10-24-2007 07:44 AM - edited 03-15-2019 07:00 AM
My understanding is that when setting port security on POE ports that have Cisco phones and workstations plugged thru phone, is that you should allow three mac addresses.
one for workstation in workstation vlan
one for phone in workstation vlan
one for phone in voice vlan
When I set the security to three, I see two macs used and no more on those ports.
I have several phones only on some ports and set the mac to one on those and the phones work fine.
How should the security be set to for mac addresses on these workstation/phone ports?
Port config:
interface FastEthernet3/3
description
switchport
switchport access vlan 10
switchport mode access
switchport voice vlan 50
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0011.1234.1234
no ip address
wrr-queue cos-map 1 1 1
wrr-queue cos-map 1 2 0
wrr-queue cos-map 2 1 2 3 4 6 7
wrr-queue cos-map 2 2 5
mls qos trust cos
spanning-tree portfast
Shown is port security:
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
* 10 0011.1234.1234 static Yes - Fa3/3
* 50 0013.3456.3456 static Yes - Fa3/3
6509#sh port-sec int f3/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 5 mins
Aging Type : Inactivity
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 0011.1234.1234
Last Source Address VlanId : 10
Security Violation Count : 0
10-24-2007 08:38 AM
Hey Wilson,
Check out this document:
The connection between the switch and the phone is not a trunk. One VLAN is tagged but the other does not need to be tagged since there are never going to be more than two (VLANs). As such there will be only two mac addresses learned by the switch, one for the IP phone and the other is the PC's mac address. Look at the macro config at the bottom of the URL stated above.
hth,
Ajaz
pls rate the post if it helped.
10-24-2007 10:00 AM
Thanks for the reply.
So, where did the idea of three mac addresses come from?
10-25-2007 01:15 AM
I'm not sure where '3' came from. I certainly have not read about that anywhere, and having just sanity checked this question with a few of my colleagues - the consensus is that switchports with IP phones attached will learn about two mac addresses when a PC is attached to the IP phone's PC port. The mac addr for the IP phone will represent one of those addresses. And, of course as you know the other mac addr will match the PC nic.
However, if the goal is to ensure IP phones do not share their switchport, then only a single mac address will be learned when you apply:
switchport port-security maximum 1
No doubt you are aware of this command but it's just for the benefit of others.
hth,
Ajaz
10-25-2007 01:26 AM
Ah! Wilson,
Here is one reference that I found for three mac addresses but it's a workaround to a field notice.
http://www.cisco.com/en/US/products/hw/phones/ps379/products_field_notice09186a008031575e.shtml
hth,
Ajaz :-)
pls rate this post if it helped.
10-25-2007 09:49 AM
Thank you for the reply.
I tried the qty 2 for the phone/workstation and it worked fine as far as allowing the devices to connect, as long as these were the devices that have been on the port all along.
I read somewhere that makes sense that if the DHCP address is gotten from the data VLAN (the second mac) and then the phone is brought up in the voice VLAN (the third mac), it could use three. Our voice DHCP is in the voice VLAN
However, there are some things I do not understand about port security that are happening that maybe you can help me with.
I encountered the following on two different ports.
I configured a phone port as shown below, unplugged the existing phone and plugged in another and it came up just fine.
after that, I put the original phone mac address in rather than the "max 1" command and the port kept shutting down due to violation after plugging the original phone back in.
I had another problem where a workstation was trying to plug into a phone with one mac allowed. This port shut down as expected, but when I changed the config to allow two addresses, it kept shutting down when both devices were on the port. I was able to remove the phone and the user was able to connect, but the phone kept shutting down the port.
It seems the phones are doing weird things with the security.
My questions are:
Does the config shown allow "ANY" single mac address on the port?
Shouldn't the sticky add the mac from dynamic to static on the port and should have been grabbed by the first phone?
What are the aging parts doing, is this port "holding" the mac for 5 minutes?
Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?
It seems that with "sticky" configured, the original phone would have entered the mac as a static address and not let me boot the second phone at all, but that was not the case.
I was able to put the first phone on the port and boot, then put the second phone on the port, remove it and put the first one back.
switchport port-security
switchport port-security aging time 5
switchport port-security violation shutdown
switchport port-security aging type inactivity
switchport port-security mac-address sticky
10-26-2007 06:48 AM
My questions are:
Does the config shown allow "ANY" single mac address on the port?
Shouldn't the sticky add the mac from dynamic to static on the port and should have been grabbed by the first phone?
Port Security with Sticky MAC Addresses
Release 12.2(18)SXE and later releases support port security with sticky MAC addresses. Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
If you enter a write memory or copy running-config startup-config command, then port security with sticky MAC addresses saves dynamically learned MAC addresses in the startup-config file and the port does not have to learn addresses from ingress traffic after bootup or a restart.
What are the aging parts doing, is this port "holding" the mac for 5 minutes?
Please take two minutes to read the section with the heading 'Configuring Secure MAC Address Aging on a Port'
When the aging type is configured with the absolute keyword, all the dynamically learned secure addresses age out when the aging time expires. When the aging type is configured with the inactivity keyword, the aging time defines the period of inactivity after which all the dynamically learned secure addresses age out.
When enabling port security with sticky MAC addresses, note the following information:
- When you enter the switchport port-security mac-address sticky command:
- dynamically learned secure MAC addresses on the port are converted to sticky secure MAC addresses.
- secure MAC addresses are not converted to sticky MAC addresses.
- MAC addresses dynamically learned in a voice VLAN are not converted to sticky MAC addresses.
- dynamically learned secure MAC addresses are sticky.
Would the port keep shutting down after entering the mac because the second phone mac-address I tried was in the port?
It seems that with "sticky" configured, the original phone would have entered the mac as a static address and not let me boot the second phone at all, but that was not the case.
I was able to put the first phone on the port and boot, then put the second phone on the port, remove it and put the first one back.
switchport port-security
switchport port-security aging time 5
switchport port-security violation shutdown
switchport port-security aging type inactivity
switchport port-security mac-address sticky
-------------------------------------------------------------
I must admit - it took me a few times to get my head round it but the intricacies around port security provided in the URL above are correct.
hth,
Ajaz
10-29-2007 09:11 AM
Ok, and forgive me if this is obvious in the material you have provided, but.
It seems that I cannot get away from using a dynamic address when using a phone and workstation on the same port.
If I use static mac addresses, I can configure the phone and workstation macs statically, but must allow three entries (I have tried this and this is true); this allows one dynamic mac on the port:
interface FastEthernet4/41
switchport
switchport access vlan 10
switchport mode access
switchport voice vlan 50
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security mac-address 0013.1234.1234
switchport port-security mac-address 0018.2345.2345
no ip address
wrr-queue cos-map 1 1 1
wrr-queue cos-map 1 2 0
wrr-queue cos-map 2 1 2 3 4 6 7
wrr-queue cos-map 2 2 5
mls qos trust cos
spanning-tree portfast
end
2#sh port-sec int f4/41
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 5 mins
Aging Type : Inactivity
Maximum MAC Addresses : 3
Total MAC Addresses : 3
Configured MAC Addresses : 2
Sticky MAC Addresses : 0
Last Source Address : 0013.1234.1234
Last Source Address VlanId : 50
Security Violation Count : 0
2#sh mac-address int f4/41
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
* 10 0018.2345.2345 static Yes - Fa4/41
* 50 0013.1234.1234 static Yes - Fa4/41
* 10 0013.1234.1234 static Yes - Fa4/41
If I configure the port for sticky and a quantity of 2 max addresses, it does not enter the phone mac address as a secure address, which still leaves a dynamic allowed address.
How would I configure the port to allow a workstation and phone while preventing someone from unplugging this workstation and phone and plugging their laptop
10-30-2007 05:37 AM
PART REPLY #1. This is a two part reply because of restrictions in the number of characters in the text.
Ok Richard - I've done a bit more looking into this as well as some testing.
First things first:
"How would I configure the port to allow a workstation and phone while preventing someone from unplugging this workstation and phone and plugging their laptop"
------------------------------------------
mac access-list extended IPphone_&_PC
permit host 0014.f2f8.f50e any
permit host 001c.2300.7e76 any
Switch(config)# interface fastethernet 0/1
Switch(config-if)# mac access-group IPphone_&_PC in
------------------------------------------
So it's good to know that there is a way we can totally dictate what is and what isn't allowed.
Now let's return to our favorite friend 'switchport port-security'
Switch#show run in fastEthernet 0/10
interface FastEthernet0/10
switchport mode access
switchport voice vlan 222
switchport port-security maximum 3
switchport port-security
switchport port-security violation protect
switchport port-security mac-address 0014.f28f.f50e
switchport port-security mac-address 001c.2300.7e76
spanning-tree portfast
switch#
Switch#show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0014.f28f.f50e SecureConfigured Fa0/10 -
1 001c.2300.7e76 SecureConfigured Fa0/10 -
222 0014.f28f.f50e SecureDynamic Fa0/10 -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 3
------------------------------------------------------------------------
10-30-2007 05:38 AM
PART REPLY #2
As you have probably gathered through your own testing that the IP phone mac-address is learned on two VLAN's. They are of course the voice and access vlans. I have hardcoded two mac-addresses into the switchport configured as follows:
interface FastEthernet0/10
switchport mode access
switchport voice vlan 222
switchport port-security maximum 2
switchport port-security
switchport port-security violation protect
switchport port-security mac-address 0014.f28f.f50e
switchport port-security mac-address 001c.2300.7e76
spanning-tree portfast
-------------------------
With this config the switch allows only two mac-address and this should be expected:
Switch#show mac address interface fastEthernet 0/10
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0014.f28f.f50e STATIC Fa0/10
1 001c.2300.7e76 STATIC Fa0/10
Total Mac Addresses for this criterion: 2
-------------------------------------------
The problem with this is that although the phone has established CDP neighborship with the switch at this point (see below), the phone then attempts to begin using the voice vlan. This is considered by the switch as a new mac-address even though it has already registered with its mac-address on the access VLAN.
Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
SEP0014F28FF50E Fas 0/10 179 H P IP Phone Port 1
Switch#
---------------------------------------------
The way it is possible to enter 'switchport port-security 2' is to enter the interface configuration prompt and issue 'no switchport port-security'. Follow this by hard coding the two mac-addresses that you want. Then re-apply 'switchport port-security' followed by switchport port-security max 2. This will prevent the phone from communicating on the voice vlan completely. You don't even have to restart the phone to see this result. So after this enter the interface configuration and type 'switchport port-security max 3'. As soon as you hit enter the phone will re-register.
In conclusion then I think it's fairly safe to say that both mac acls and switchport security provide fairly robust mechanisms to ensure that any unwanted attempt to access network resources can be thwarted. But there is a drawback with switchport port-security in the scenario where switchports are configured for IP phone connectivity. And in more specific terms that is by having to allow '3' addresses just to get the IP Phone up and running, you leave your network open to access by an undefined '3rd' host on that particular configured switch port.
IMO switchport security would work well in a situation where there was no voice or auxiliary vlan. But clearly we can see there are some shortcomings with this approach. However, if the network environment that you manage needs to be secured in order to avert such risks then mac acls will have to be considered. Additional or excess config, increased administration overhead will be the result - but is that worth the security tradeoff?
I will be emailing Cisco vulnerability folks (psirt) with my findings
hth,
Ajaz
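The gap described in the reply above (a maximum of 3 with only 2 pinned addresses leaves one slot a third, unlisted host can take) can be audited across many ports from the 'show port-security interface' output. The script below is an added example, not code from this thread; the sample output is constructed to match the format quoted earlier in the thread, and the interface names and values in it are made up.

```python
import re

# Constructed sample of concatenated "show port-security interface" output.
# The layout follows the format quoted in the thread; the values are made up.
SAMPLE = """\
Switch#sh port-sec int f4/41
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 5 mins
Aging Type                 : Inactivity
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address        : 0013.1234.1234
Last Source Address VlanId : 50
Security Violation Count   : 0
Switch#sh port-sec int f4/42
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Security Violation Count   : 0
"""

# Matches the command-prompt line that starts each port's block, e.g. "2#sh port-sec int f4/41".
PROMPT_RE = re.compile(r"^\S+#\s*sh(?:ow)?\s+port-sec(?:urity)?\s+int(?:erface)?\s+(\S+)")

def parse_port_security(text):
    """Split concatenated 'show port-security interface' output into one dict per port."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        ports[current][key.strip()] = value.strip()
    return ports

def open_slots(entry):
    """Secure-address slots not pinned by a configured or sticky entry, i.e. free for any host."""
    maximum = int(entry.get("Maximum MAC Addresses", 0))
    pinned = int(entry.get("Configured MAC Addresses", 0)) + int(entry.get("Sticky MAC Addresses", 0))
    return max(maximum - pinned, 0)

def audit(text):
    """Return {port: open_slots} for every port where an unlisted host could still be learned."""
    return {p: open_slots(e) for p, e in parse_port_security(text).items() if open_slots(e) > 0}
```

Feeding the real output of the command for a range of ports flags exactly the phone/PC ports that still carry a free dynamic slot.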
10-30-2007 06:32 AM
Wow,
Thanks for the great information.
I thought it was just me thinking the security was not what was needed to REALLY prevent someone from removing the existing phone/pc and getting on the network.
I looked at the mac access-list as well.
The having to allow the dynamic mac for the phone is the killer.
Something else to try, I got this from Cisco TAC:
"I found in the 3560 config guide for
12.2(25)SEE that you can statically set the mac address for the data and
voice vlan. I also tried it in the lab to verify because I hadn't seen it
used before.
The interface commands are -
switchport port-security (mac-address) vlan access
switchport port-security (mac-address) vlan voice
So this should be all that you need. However, with this setup, you are
locking in that host on vlan 250, meaning the PC can't connect on any other
port, nor will any other PC be able to connect to this port."
10-30-2007 07:56 AM
Thanks a lot. I didn't know that.
It was a pleasure to help and thanks for the ratings. I have voted for your post too ; )
this is a great way to learn.
take care & all the best
Ajaz :-)
11-09-2007 01:58 PM
I used port-security on the ports I can nail down with a single mac-address.
On the workstation-phone ports, the access-list works great.
What I like about it is you can have all the workstations and phones in a single access-list, then apply that to a range of ports and those people can go anywhere in the range of ports with no problem; no one else has access.
What are your thoughts as this being the only security on those ports?
Port-security will shut down the port, but the access-list does not.
11-09-2007 10:41 PM
Hey Richard
Hope all is well.
What are your thoughts as this being the only security on those ports?
Port-security will shut down the port, but the access-list does not.
What d'ya say?
regards
Ajaz
11-10-2007 11:02 AM
Ajaz,
Many thanks for the information you provided in this post.
I learn a lot from this forum.
The administration is a pain in the security feature.
I work in a bank, so security is #1 with auditors.
I do like the access-list much better, but one thing:
It looks like you can not add/subtract a single line in the mac access-list, which would make it even better.
Am I wrong about that? Is it possible to add or remove a single mac from the access-list?