Help with Port Security

Unanswered Question
Jul 4th, 2012

Dear All,


Please help with the proper configuration that I should use to configure port security on a Cisco 2960 switch with the below setup.



[Image: untitled.JPG]

I saw two types of setup and I don't know which one is correct or even better.


1-

interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address x.x.x.x vlan voice    >> x.x.x.x is the IP phone MAC
 switchport port-security mac-address y.y.y.y               >> y.y.y.y is the PC MAC
 spanning-tree portfast

2-

interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address x.x.x.x vlan voice    >> x.x.x.x is the IP phone MAC
 switchport port-security mac-address x.x.x.x               >> x.x.x.x is the IP phone MAC
 switchport port-security mac-address y.y.y.y               >> y.y.y.y is the PC MAC
 spanning-tree portfast


My other question, besides which implementation is better, is: are these commands important to apply?

 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice


Thanks


Ali

Giuseppe Larosa Wed, 07/04/2012 - 01:38

Hello Ali.

The second configuration template is more correct because during the IP phone boot phase it will first be in the access data VLAN and then later it will reboot and it will be in the voice VLAN.

So you need to take this into account in the port security configuration, providing space for two MAC addresses on the data access VLAN.


With the first configuration you may face issues in case the phone is rebooted with a PC connected to the PC port.


Hope to help

Giuseppe
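
The boot sequence described in the reply above can be replayed against both templates with a small model. This is an added example, not code from the thread or from Cisco; the `SecurePort` class, the constructed frame trace and the admission logic are a simplified assumption of how `restrict` mode counts secure addresses per VLAN.

```python
from collections import Counter

class SecurePort:
    """Simplified model of a port-security port in 'restrict' mode (assumption, not IOS code)."""

    def __init__(self, max_total, max_per_vlan, static):
        self.max_total = max_total            # switchport port-security maximum N
        self.max_per_vlan = max_per_vlan      # ... maximum N vlan access / vlan voice
        self.secure = set(static)             # statically configured (mac, vlan) pairs
        self.violations = []

    def frame(self, mac, vlan):
        """Return True if the frame is forwarded, False if dropped as a violation."""
        if (mac, vlan) in self.secure:
            return True
        per_vlan = Counter(v for _, v in self.secure)
        if len(self.secure) < self.max_total and per_vlan[vlan] < self.max_per_vlan[vlan]:
            self.secure.add((mac, vlan))      # room left: learn the address dynamically
            return True
        self.violations.append((mac, vlan))   # restrict: drop the frame and count it
        return False

PHONE, PC = "x.x.x.x", "y.y.y.y"              # placeholders used in the thread

# Constructed trace: PC is up, phone boots on the access VLAN, then moves to voice.
BOOT_TRACE = [(PC, "access"), (PHONE, "access"), (PHONE, "voice"), (PC, "access")]

def replay(port, trace=BOOT_TRACE):
    """Feed the trace to the port and return the list of violating (mac, vlan) pairs."""
    for mac, vlan in trace:
        port.frame(mac, vlan)
    return port.violations

def config_1():
    # maximum 2, 1 per VLAN; phone static on voice, PC static on access
    return SecurePort(2, {"access": 1, "voice": 1},
                      [(PHONE, "voice"), (PC, "access")])

def config_2():
    # maximum 3, 2 on access, 1 on voice; phone static on both VLANs
    return SecurePort(3, {"access": 2, "voice": 1},
                      [(PHONE, "voice"), (PHONE, "access"), (PC, "access")])

if __name__ == "__main__":
    print("config 1 violations:", replay(config_1()))
    print("config 2 violations:", replay(config_2()))
```

In this model the first template drops the phone's frames on the access VLAN during boot, while the second admits every frame in the trace.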

Sandeep Choudhary Wed, 07/04/2012 - 01:47

Hi Ali,

Mr Larosa is absolutely right.

The IP Phone can use 2 MAC addresses, so you need to set the appropriate number of maximum MAC addresses. Try to set it to 3.

According to this document:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22ea/SCG/swvoip.html#wp1030836


When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The address of the IP phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.



Regards

Please rate if it helps.
