04-23-2009 07:41 AM - edited 03-06-2019 05:21 AM
Hi,
This is my first attempt at adding port-security, but it looks like it should work to me. I'm trying to set a port so that users can only put 1 device on the end... for phones, the phone itself and 1 PC on the end. An example of my port is as follows:
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode access
switchport voice vlan 141
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
no logging event link-status
storm-control broadcast level 20.00
storm-control multicast level 50.00
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
However, when a single user adds a single PC (or phone and PC) to these ports, it goes into lockdown.
What am I missing?
04-23-2009 08:24 AM
Hi,
When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
"switchport port-security maximum 2 vlan access"
will work.
Routing and Switching Forums: http://www.routerie.com
Security Forums: http://www.securityie.com
Voice Forums: http://www.voiceie.com
04-23-2009 08:31 AM
Is this because the phone starts in the "access" VLAN for the first CDP packet when it powers up (PoE/VLAN)?
In that case, would
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
work?
04-23-2009 09:01 AM
Is this because the phone starts in the "access" VLAN for the first CDP packet when it powers up (PoE/VLAN)?
Well said - that's the reason why you need to allow two MAC addresses in the data VLAN.
Yes, your example will work.
___
Edison.
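An added example, not part of the original thread: a small Python check that applies the rule from the replies above to a switch configuration, flagging ports that have a voice VLAN and port security enabled but allow fewer than two secure addresses in the access VLAN. The sample configuration and the function names are constructed for illustration, and treating an unset maximum as 1 is an assumption.

```python
import re

# Constructed sample: Fa0/6 is the thread's port, Fa0/7 the agreed fix, Fa0/8 has no voice VLAN.
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport voice vlan 141
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
interface FastEthernet0/7
 switchport voice vlan 141
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
interface FastEthernet0/8
 switchport mode access
 switchport port-security
"""
DEFAULT_MAX = 1  # assumption: an unset maximum means one secure address
MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?$")

def interface_blocks(config):
    """Map each interface name to the commands in its stanza."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("", "!"):
            current = None
        elif current:
            blocks[current].append(line)
    return blocks

def audit(config):
    """Return (interface, access_max) for voice ports allowing < 2 access MACs."""
    findings = []
    for name, cmds in interface_blocks(config).items():
        voice = any(re.match(r"switchport voice vlan \d+", c) for c in cmds)
        if voice and "switchport port-security" in cmds:
            limits = {"port": DEFAULT_MAX}
            for m in filter(None, map(MAX_RE.match, cmds)):
                limits[m.group(2) or "port"] = int(m.group(1))
            # A per-VLAN access limit takes precedence over the port-wide one here.
            access_max = limits.get("access", limits["port"])
            if access_max < 2:
                findings.append((name, access_max))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports only FastEthernet0/6, the port configured as in the original question.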