New Member

Port Security on 3560??!

Hi, I'm running 12.2(50) on a 3560-48PS and want only the phone and a single PC attached to the port (which I have for this example), but I cannot get this to work.

I currently have:

interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport voice vlan 141
 switchport port-security maximum 3 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 storm-control broadcast level 20.00
 storm-control multicast level 50.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root

but it still locks out seconds after I activate the port. I originally tried "maximum 1 vlan access", but that obviously didn't work (I've heard that some switches need 3 MACs on the access side even though you end up with 1).

Ideas?

JM

12 REPLIES
Hall of Fame Super Bronze

Re: Port Security on 3560??!

When the phone first connects to the network, its request goes to the data VLAN, hence consuming a MAC address allocation. Once the phone obtains the necessary information from the DHCP server and TFTP server, it moves itself to the voice VLAN.

Your configuration above should work. With that said, I'm assuming you have your data VLAN on VLAN 1? Not recommended to use VLAN 1 for user traffic. You can also remove the trunk line from the config, as you are using an access VLAN with the voice VLAN as auxiliary.

HTH,

__

Edison.

New Member

Re: Port Security on 3560??!

Thanks, I thought it should work; the problem is I'm getting

Jul 20 09:59:00.980 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0013.7298.1d0c on port FastEthernet0/10.

This is the MAC of the PC attached to the phone.

Ideas on what to look at next?

JM

(Agreed, VLAN 1 is not optimal, but it's too much of a PITA to change it for this site at the moment.)

Hall of Fame Super Bronze

Re: Port Security on 3560??!

'sh port-security int f0/10' will tell you how many addresses have been allocated.

If the old MAC addresses aren't timing out on time, you should adjust the timers.

New Member

Re: Port Security on 3560??!

Interesting, I think we're getting somewhere. If I do not have the statement "switchport port-security maximum 2" added in addition to my VLAN specifics, it does not recognize more than 1 address.

interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport voice vlan 141
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 storm-control broadcast level 20.00
 storm-control multicast level 50.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root

If I take that out, then I go back to this:

Civic41#sho port-security interface f0/10
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0013.7298.1d0c:1
Security Violation Count   : 1

Bug?

Hall of Fame Super Bronze

Re: Port Security on 3560??!

Is it happening in all switchports?

I copied and pasted your config on a switch and just made changes to the access VLAN and voice VLAN as they were created on the switch:

Rack1SW1(config-if)#do show run int f0/1
Building configuration...

Current configuration : 585 bytes
!
interface FastEthernet0/1
 switchport access vlan 18
 switchport mode access
 switchport voice vlan 7
 switchport port-security maximum 2
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 storm-control broadcast level 20.00
 storm-control multicast level 50.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root
end

Rack1SW1(config-if)#do show port-sec int f0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000e.d780.3640:18
Security Violation Count   : 0

BTW, you may want to change the maximum to 3 based on what I explained before.

Config should look like this:

 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice

New Member

Re: Port Security on 3560??!

Right, but does the base "switchport port-security maximum 3" even need to be there if the other two statements are there? I thought that statement was an older option from before specifying VLANs became an option?

Hall of Fame Super Bronze (accepted solution)

Re: Port Security on 3560??!

I don't think so; removing that command will default the value to 1 MAC address.

interface FastEthernet0/1
 switchport access vlan 18
 switchport mode access
 switchport voice vlan 7
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 storm-control broadcast level 20.00
 storm-control multicast level 50.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root
end

Rack1SW1#sh port-secu int f0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 2 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000e.d780.3640:18
Security Violation Count   : 0

I believe the way it works is: you set a global maximum first and then allocate to the data and voice VLANs from that maximum value.

Without that command, as you note above, your max is 1 for the whole switchport.
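The two things this thread turns on, the violation syslog JM posted and the interaction between the per-VLAN maxima and the port-level "switchport port-security maximum", are easy to check mechanically. The following is an added example, not code from this thread or from Cisco: a small linter that parses interface stanzas out of a running config and flags a port whose per-VLAN maxima exceed the (default 1) port maximum, plus helpers that pull the MAC and port out of a PSECURE_VIOLATION line and the "Maximum MAC Addresses" value out of "show port-security interface" output. The sample config, MACs and interface names embedded below are constructed for the demonstration (Fa0/10 mirrors the original post without a port maximum, Fa0/11 carries the fix).

```python
"""Lint Catalyst port-security stanzas for the voice-VLAN pitfall in this thread.
Added example, not Cisco code; the config, MACs and interfaces below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Port maximum IOS applies when 'switchport port-security maximum N' is absent
# (this is the "Maximum MAC Addresses : 1" seen in the thread's show output).
DEFAULT_PORT_MAX = 1


@dataclass
class PortSec:
    name: str
    mode: Optional[str] = None
    voice_vlan: Optional[int] = None
    enabled: bool = False
    port_max: int = DEFAULT_PORT_MAX
    port_max_explicit: bool = False
    vlan_max: dict = field(default_factory=dict)  # "access" / "voice" -> int


def parse_interfaces(config: str) -> list[PortSec]:
    """Split running-config text into interface stanzas and keep the lines that matter here."""
    ports: list[PortSec] = []
    cur: Optional[PortSec] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("!", "end"):          # stanza terminators in 'show run'
            cur = None
            continue
        if line.startswith("interface "):
            cur = PortSec(name=line.split(None, 1)[1])
            ports.append(cur)
            continue
        if cur is None or not line:
            continue
        if line == "switchport port-security":
            cur.enabled = True
        elif m := re.fullmatch(r"switchport mode (\w+)", line):
            cur.mode = m.group(1)
        elif m := re.fullmatch(r"switchport voice vlan (\d+)", line):
            cur.voice_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security maximum (\d+) vlan (access|voice)", line):
            cur.vlan_max[m.group(2)] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cur.port_max, cur.port_max_explicit = int(m.group(1)), True
    return ports


def lint(port: PortSec) -> list[str]:
    """Return findings for one port; an empty list means nothing looked wrong."""
    findings: list[str] = []
    if not port.enabled:
        return findings
    if port.mode != "access":
        findings.append("port-security needs a static 'switchport mode access'")
    if port.vlan_max and not port.port_max_explicit:
        findings.append(f"per-VLAN maxima set but port maximum left at default {DEFAULT_PORT_MAX}; "
                        "per-VLAN limits are allocated out of the port maximum")
    wanted = sum(port.vlan_max.values())
    if wanted > port.port_max:
        findings.append(f"per-VLAN maxima add up to {wanted} but port maximum is {port.port_max}")
    if port.voice_vlan is not None and port.port_max < 2:
        findings.append(f"voice vlan {port.voice_vlan} set but port maximum {port.port_max} "
                        "cannot hold a phone and a PC")
    if "voice" in port.vlan_max and port.voice_vlan is None:
        findings.append("'maximum N vlan voice' set without a voice vlan")
    return findings


VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$")


def parse_violation(syslog_line: str) -> Optional[tuple[str, str]]:
    """Extract (mac, port) from a PSECURE_VIOLATION syslog line, or None if it is not one."""
    m = VIOLATION_RE.search(syslog_line.strip())
    return (m.group(1), m.group(2)) if m else None


def show_maximum(show_output: str) -> Optional[int]:
    """Read 'Maximum MAC Addresses' from 'show port-security interface' output."""
    m = re.search(r"Maximum MAC Addresses\s*:\s*(\d+)", show_output)
    return int(m.group(1)) if m else None


# Constructed sample: Fa0/10 as in the original post (no port maximum), Fa0/11 with the fix.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/10
 switchport mode access
 switchport voice vlan 141
 switchport port-security maximum 3 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
interface FastEthernet0/11
 switchport mode access
 switchport voice vlan 141
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
!
end
"""
SAMPLE_SYSLOG = ("Jul 20 09:59:00.980 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                 "occurred, caused by MAC address 0013.7298.1d0c on port FastEthernet0/10.")

if __name__ == "__main__":
    for p in parse_interfaces(SAMPLE_CONFIG):
        for f in lint(p) or ["ok"]:
            print(f"{p.name}: {f}")
    print(parse_violation(SAMPLE_SYSLOG))
```

Run it against the output of "show running-config" saved to a file and it reports, per port, exactly the condition the thread hit: per-VLAN maxima configured while the port maximum still sits at the default of 1.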

VIP Super Bronze

Re: Port Security on 3560??!

Edison,

I have 2 3560s that are running IOS 12.2(50).

These two commands are not supported:

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

Here is the output

switch-1(config-if)#do sh run inter gi0/47
Building configuration...

Current configuration : 73 bytes
!
interface GigabitEthernet0/47
 switchport port-security maximum 3
end

switch-1(config-if)#switchport port-security maximum 2 ?

If I try "switchport port-security maximum 2", it will replace 3.

Thanks,

Reza

Hall of Fame Super Bronze

Re: Port Security on 3560??!

1) You need to statically set the port to access: 'switchport mode access'

2) You need to enter 'switchport port-security'

3) Then you can enter the other commands.

New Member

Re: Port Security on 3560??!

What is interesting is that with "switchport port-security maximum 2" set, the system works with both my devices, instead of setting it to maximum 3. So apparently the switch is smart enough not to look at the CDP packet on the phone's initial bootup and count it. Last I heard from Cisco, it was the 3550s that still did that, where you had to set it to 3.

Sounds like my problem was not having the global maximum in there. I guess as long as it works :)

VIP Super Bronze

Re: Port Security on 3560??!

Edison,

Thanks,

I got it working on 3560s, but when I try the same commands on a 6500-E running 12.2(33)SXI, it does not like the commands at all.

Reza

Hall of Fame Super Bronze

Re: Port Security on 3560??!

By default, 6500 ports are L3 ports, and you must change them to L2 by typing 'switchport'.

Without seeing the config, it's hard to understand where the command failed.

Please take a moment and read the documentation:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html

Please remember to rate helpful posts
