Cisco Support Community
New Member

no connection when no PoE

Is it possible to deny access to a port when power was NOT granted?

Used for: deny access to e.g. laptops (which don't need PoE) - they should not be connected to a port which is used for IP phones (which DO use PoE)

6 REPLIES
Bronze

Re: no connection when no PoE

What switch platform are you on? Some of these security features can vary platform to platform.

New Member

Re: no connection when no PoE

Catalyst 3560

Bronze

Re: no connection when no PoE

Eh, I'll just post it anyway. There's a new feature (introduced in 12.2(37)SE) for the 3[67]50 called switchport voice detect.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/command/reference/cli3.html#wp3163199

Toggle that on an interface and this is what happens:

Phone plugged in:

*Mar 1 00:17:25.874: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar 1 00:17:26.881: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

*Mar 1 00:17:30.530: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/1 in full duplex mode

PC plugged in directly:

*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

*Mar 1 00:11:41.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration

*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

*Mar 1 00:12:52.372: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

*Mar 1 00:12:53.379: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

It does take a bit (~1 min); note the timestamps on the log entries. This is the interface afterwards:

Switch#sh interfaces f0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)

It's not a bad feature, especially for unsecured areas. Suggestions:

*) I would like to see it clamp down on the wire a little quicker, perhaps a configurable timer?

*) The err-disable state requires you to take action on the switch. I'd rather the port come back up on its own after some period of time. The feature's prolly using the same calls as bpdu-guard but then again I'd also like to see that reset on its own.

*) Rolling the feature out to the other switching platforms would also be nice.
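
An added example, not part of the original post: a small Python parser that measures, from the syslog lines quoted in the post above, how long a non-phone device had link before the port was err-disabled. The function names and the interface-name normalization (FastEthernet0/1 and Fa0/1 treated as the same port) are assumptions made for this example.

```python
import re
from datetime import datetime

# Syslog lines copied from the post above (trailing link-down lines omitted).
PC_LOG = """\
*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:11:41.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration
*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
"""
PHONE_LOG = """\
*Mar 1 00:17:25.874: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:30.530: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/1 in full duplex mode
"""

LINE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+ [\d:]+\.\d+): %(?P<fac>[A-Z_]+)-\d-(?P<mn>[A-Z_]+): (?P<msg>.*)$")
IFACE = re.compile(r"\b(FastEthernet|GigabitEthernet|Fa|Gi)(\d+(?:/\d+)+)")
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}

def norm_iface(msg):
    """Map long and short interface names to one key (FastEthernet0/1 -> Fa0/1)."""
    m = IFACE.search(msg)
    return SHORT.get(m.group(1), m.group(1)) + m.group(2) if m else None

def parse_ts(ts):
    # These lines carry no year; strptime's default is fine for deltas within one day.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S.%f")

def exposure_windows(text):
    """Return [(iface, seconds)] from link-up to err-disable for each enforced violation."""
    link_up, windows = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        iface = norm_iface(m["msg"]) if m else None
        if iface is None:
            continue
        ts, tag = parse_ts(m["ts"]), f'{m["fac"]}-{m["mn"]}'
        if tag == "LINK-UPDOWN":
            if m["msg"].endswith("state to up"):
                link_up[iface] = ts          # start of a possible exposure window
            else:
                link_up.pop(iface, None)     # link dropped before any enforcement
        elif tag == "PM-ERR_DISABLE" and "security-violation" in m["msg"] and iface in link_up:
            windows.append((iface, (ts - link_up.pop(iface)).total_seconds()))
    return windows

if __name__ == "__main__":
    for iface, secs in exposure_windows(PC_LOG + PHONE_LOG):
        print(f"{iface}: non-phone device had link for {secs:.1f}s before err-disable")
```
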

New Member

Re: no connection when no PoE

Seems like a nice feature, but we're not using cisco ip phones.

Bronze

Re: no connection when no PoE

Then I think that you're down to locking the ports down via the MAC address of the phones you're using. There's nothing that I can think of that toggles port states based on PoE. I guess *maybe* you could write something with TCL and combine it with EEM. That's a big maybe tho.

New Member

Re: no connection when no PoE

ok - thanks for your help
