03-12-2008 07:11 AM - edited 03-05-2019 09:42 PM
Is it possible to deny access to a port when power was NOT granted?
Use case: denying access to e.g. laptops (which don't need PoE); they should not be connected to a port that is used for IP phones (which DO use PoE).
03-12-2008 09:02 AM
What switch platform are you on? Some of these security features can vary platform to platform.
03-12-2008 10:36 AM
catalyst 3560
03-12-2008 10:07 AM
Eh, I'll just post it anyway. There's a new feature (introduced in 12.2(37)SE) for the 3[67]50 called switchport voice detect.
Toggle that on an interface and this is what happens:
Phone plugged in:
*Mar 1 00:17:25.874: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:26.881: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:30.530: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/1 in full duplex mode
PC plugged in directly:
*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:11:41.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration
*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
*Mar 1 00:12:52.372: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar 1 00:12:53.379: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
It does take a bit (~1 min); note the timestamps on the log entries. This is the interface afterwards:
Switch#sh interfaces f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
It's not a bad feature, especially for unsecured areas. Suggestions:
*) I would like to see it clamp down on the wire a little quicker, perhaps a configurable timer?
*) The err-disable state requires you to take action on the switch. I'd rather the port come back up on its own after some period of time. The feature's probably using the same calls as bpdu-guard, but then again I'd also like to see that reset on its own.
*) Rolling the feature out to the other switching platforms would also be nice.
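The syslog lines quoted in this post are the detection signal a defender would actually ship to a collector, so here is an added example (not from the poster or from Cisco) that parses them, reconciles the long-form port name in the %CPDE-6-DETECT message with the short-form name in the %PM-4-ERR_DISABLE message, and reports per-port phone detections, violations and err-disable state. The sample input is constructed from the lines above; the facility/mnemonic pairs are taken from them, everything else is assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: the IOS syslog lines quoted in the post above.
SAMPLE_LOG = """\
*Mar 1 00:17:25.874: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:17:30.530: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/1 in full duplex mode
*Mar 1 00:11:40.801: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:12:51.366: %CPDE-6-DETECT: Device detected on FastEthernet0/1 violating configuration
*Mar 1 00:12:51.366: %PM-4-ERR_DISABLE: security-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
"""

# IOS syslog shape: "*<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message"
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>\w+ +\d+ [\d:.]+): %(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$")

# The CPDE message names the port in long form, the PM message in short form (assumed mapping).
SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}

def canon_iface(name):
    """Expand 'Fa0/1' to 'FastEthernet0/1' so both messages key the same port."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    return SHORT_NAMES.get(prefix, prefix) + rest

def parse_line(line):
    """Return (facility, mnemonic, message) or None for non-syslog lines."""
    m = SYSLOG_RE.match(line.strip())
    return (m["fac"], m["mnem"], m["msg"]) if m else None

def summarize(log_text):
    """Per port: phone models seen, violations counted, and whether it was err-disabled."""
    ports = defaultdict(lambda: {"phones": [], "violations": 0, "err_disabled": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        fac, mnem, msg = parsed
        if (fac, mnem) == ("CPDE", "DETECT"):
            if (m := re.search(r"Cisco IP Phone (\S+) detected on (\S+)", msg)):
                ports[canon_iface(m[2])]["phones"].append(m[1])
            elif (m := re.search(r"Device detected on (\S+) violating configuration", msg)):
                ports[canon_iface(m[1])]["violations"] += 1
        elif (fac, mnem) == ("PM", "ERR_DISABLE"):
            if (m := re.search(r"putting (\S+) in err-disable state", msg)):
                ports[canon_iface(m[1])]["err_disabled"] = True
    return dict(ports)

if __name__ == "__main__":
    for port, state in summarize(SAMPLE_LOG).items():
        print(port, state)
```

A port that shows a violation but never an ERR_DISABLE entry is the case worth alerting on, since it means the switch saw the non-phone device without shutting the port.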
03-13-2008 12:51 AM
Seems like a nice feature, but we're not using Cisco IP phones.
03-13-2008 06:27 AM
Then I think that you're down to locking the ports down via the MAC address of the phones you're using. There's nothing that I can think of that toggles port states based on PoE. I guess *maybe* you could write something with TCL and combine it with EEM. That's a big maybe though.
03-13-2008 06:30 AM
OK, thanks for your help.