Mac based security on 3560E

love4u.pratik
Level 1

Hello,

I have 3560Es as all my edge switches. All the ports have IP phones connected, and PCs are connected to the IP phones. I was looking to implement port-based security.

First of all, is it a good practice to use MAC-based security in such an environment? Second, are there any other options to make ports more secure? Right now the ports are dynamic; when I changed them to static with "switchport mode access" and gave commands like "switchport port-security" and "switchport port-security maximum 2", the port was shut down and there was no LED on it.

Please suggest.

Regards,

Pratik Mavani


Hi Pratik,

I know next to nothing about IP telephony, but from what I read I wanted to ask if you have configured the switchport security to use sticky addresses, i.e. 'switchport port-security mac-address sticky'.

This, in conjunction with your maximum of 2, will learn the first two MAC addresses the switch sees on the port in question. Otherwise you have to hard-code the MAC address.

Just a thought. Also saw this doc which may be of interest to you.

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_example09186a0080722cdb.shtml#topic1

Cheers,

Conor

Hi Pratik,

I think Conor has got it nailed. When the "switchport port-security mac-address sticky" command is used, then all MAC addresses dynamically learned on that port are added to the running configuration. As a result, if two old MAC addresses have been learned and you have configured the port for a maximum of two addresses, then the port will error disable.

You can view the status of the port using "show port-security interface" command. If old MAC addresses have been learned use the "clear port-security" command to clear old entries.

Regarding voice - I would usually configure a user port with the following characteristics.

  • Access port
  • Voice VLAN
  • Port Security - Max 3 MAC addresses, dynamically learned not sticky
  • Service Policy - for setting QoS on Voice traffic

Cheers

Stephen

That's the way we did it too, but we had to use sticky. It's a real pain, as the port security violations seem to come in waves. We have since rolled out 802.1x for phones and workstations. No more security violations (except when printers are moved).

Hi Collin,

I did the same configuration as described by Stephen, but when I do it sticky the port gets blocked.

When I read a Cisco guide, it says 802.1x can only be done on point-to-point ports, that is, direct workstations connecting to the switch, or for wireless. In my scenario I have IP phones connected to the switch and machines connected to the IP phones.

OK, I applied the configuration with 3 MACs and it is working...

switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Gi0/27              2            0                  1         Shutdown
     Gi0/28              3            2                  0         Shutdown
---------------------------------------------------------------------------

But I didn't understand one thing: why do I need to keep a maximum of 3 addresses? It shows a secure address count of 2; it learns 2 addresses, one of the PC and one of the IP phone I suppose, but when I configure a maximum of 2 addresses, it shuts down that port. If I keep the maximum MAC addresses at 3, which is the 3rd MAC address? Is it the port's MAC address???

Thank you all.

Stephen, if I do the following kind of configuration:

  • Access port
  • Access VLAN
  • Voice VLAN
  • Port Security - Max 3 MAC addresses, dynamically learned not sticky
  • Service Policy - for setting QoS on Voice traffic

and if I do it dynamically learned, not sticky, in that case when I connect my phone and computer to a single port, the switch learns the first two addresses dynamically. Now when I remove the PC or phone and any other user connects, he also will get connectivity seamlessly, right? I want to avoid users moving their laptops from one point to another without IT's intervention.

Hi Pratik,

If you want to tie the ports down to only the laptop and phone then I would recommend the following.

  • Configure port security for sticky MAC addresses - #switchport port-security mac-address sticky
  • Set a maximum of two allowed MAC addresses - #switchport port-security maximum 2
  • Clear any current port security MAC address entries - #clear port-security interface x/x
  • Connect the IP Phone to the switch port and the laptop to the IP Phone

This should ensure that the first two MAC addresses learnt on the port are the IP phone and the laptop. In addition, it will ensure that nothing else at all can be connected to the switch without IT intervention.

Finally, the access ports configured with a data VLAN and a voice VLAN will still be treated as P2P ports. As a result, you can run 802.1X on them. This is slightly more complicated and requires an external authentication server. However, it offers a more robust solution.

Cheers

Stephen

Hi Stephen,

I actually tried to configure port security on a fresh port, but I still need to keep the maximum at 3 MAC addresses. First I tried with 2 MAC addresses, but as soon as I connect the port it goes into errdisable state. When I keep the maximum at 3 it works fine.

Thanks and Regards,

Pratik Mavani

Hello,

What code version are you running on the switch? In some of the older code versions, the switch will learn the IP Phone MAC address both in the data VLAN as well as the voice VLAN. When the IP Phone boots up, it will not know anything about the Voice VLAN. Hence, it just comes up as a regular host and sends untagged packets towards the switch. The switch will receive it in the native VLAN and then handle it accordingly. The IP Phone will get an IP in the data VLAN range first and then contact the TFTP server for the IP Phone configuration. Once it downloads the configuration and realizes the voice VLAN, it disassociates itself from the data VLAN and sends a new DHCP request (tagged) on the voice VLAN. In the latest code (fixed) the switch will remove the IP Phone MAC address association from the Data VLAN. However, in the older code, the switch will not delete the MAC address from the Data VLAN. That is the reason you will see 3 MAC addresses (2 for the IP Phone and one for the PC). So, it is OK to set the limit to 3 as long as the duplicate MAC is of the IP Phone alone.

Hope this helps.

Regards,

NT
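To make the checks from Stephen's and NT's posts mechanical, here is a small Python audit script added for this thread (it is not code from Cisco or from anyone in the discussion). It parses two pieces of constructed sample output: a "show port-security" summary in the layout Pratik pasted, and a secure-address table in the layout I recall from "show port-security interface <if> address" (treat the column layout as an assumption, and adjust the regexes if your IOS prints it differently). It then applies NT's rule: exactly one MAC seen in two VLANs alongside one other MAC is the duplicated phone entry, so a maximum of 3 is acceptable; any other pattern is flagged for a closer look.

```python
"""Audit Cisco IOS port-security state on phone + PC access ports.

Added example for this thread, not code from Cisco or from any poster.
Both sample outputs below are constructed; the column layout of the
secure-address table is an assumption about the IOS format.
"""
import re
from collections import defaultdict

# Constructed sample: the 'show port-security' summary table, in the
# shape Pratik pasted earlier in the thread.
SUMMARY_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Gi0/27              2            0                  1         Shutdown
     Gi0/28              3            2                  0         Shutdown
---------------------------------------------------------------------------
"""

# Constructed sample: secure address table for a port where the older
# code kept the phone's MAC in the data VLAN (10) after the phone moved
# to the voice VLAN (20).  The MAC addresses are made up.
ADDRESS_OUTPUT = """\
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureDynamic                 Gi0/28         -
  20    0011.2233.4455    SecureDynamic                 Gi0/28         -
  10    00aa.bbcc.ddee    SecureDynamic                 Gi0/28         -
"""

SUMMARY_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
ADDRESS_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def parse_summary(text):
    """Return {port: {max, current, violations, action}} from the summary."""
    ports = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            ports[port] = {"max": int(maximum), "current": int(current),
                           "violations": int(violations), "action": action}
    return ports


def parse_addresses(text):
    """Return [(vlan, mac, type, port), ...] from the secure address table."""
    rows = []
    for line in text.splitlines():
        m = ADDRESS_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind, port))
    return rows


def explain_port(rows):
    """Classify one port's secure entries.

    Returns (verdict, distinct_macs, duplicated_macs, entry_count).
    'duplicate-phone-mac' is NT's benign case: one MAC present in two
    VLANs plus one other MAC, three entries in total, so max 3 is fine.
    """
    vlans_by_mac = defaultdict(set)
    for vlan, mac, _kind, _port in rows:
        vlans_by_mac[mac].add(vlan)
    duplicated = sorted(m for m, v in vlans_by_mac.items() if len(v) > 1)
    distinct, entries = len(vlans_by_mac), len(rows)
    if distinct == 2 and len(duplicated) == 1 and entries == 3:
        verdict = "duplicate-phone-mac"
    elif distinct <= 2 and not duplicated:
        verdict = "clean"
    else:
        verdict = "investigate"   # a third device, or several duplicated MACs
    return verdict, distinct, duplicated, entries


def recommended_maximum(rows):
    """Port security counts VLAN/MAC entries, so the maximum must cover them all."""
    return len(rows)


def audit(summary_text, address_outputs):
    """Combine both outputs; address_outputs maps port -> address table text."""
    findings = {}
    for port, info in parse_summary(summary_text).items():
        notes = []
        if info["violations"]:
            notes.append("violation recorded on this port")
        rows = parse_addresses(address_outputs.get(port, ""))
        if rows:
            verdict, distinct, _dup, entries = explain_port(rows)
            notes.append(f"{entries} entries for {distinct} MACs: {verdict}")
            if recommended_maximum(rows) > info["max"]:
                notes.append(f"maximum {info['max']} too low; needs {entries}")
        findings[port] = notes
    return findings


if __name__ == "__main__":
    for port, notes in audit(SUMMARY_OUTPUT, {"Gi0/28": ADDRESS_OUTPUT}).items():
        print(port, "->", "; ".join(notes) or "ok")
```

Run it against your own captures by replacing the two sample strings; the "investigate" verdict is the one to act on, because three distinct MACs on a phone port means something other than the phone and its PC is talking through it.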

Thank you so much NT, that was really really helpful. Actually yes, it is showing 2 identical MAC addresses, one in the voice VLAN and one in the data VLAN, and one MAC address of my PC in the data VLAN.

I am running 12.2(35)SE5 on a Cisco 3560E and the IOS is universal-M, so as per your statement I think this could be the reason.

Hi Pratik,

If you run the following command it will show you the actual MAC addresses learned on the port - this might tell you what's going on.

#show port-security interface gi 0/27 address

Cheers

Stephen
