Port security on 6500 sticky not working on voice vlan.

Answered Question
Mar 16th, 2011

I have port security configured on several 6500 ports. IOS version 12.2(33)SXH5. I configured for sticky addresses, but only the PC on the data vlan shows as sticky. The MAC of the phone shows as dynamic.

When I configure a 3750 switch the same way with a PC and phone, both MAC addresses show up as sticky.

Below is the pertinent config and output of a couple of show commands (I deleted the QOS commands for simplicity). Any idea why the phone MAC doesn't get sticky?

interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001c.c430.b183

spanning-tree portfast
end

Eng-6503E#sh port-security int g3/29
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 001b.4f2d.5920
Last Source Address VlanId : 920
Security Violation Count   : 0

Eng-6503E#

Eng-6503E#sh port-security int g3/29 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)   
----    -----------       ----                -----   -------------
920    001b.4f2d.5920    SecureDynamic       Gi3/29       -
2005    001c.c430.b183    SecureSticky        Gi3/29       -
-------------------------------------------------------------------
Total Addresses: 2

Cadet Alain Wed, 03/16/2011 - 12:03

Hi,

If you issued switchport port-security first, then it learned the telephone mac first as dynamic and then the second one as sticky.

I would disable port-security with no switchport port-security, enter all the commands except switchport port-security and then apply this command.

Regards.

Alain.

jkeeffe Wed, 03/16/2011 - 13:00

I tried your suggestion but unfortunately it did not work as expected. Here are the steps as you outlined:

**start with no port security on interface

sh int g3/29

interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
spanning-tree portfast
end

**adding port security commands except 'switchport port-security'


Eng-6503E(config)#int g3/29                      
Eng-6503E(config-if)#switchport port-security maximum 2     
Eng-6503E(config-if)#switchport port-security mac-address sticky
Eng-6503E(config-if)#^Z
Eng-6503E#
Eng-6503E#sh run int g3/29
Building configuration...

Current configuration : 905 bytes
!
interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
end

**adding 'switchport port-security' to interface:

Eng-6503E(config)#int g3/29                                 
Eng-6503E(config-if)#switchport port-security                  
Eng-6503E(config-if)#exit
Eng-6503E(config)#exit
Eng-6503E#

interface GigabitEthernet3/29
description CDE PC
switchport
switchport access vlan 2005
switchport mode access
switchport voice vlan 920
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
end

Eng-6503E#sh port-security int g3/29 address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)   
----    -----------       ----                -----   -------------
920    001b.4f2d.5920    SecureDynamic       Gi3/29       -
2005    001c.c430.b183    SecureSticky        Gi3/29       -
-------------------------------------------------------------------
Total Addresses: 2

Eng-6503E#

Any other ideas?

Correct Answer
Peter Paluch Wed, 03/16/2011 - 13:12

Hello,

According to the Configuration Guide for the SXH release at

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html#wp1057168

Secure MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses.

In different IOS versions, this functionality may be available (as you have noticed on your 3560/3750 switch). I remember seeing lots of changes in the port security features in the last two years regarding their functionality with voice VLANs.

I am afraid there is no usable workaround available for this limitation. You could try to raise a TAC ticket for feature enhancement to possibly speed up the adoption of the feature into the 6500 series, but that won't be immediate, of course.

Best regards,

Peter
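As an added check (not from the thread or from Cisco), a small script that parses the "sh port-security ... address" output quoted above and flags voice-VLAN entries that stayed SecureDynamic, which is the exact condition the SXH guide describes. The config fragment and table text are constructed from the output in this post.

```python
import re

# Constructed sample modeled on the post: interface config plus the
# secure MAC table as printed by "show port-security interface ... address".
INTERFACE_CONFIG = """\
interface GigabitEthernet3/29
 switchport access vlan 2005
 switchport mode access
 switchport voice vlan 920
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
"""

SECURE_TABLE = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
920    001b.4f2d.5920    SecureDynamic       Gi3/29       -
2005    001c.c430.b183    SecureSticky        Gi3/29       -
-------------------------------------------------------------------
Total Addresses: 2
"""

# One data row: VLAN id, dotted-hex MAC, Secure* type, port. Header and
# separator lines do not start with a number, so they are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)

def voice_vlan(config):
    """Return the voice VLAN id from an interface config, or None if unset."""
    m = re.search(r"^\s*switchport voice vlan (\d+)", config, re.M)
    return int(m.group(1)) if m else None

def parse_secure_table(text):
    """Turn the show output into a list of dicts (vlan, mac, type, port)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": m.group(2).lower(),
                         "type": m.group(3), "port": m.group(4)})
    return rows

def unpersisted_voice_macs(config, table):
    """MACs learned in the voice VLAN that stayed SecureDynamic. Unlike sticky
    entries they are not written to the running-config, so they vanish on reload."""
    vv = voice_vlan(config)
    return [r["mac"] for r in parse_secure_table(table)
            if r["vlan"] == vv and r["type"] == "SecureDynamic"]
```

Running it over the output in the thread returns the phone MAC only; an empty list would mean every voice-VLAN address had been converted to sticky.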
