherboard revision number : A0

Model number : WS-C3750-48PS-S

System serial number : CAT0847R27Q

SFP Module assembly part number : 73-7757-02

SFP Module revision number : A0

SFP Module serial number : CAT084501J8

Top assembly part number : 800-21980-02

Top assembly revision number : B0

Version ID : N/A

Switch 02

---------

Switch Uptime : 1 year, 48 weeks, 5 days, 21 hours, 42 minutes

Base ethernet MAC Address : 00:12:80:9D:9E:80

Motherboard assembly number : 73-8310-07

Power supply part number : 341-0029-03

Motherboard serial number : CAT08470D8T

Power supply serial number : LIT084409VW

Model revision number : D0

Motherboard revision number : A0

Model number : WS-C3750-48PS-S

System serial number : CAT0847R1S5

SFP Module assembly part number : 73-7757-02

SFP Module revision number : A0

SFP Module serial number : CAT08430CHK

Top assembly part number : 800-21980-02

Top assembly revision number : B0

Version ID : N/A

Switch 03

---------

Switch Uptime : 1 year, 48 weeks, 5 days, 21 hours, 41 minutes

Base ethernet MAC Address : 00:12:80:DB:72:80

The show run is too big.

which parts of it do you need?

regards,

Chris

The config for the switch that you are working on currently with the port-security with you PC and Ip phones.

version 12.2

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname 3750-LL-1

!

logging buffered 131072 debugging

!

clock timezone MEZ 1

clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00

switch 1 provision ws-c3750-48p

switch 2 provision ws-c3750-48p

switch 3 provision ws-c3750-48p

switch 4 provision ws-c3750-48p

ip subnet-zero

no ip source-route

!

vtp domain csu-bayern.de

vtp mode transparent

cluster enable 3750-LL-C1 0

!

mls qos srr-queue input cos-map queue 1 threshold 1 5

mls qos srr-queue input cos-map queue 2 threshold 1 6 7

mls qos

spanning-tree mode rapid-pvst

spanning-tree portfast bpduguard default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

!

power inline consumption default 7000

!

!

vlan 2

name data

!

vlan 7

name admin

!

vlan 10

name voice

!

vlan 4093

name csu-default

!

vlan 4094

name csu-native

!

interface FastEthernet1/0/1

switchport access vlan 2

switchport mode access

switchport voice vlan 10

switchport port-security

switchport port-security maximum 4

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0003.ff53.553c

switchport port-security mac-address sticky 001e.c952.553c

priority-queue out

mls qos trust cos

no mdix auto

fair-queue

spanning-tree portfast

for a test have you tried to input the phone mac address manually "switchport port-security mac-address [phone mac address]".

Francisco

OK Francisco - I'll give it a try.

So after entering the ip phone address (switchport port-security mac-address 0001.e324.6f48) I have the following results:

750-LL-1#show port-security address

Secure Mac Address Table

-------------------------------------------------------------------

Vlan Mac Address Type Ports Remaining Age

(mins)

---- ----------- ---- ----- -------------

2 0001.e324.6f48 SecureConfigured Fa1/0/1 -

2 0003.ff53.553c SecureSticky Fa1/0/1 -

2 001e.c952.553c SecureSticky Fa1/0/1 -

10 0001.e324.6f48 SecureDynamic Fa1/0/1 -

As you can see, the phone has 2 entries, one as SecureConfigured and one as SecureDynamic.

But with different VLANS!

Now the best thing here would be to reduce the maximum allowed macs to 3, right. Lets try:

3750-LL-1(config-if)#switchport port-security maximum 3

Maximum is less than number of currently secured mac-addresses.

Baaaaaaaaaaaaaah!

So now I will try to sum this one up:

I'm trying to set up port-security on my network using sticky mac addresses instead of manually entering the macs to reduce the workload on my colleagues .

My switch port has a maximum of 3 nodes on it (1 PC, 1 telephone and 1 VM) so I have set the maximum of allowed mac addresses to 3. I have also enabled the

mac-address sticky function which should convert to already learned macs (Securedynamic) into SecureSticky macs. This works for the pcs but not for the ip phone.

The ip phone remains as a Securedynamic address. After entering the ip phone address as a SecureConfigured address, the phone appears twice in the Secure Mac Address Table.

The result of this is that my phone is not included in my switchport port-security policy and I cannot prevent somebody unplugging a phone and plugging in a non-trustred pc

into my network. Eeeek!

So after reading the release notes, I have got this to work with:

When a voice VLAN is configured on a secure port that is also configured as a sticky secure port,

all addresses on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on

the access VLAN to which the port belongs are learned as sticky secure addresses.

• You cannot configure static secure MAC addresses in the voice VLAN.

What I don not understand is why my SecureDynamic macs do not work with my port-security settings.

By default the IP Phone does not know the Voice VLAN Tag so when it initially boots up it will appear on the access VLAN. As soon as CDP kicks in it will then begin to transmit packets with the Voice VLAN tag so you will see two entries in the CAM table (and port-security table). There was a behaviour change in IOS whereby once the switch saw CDP from the IP Phone it would remove the MAC entry for it from the access VLAN.

I think this came in 12.2(35)SE so I would suggest you upgrade the IOS (latest is 12.2(46)SE). I am not sure if this will solve the issue though as the phone will always initially appear on the access VLAN. However try it and see.

As an access-port template we normally deploy port-security to prevent people plugging in unauthorised hubs and switches. I have played around with sticky MAC addresses but almost always remove it due due to the administrative overhead.

Andy

Thanks Andy for the detailed information.

We use access lists as well but with 192 FE ports per stack, this is terrilble!

What I don't get is that if I have 2 SecureSticky nodes (PCs) and 1 SecureDynamic node (telephone) as shown here:

2 0003.ff53.553c SecureSticky Fa1/0/1 -

2 001e.c952.553c SecureSticky Fa1/0/1 -

10 0001.e324.6f48 SecureDynamic Fa1/0/1 -

why doesn't the 'switchport port-security violation restrict' action kick in if my limit of 3 macs if violated. Doesn't it take the SecureDynamic macs into account?

Thanks again,

Chris

Now I get it, the dynamic entries are really dynamic and as soon as I unplug a node, the macs are released from the switch unless I use the sticky commands.

Chris