In the docs it indicates that you cannot have port security on a trunk port. I was wondering if this was absolutely true, as I was wanting to secure some of our IP phone switch ports, but alas they are trunk ports. I would appreciate any help.
I believe that's not true. You can enable port security on a trunk.
See the quote from CCO below pertaining to access/voice vlan configured on a switchport.
"When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two secure addresses. If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN. You cannot configure port security on a per-VLAN basis"
You didn't mention what type of switch you are using. Here's another URL for configuring port security on 6500 switches.
Pls. rate the post if it helped.
Thank you for the reply. I'm using a 3550 switch. When I try to enable port security, the command is rejected; "you cannot enable port security on a trunk" is the rejection message. But yes, I am trying to enable security on a switch that has both data and voice VLANs configured. If I am using the wrong command, "int fastethernet0/5, port-security ....", do you have any suggestions?
What type of IP phones are they? If they are Cisco, what model? On a 3550, you can use the "switchport voice vlan" command along with the "switchport access vlan" command to separate the voice and data traffic without having to use a trunk. This would, however, depend on the phone you are using. Then, since the port would be an access port, you could apply port-security to it.
Thanks for the reply. They are Cisco 7970 phones, so you are saying that by using the "switchport voice vlan" it automatically "tells" the switch to trunk voice and data separately? Interesting. Does it work on the 7970?
When you connect IP phones to the switch and configure the voice vlan command, it internally forms a trunk, so no special trunk configuration is required.
Have a look at this link
Cisco does not allow you to configure port security on trunk ports because trunk ports may learn many MAC addresses, which would defeat the use of the port security feature. So when you connect IP phones and want the port security feature, do not configure the ports as trunks; instead configure a voice VLAN for voice traffic and also configure the same port with an access VLAN for data traffic.
However, there was an issue noted with 7970 IP phones where the phone does not stream out the PC port when voice VLAN access is enabled, which was noted in bug CSCec75806, but it has been resolved now.
HTH, if yes please rate the post.
Good thing Avaya phones do not require an explicit dot1q trunk. I have thousands of Avaya phones running on my Cisco network with aux/voice VLAN configurations:
description to IP phone and PC
switchport access vlan 2
switchport voice vlan 3
mls qos vlan-based
no cdp enable
Sorry to bring up an old thread. I am currently trying to resolve the same problem. At one of our offices I have an HP 2950-48 (12.1(22)EA8a).
We recently installed a Mitel 3300 phone system with Mitel 5330 IP Phones. I would like to set up port security but was running into the same message that I could not enable port security on a trunk port.
Reading this thread I changed the port configuration accordingly:
switchport mode access
switchport voice vlan 10
switchport port-security maximum 2
switchport port-security mac-address sticky
What is confusing me is that when I enter "Switchport mode access vlan 1" it does not appear in the config, instead it just shows "Switchport mode access." Does this matter? Should this still work?
Any thoughts or suggestions are greatly appreciated.
By default, all the ports are in VLAN 1; that's why it's not shown in the configuration, even if you configure it for VLAN 1. If you configure the port for another VLAN, it will show up in the config.
Guys, try this config; it will be useful when using a trunk port with port security:
switchport mode trunk
switchport port-security maximum 2
switchport port-security maximum 1 vlan 5
switchport port-security maximum 1 vlan 1
Let's say you have a trunk with VLAN 1 and 5; this config will set the max MAC addresses to 2, and 1 per VLAN as well.
If helpful, rate.
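
An added example, not part of any post in this thread: a small Python audit that reads interface stanzas from a saved running-config and flags voice-VLAN ports where port security is not enabled, or where the maximum is below the two secure addresses the CCO quote above requires. The sample config is constructed, the function names are hypothetical, and the script assumes the IOS default maximum of 1 when no port-wide maximum line is present.

```python
import re

# Constructed sample config; interface numbers and VLAN ids are assumptions.
SAMPLE = """\
interface FastEthernet0/5
 switchport access vlan 2
 switchport voice vlan 3
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/6
 switchport voice vlan 10
 switchport port-security
!
interface FastEthernet0/7
 switchport voice vlan 10
 switchport port-security maximum 2
 switchport port-security mac-address sticky
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def audit_voice_ports(config):
    """Return {interface: [findings]} for ports that carry a voice VLAN."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport voice vlan ") for c in cmds):
            continue
        enabled = "switchport port-security" in cmds  # bare command turns it on
        findings = [] if enabled else ["port security not enabled"]
        hits = (re.fullmatch(r"switchport port-security maximum (\d+)", c) for c in cmds)
        limit = next((int(m.group(1)) for m in hits if m), 1)  # assumed IOS default
        if limit < 2:
            findings.append(f"maximum {limit} is below 2")
        if findings:
            report[name] = findings
    return report

print(audit_voice_ports(SAMPLE))
```

Sub-commands such as `maximum` and `mac-address sticky` only set parameters, so a port that has them without the bare `switchport port-security` line is reported as not enabled.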