×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Port Security

Unanswered Question
Sep 23rd, 2009
User Badges:

Hi, we have switch port security configured in our network.we have problem which seems to be related to IP phones. the IP phones seems to change the middle part of the MAC and the switch port shutdown as it takes that as a violation.we had two incidents of this nature. only the Middle part of the MAC seem to change and then goes back to normal again.


Can someone assist as to what causes this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Peter Paluch Wed, 09/23/2009 - 03:47
User Badges:
  • Cisco Employee,

Hello,


A phone should not change its MAC address, that would be a strange thing to do. Can you post an example of the two MAC addresses with their different "middle parts"? Is it certain that the phones are responsible for this problems? Isn't it a routine MAC-spoofing attack?


Best regards,

Peter


emmanuel.shoroma Thu, 09/24/2009 - 21:59
User Badges:


Hi,


Thanks for the reply. I also agree it is a strange thing but this happens for the second time and everytime wee trace the mac addresses, are mac addresses are Cisco MAC addresses and with a slight change/difference. see mac-addresses below


1. 001e.4a34.db0F - The correct MAC Address(IP Phone)

2. 001e.be91.db0F - The cause of the problem / spoofed MAC address


dario.didio Thu, 09/24/2009 - 23:48
User Badges:
  • Silver, 250 points or more

Hi,


when using port-security in combination with an IP phone and a PC behind the phone, you should allow 3 MAC addresses in your port-security config.


One for the PC, one for the Phone and one for the internal switch of the phone.


HTH,

Dario

davy.timmermans Fri, 09/25/2009 - 01:09
User Badges:
  • Silver, 250 points or more

This extra configuration should be sufficient:


switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice


It's because the phone sends at startup an untagged packet to the switch in order to discover the voice vlan.



emmanuel.shoroma Fri, 09/25/2009 - 08:48
User Badges:


thanks for the reply. From what I understand I need to configure three MAC addresses in total. Then how do I then get this phone's internal mac-address? there is only one mac-address of the phone.


the other thing we implemented switchport security for almost 2years now and we had only two issues of this kind. all the other ports are configured with maximum of two and configured the mac-address of the phones and the PC.

Actions

This Discussion