Thanks, i thought it should work, the problem is i'm getting

Jul 20 09:59:00.980 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred

, caused by MAC address 0013.7298.1d0c on port FastEthernet0/10.

This is the MAC of the PC attached to the phone.

Ideas on what to look at next?

JM

(agreed, vlan 1 is not optimal, but it's too much of a PITA to change it for this site at the moment).

'sh port-security int f0/10' will tell you how many addresses have been allocated.

if the old mac-address aren't timing out on time, you should adjust the timers.

Interesting, I think we're getting somewhere. If i do not have the statement "switchport port-security maximum 2" added in addition to my vlan specifics, it does not recognize more than 1 address.

interface FastEthernet0/10

switchport trunk encapsulation dot1q

switchport mode access

switchport voice vlan 141

switchport port-security maximum 2

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

no logging event link-status

storm-control broadcast level 20.00

storm-control multicast level 50.00

spanning-tree portfast

spanning-tree bpdufilter enable

spanning-tree guard root

If i take that out, then i go back to this:

Civic41#sho port-security interface f0/10

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Restrict

Aging Time : 2 mins

Aging Type : Inactivity

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 1

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0013.7298.1d0c:1

Security Violation Count : 1

bug?

Is it happening in all switchports?

I copied and paste your config on a switch and just made changes on the access vlan and voice vlan as they were created on the switch:

Rack1SW1(config-if)#do show run int f0/1

Building configuration...

Current configuration : 585 bytes

!

interface FastEthernet0/1

switchport access vlan 18

switchport mode access

switchport voice vlan 7

switchport port-security maximum 2

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

no logging event link-status

storm-control broadcast level 20.00

storm-control multicast level 50.00

spanning-tree portfast

spanning-tree bpdufilter enable

spanning-tree guard root

end

Rack1SW1(config-if)#do show port-sec int f0/1

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Restrict

Aging Time : 2 mins

Aging Type : Inactivity

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 2

Total MAC Addresses : 1

Configured MAC Addresses : 0

Sticky MAC Addresses : 0

Last Source Address:Vlan : 000e.d780.3640:18

Security Violation Count : 0

BTW, you may want to change the maximum to 3 based on what I explained before.

Config should look like this:

switchport port-security maximum 3

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

Right, but does the base "switchport port-security maximum 3" even need to be there if the other two statements are there? i thought that statement was an older option before specifying vlans became an option?

Edison,

I have 2 3560s that are running IOS 12.2(50).

These two commands are not supported:

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

Here is the output

switch-1(config-if)#do sh run inter gi0/47

Building configuration...

Current configuration : 73 bytes

!

interface GigabitEthernet0/47

switchport port-security maximum 3

end

switch-1(config-if)#switchport port-security maximum 2 ?

if I try switchport port-security maximum 2, it will replace 3

Thanks,

Reza

1) You need to statically set to port to access 'switchport mode access'

2) You need to enter 'switchport port-security'

3) Then you can enter the other commands.

What is interesting is that with the switchport port-security maximum 2 set the system works with both my devices instead of setting it to maximum 3. So apparently the switch is smart enough not to look at the CDP packet on the phone's initial bootup and count it. Last i heard from Cisco it was the 3550s that still did that where you had to set it to 3.

sounds like my problem was not having the global maximum in there. I guess as long as it works :)

Edison,

Thanks,

I got it working on 3560s, but when I try the same commands on a 6500-E running 12.2(33)SXI, it does not like the commands at all.

Reza

By default, 6500 ports are L3 switchports and you must change it to L2 by typing 'switchport'.

Without seeing the config, it's hard to understand where the command failed.

Please take a moment and read the documentation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html

Please remember to rate helpful posts