[c-nsp] switchport port-security question

barney gumbo barney.gumbo at gmail.com
Thu Jun 29 08:59:13 EDT 2006


FWIW the following config worked, for 1 phone with 1 PC connected.  Cisco
docs recommend 2 MAC addrs per phone, apparently the functional switch
inside the phone is assigned its own MAC addr.

int fa x/0/z
 switchport port-security maximum 3
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 2 vlan voice
 switchport port-security


On 6/24/06, Pepa Verich <Josef.Verich at cesnet.cz> wrote:
>
> Hi.
>
> You can try commands:
>
>
> switchport port-security aging time 1
> switchport port-security aging type inactivity
>
>
> If the command "switchport port-security" is used, MAC addresses in the
> mac-address-table are STATIC. The switch doesn't learn the same MAC address
> that it has on another port. You have to clear the MAC address from the
> mac-address-table before you connect the PC to another port.
>
>                Pepa
>
>
> barney gumbo wrote:
> > I have a 3750 stack with multiple cisco voip phones connected.  We are using
> > the voice vlan and access vlan for each port.
> >
> > I attempted to configure port-security and got a warning message stating
> > that the switchport must be static and not dynamic.  So I add the switchport
> > mode access command and now the switch doesn't learn the MAC address for the
> > PC connected through the phone.   I used this in combination with the
> > switchport port-security max 4 command.
> >
> > As soon as I take out switchport port-security and switchport mode access,
> > the switchport learns a MAC on that interface for the phone and the PC
> > connected to the phone.
> >
> > To me, this means the PC and anything else connected through the phone will
> > stop working.  According to the documentation, this switch interface should
> > support port-security when it's in access mode, which appears to be the
> > case, but I'm concerned about the switch not learning the MAC of host
> > connected through the phone.
> >
> > Any thoughts?  The output below shows the problem occurring.
> >
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> >    9    0017.9551.f5bc    DYNAMIC     Fa3/0/13
> >   14    0017.9551.f5bc    DYNAMIC     Fa3/0/13
> > Total Mac Addresses for this criterion: 2
> > 3750_Stack1#config t
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > 3750_Stack1(config)#int fa3/0/13
> > 3750_Stack1(config-if)#switchport mode access
> > 3750_Stack1(config-if)#switchport port-security
> > 3750_Stack1(config-if)#switchport port-security max 4
> > 3750_Stack1(config-if)#exit
> > 3750_Stack1(config)#exit
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> >   14    0017.9551.f5bc    STATIC      Fa3/0/13
> > Total Mac Addresses for this criterion: 1
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> >   14    0017.9551.f5bc    STATIC      Fa3/0/13
> > Total Mac Addresses for this criterion: 1
> > 3750_Stack1#
> >
> > 3750_Stack1#config t
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > 3750_Stack1(config)#int fa3/0/13
> > 3750_Stack1(config-if)#shut
> > 3750_Stack1(config-if)#exit
> > 3750_Stack1(config)#exit
> > 3750_Stack1#sho run int fa3/0/13
> > Building configuration...
> >
> > Current configuration : 369 bytes
> > !
> > interface FastEthernet3/0/13
> >  switchport access vlan 9
> >  switchport mode access
> >  switchport voice vlan 14
> >  switchport port-security maximum 4
> >  switchport port-security
> >  shutdown
> >  srr-queue bandwidth share 10 10 60 20
> >  srr-queue bandwidth shape  10  0  0  0
> >  mls qos trust device cisco-phone
> >  mls qos trust cos
> >  auto qos voip cisco-phone
> >  spanning-tree portfast
> > end
> >
> > 3750_Stack1#
> > 3750_Stack1#config t
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > 3750_Stack1(config)#int fa3/0/13
> > 3750_Stack1(config-if)#no shut
> > 3750_Stack1(config-if)#exit
> > 3750_Stack1(config)#exit
> > 3750_Stack1#
> > 3750_Stack1#
> > 3750_Stack1#sho mac-add
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> >   14    0017.9551.f5bc    STATIC      Fa3/0/13
> > Total Mac Addresses for this criterion: 1
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> >   14    0017.9551.f5bc    STATIC      Fa3/0/13
> > Total Mac Addresses for this criterion: 1
> > 3750_Stack1#
> >
> > 3750_Stack1#config t
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > 3750_Stack1(config)#int fa3/0/13
> > 3750_Stack1(config-if)#no switchport mode access
> > Command rejected: Conflict with Port Security
> > 3750_Stack1(config-if)#no switchport port-sec
> > 3750_Stack1(config-if)#no switchport mode access
> > 3750_Stack1(config-if)#exit
> > 3750_Stack1(config)#exit
> > 3750_Stack1#sho mac-add
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> > 3750_Stack1#sho mac-address-table int fa3/0/13
> >           Mac Address Table
> > -------------------------------------------
> >
> > Vlan    Mac Address       Type        Ports
> > ----    -----------       --------    -----
> >    9    0017.9551.f5bc    DYNAMIC     Fa3/0/13
> >   14    0017.9551.f5bc    DYNAMIC     Fa3/0/13
> > Total Mac Addresses for this criterion: 2
> > 3750_Stack1#
> >
>
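
An added example, not part of the original thread or of any Cisco tooling: a small Python audit that compares an interface's port-security limits with its `show mac-address-table` output and flags a configured VLAN with no learned address (the symptom reported above) or more addresses than its maximum. The sample text is constructed from the output and configs quoted in the thread; the function names, the default port maximum of 1 and the counting of each table row toward the port total are assumptions of this example.

```python
import re

# Constructed sample: the thread's interface with the per-VLAN limits from the
# reply, and the MAC table as shown after port-security was first enabled.
SAMPLE_CONFIG = """\
interface FastEthernet3/0/13
 switchport access vlan 9
 switchport mode access
 switchport voice vlan 14
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 2 vlan voice
 switchport port-security
"""
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  14    0017.9551.f5bc    STATIC      Fa3/0/13
"""

def parse_config(text):
    """Return ({role: (vlan, per-VLAN max or None)}, port-wide max)."""
    vlan = {k: int(v) for k, v in re.findall(r"switchport (access|voice) vlan (\d+)", text)}
    lim = {k: int(n) for n, k in re.findall(r"port-security maximum (\d+) vlan (access|voice)", text)}
    total = re.search(r"port-security maximum (\d+)\s*$", text, re.M)
    return {k: (vlan[k], lim.get(k)) for k in vlan}, int(total.group(1)) if total else 1

def parse_mac_table(text):
    """Return (vlan, mac, type) rows from 'show mac-address-table' output."""
    row = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+\S+", re.M | re.I)
    return [(int(v), m.lower(), t.upper()) for v, m, t in row.findall(text)]

def audit(config, table):
    """Flag VLANs with no learned address or more addresses than allowed."""
    roles, total = parse_config(config)
    rows = parse_mac_table(table)
    findings = []
    for role, (vlan, limit) in sorted(roles.items()):
        macs = {m for v, m, _ in rows if v == vlan}
        if not macs:
            findings.append(f"{role} vlan {vlan}: no MAC learned")
        elif limit is not None and len(macs) > limit:
            findings.append(f"{role} vlan {vlan}: {len(macs)} MACs exceed maximum {limit}")
    if len(rows) > total:  # assumption: every table row counts toward the port total
        findings.append(f"port: {len(rows)} entries exceed maximum {total}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, SAMPLE_TABLE)))
```
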

