Cisco Support Community
New Member

Port-Security blocking on 1 mac

Hi,

This is my first attempt at adding port-security but it looks like it should work to me. I'm trying to set a port so that users can only put 1 device on the end...for phones, the phone itself and 1 PC on the end. An example of my port is as follows:

interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport voice vlan 141
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 storm-control broadcast level 20.00
 storm-control multicast level 50.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root

However, when a single user adds a single PC (or phone and PC) to these ports it goes into lockdown.

What am I missing?

3 REPLIES
New Member

Re: Port-Security blocking on 1 mac

Hi,

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.

"switchport port-security maximum 2 vlan access"

Will work

Routing and Switching Forums: http://www.routerie.com

Security Forums: http://www.securityie.com

Voice Forums: http://www.voiceie.com

New Member

Re: Port-Security blocking on 1 mac

Is this because the phone starts in the "access" vlan for the first cdp packet when it powers up (poe/vlan)?

In that case would

 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice

work?

Hall of Fame Super Bronze

Re: Port-Security blocking on 1 mac

Is this because the phone starts in the "access" vlan for the first cdp packet when it powers up (poe/vlan)?

Well said - that's the reason why you need to allow two MAC addresses in the data VLAN.

Yes, your example will work.

___

Edison.
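To find other ports with the same mismatch in a saved running-config, here is an added example (not from the thread or from Cisco) that flags interfaces with a voice VLAN and port security whose access-VLAN limit is below two. The function names, the Fa0/7 and Fa0/8 sample ports, and the limit fallback order are assumptions.

```python
import re

# Constructed sample: Fa0/6 mirrors the port in the thread, Fa0/7 applies the
# fix from the replies, Fa0/8 has port security but no voice VLAN.
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport voice vlan 141
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
interface FastEthernet0/7
 switchport voice vlan 141
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
interface FastEthernet0/8
 switchport port-security
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?$")

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit_voice_ports(config):
    """Return [(interface, access-VLAN MAC limit)] for ports that would trip."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        voice = any(c.startswith("switchport voice vlan ") for c in cmds)
        limits = {m.group(2): int(m.group(1)) for c in cmds if (m := MAX_RE.match(c))}
        # Assumption: per-VLAN limit wins, then port-wide limit, then IOS default of 1.
        access_limit = limits.get("access", limits.get(None, 1))
        if voice and "switchport port-security" in cmds and access_limit < 2:
            findings.append((name, access_limit))
    return findings

if __name__ == "__main__":
    print(audit_voice_ports(SAMPLE_CONFIG))
```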
