Help with Port Security

ali16122012
Level 1

Dear All,

Please help with the proper configuration that I should use to configure port security on a Cisco 2960 switch with the setup below.

[Image: untitled.JPG]

I saw two types of setup and I don't know which one is correct or even better.

1-

interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 ! x.x.x.x is the IP phone MAC
 switchport port-security mac-address x.x.x.x vlan voice
 ! y.y.y.y is the PC MAC
 switchport port-security mac-address y.y.y.y
 spanning-tree portfast

2-

interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 ! x.x.x.x is the IP phone MAC
 switchport port-security mac-address x.x.x.x vlan voice
 ! x.x.x.x is the IP phone MAC
 switchport port-security mac-address x.x.x.x
 ! y.y.y.y is the PC MAC
 switchport port-security mac-address y.y.y.y
 spanning-tree portfast

My other question, besides which implementation is better, is: are these commands important to apply?

 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice

Thanks

Ali

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Ali,

The second configuration template is more correct because during the IP phone boot phase it will first be in the access data VLAN, and then later it will reboot and be in the voice VLAN.

So you need to take this into account in the port security configuration, providing space for two MAC addresses on the data access VLAN.

With the first configuration you may face issues in case the phone is rebooted with a PC connected to the PC port.

Hope to help

Giuseppe

Sandeep Choudhary
VIP Alumni

Hi Ali,

Mr Larosa is absolutely right.

The IP phone can use 2 MAC addresses, so you need to set the appropriate number of maximum MAC addresses. Try to set it to 3.

According to this document:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22ea/SCG/swvoip.html#wp1030836

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The address of the IP phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.

Regards

Please rate if it helps.
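The sizing advice from the two replies, applied to both stanzas in the question as a small lint. This is an added example, not part of the original thread and not a Cisco tool; the `audit` function, its finding codes, and the treatment of a `mac-address` line without a `vlan` keyword as an access-VLAN entry are assumptions of this example.

```python
import re

# The two stanzas from the question; x.x.x.x / y.y.y.y are the poster's MAC placeholders.
COMMON = """interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security
 switchport port-security mac-address x.x.x.x vlan voice
 switchport port-security mac-address y.y.y.y
"""
CONFIG_1 = COMMON + """ switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
"""
CONFIG_2 = COMMON + """ switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address x.x.x.x
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?")
MAC_RE = re.compile(r"switchport port-security mac-address (?!sticky)\S+(?: vlan (access|voice))?")

def audit(stanza):
    """Return a list of finding codes for one interface stanza ([] = none)."""
    limit = {"port": 1}                     # port-security default maximum is 1
    static = {"access": 0, "voice": 0}      # statically configured secure MACs
    lines = [ln.strip() for ln in stanza.splitlines()]
    for line in lines:
        if m := MAX_RE.fullmatch(line):
            limit[m.group(2) or "port"] = int(m.group(1))
        elif m := MAC_RE.fullmatch(line):
            # Assumption: no "vlan" keyword means the access VLAN.
            static[m.group(1) or "access"] += 1
    findings = []
    if any(ln.startswith("switchport voice vlan") for ln in lines):
        if limit["port"] < 3:               # phone (up to 2 MACs) plus the PC
            findings.append("PORT_MAX_LT_3")
        if limit.get("access", limit["port"]) < 2:  # phone boots in the access VLAN
            findings.append("ACCESS_MAX_LT_2")
    for vlan, count in static.items():
        if vlan in limit and count > limit[vlan]:
            findings.append(f"STATIC_OVER_MAX_{vlan.upper()}")
    if sum(static.values()) > limit["port"]:
        findings.append("STATIC_OVER_PORT_MAX")
    return findings
```

`audit(CONFIG_1)` flags both the port-wide and the access-VLAN limit, while `audit(CONFIG_2)` returns no findings.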
