port-security maximum issue

daniel.asplund
Level 1

I ran into an issue with the following commands while trying to apply port-security:
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice

I want to have a setup where I allow 1 PC and 1 phone. I'm using sticky addresses, and this works as expected if I have an existing port with 1 PC and 1 phone.

The problem I'm seeing is with a port with only 1 PC connected. If I connect a second PC the MAC of the second PC is not blocked. The switch adds that MAC as the 2nd allowed sticky MAC address. Also, the switch removes these two lines automatically:

switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice

Has anyone seen the same behavior and can explain whether this is by design for some reason or a potential bug?

At the moment I have tested this on a Cat 4506 running 12.2(54).

4 Replies

Mike Williams
Level 5
As far as I'm aware, you can't have both configurations on the same port. You either have a max per port or a max per vlan. As a side note, I have had a bad experience with using a max of 1 mac for the access vlan with some phones if the phone doesn't properly use LLDP or CDP to join the voice vlan. Regards, Mike

Thx for the reply Mike.

Are you sure about the configuration types? Because if I only specify the lines with the "maximum vlan", it seems like the port will only allow 1 MAC address, which is the default as I understand it.

I now have to see what the best approach is to apply this to all ports, taking into consideration ports with no devices or only 1 device connected. I was considering adding dummy MAC addresses to all ports that don't already have 2 devices, to be able to enforce that no new devices can connect. Any better ideas on how to go about this?

Based on the behavior you are seeing, it is using the non-vlan-specific configuration to trump the vlan-specific configuration. Essentially, it will work properly if you have a phone and a workstation, but it will allow two of either of those if no devices on the other vlan are present. It seems this would be by design, because at some point the switch will need to determine which configuration will take precedence, since they are conflicting.

My question is why you need this configuration. The vlan specific configuration is in use if you want to limit on an individual vlan basis and not on a port basis. It seems to me you would not want both configurations present on the same port.

From what I gather, you want the following config:

switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security mac-address sticky

This will limit to two devices on a port as long as you have one phone and one computer, and will take the first mac address it sees for each one and place it in the configuration.

Regards,

Mike

I have tried that config as well using only:

switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice

but that unfortunately allows only 1 mac address and not 2. Leaving out the non-vlan maximum config line seems to imply the default maximum of 1 mac address. I even changed the two lines above to allow 2 or even 10 addresses each, but still I had a limit of 1 address... At least that is what I have seen on my 4506 hardware running 12.2(54). Will try to run some tests next week on different hardware and IOS versions.

Thanks again for taking your time answering!

Kind regards, Daniel
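As an added audit example (not from the thread, and not Cisco tooling), the script below parses the port-security maximum lines from interface stanzas in a saved running-config and flags the two cases the thread reports: a port-wide maximum mixed with per-VLAN maximums (Mike's point), and per-VLAN maximums with no port-wide line, where Daniel observed the default of 1 capping the port. The configuration excerpt is constructed for the example.

```python
import re
# Constructed running-config excerpt (not from the thread's switch): mixed
# per-port/per-VLAN maximums on Gi1/1, per-VLAN maximums only on Gi1/2.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/2
 switchport port-security
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
!
"""

IFACE_RE = re.compile(r"^interface (\S+)")
MAX_RE = re.compile(
    r"^\s*switchport port-security maximum (\d+)(?: vlan (access|voice))?\s*$")

def parse_maximums(config):
    """Map each interface to its per-port and per-VLAN maximum settings."""
    ports, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {"port": None, "access": None, "voice": None}
        elif current and (m := MAX_RE.match(line)):
            ports[current][m.group(2) or "port"] = int(m.group(1))
    return ports

def audit(config):
    """Return (interface, reason) pairs for the two cases the thread reports."""
    findings = []
    for name, mx in parse_maximums(config).items():
        per_vlan = [mx[k] for k in ("access", "voice") if mx[k] is not None]
        if mx["port"] is not None and per_vlan:
            # Mike's point: the port-wide maximum takes precedence, so two
            # devices of one type are accepted and the VLAN lines may be dropped.
            findings.append((name, "mixed per-port and per-VLAN maximum"))
        elif sum(per_vlan) > 1:
            # Daniel's observation: with no port-wide line the default of 1
            # applies, so the port never accepts the intended phone plus PC.
            findings.append((name, "per-VLAN maximums exceed default port maximum of 1"))
    return findings
```

Run `audit()` over `show running-config` output saved to a file to list every port that matches either pattern before rolling the configuration out fleet-wide.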
