Switchport port-security issue

Hi All.

We have a CAT2960 LAN-LITE.  Each port is configured for an access and a voice VLAN.  All our computers are directly connected through IP phones, and the IP phones are connected to the switch.

I configured the following on a CAT2960 with IOS 12.2(50)SE2 at the interface level:

 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict

Based on what I read, my understanding is the following:

Each port can have two MAC addresses connected to it, but it must only be one IP phone, or one computer, or one computer and one IP phone at the same time.  It cannot be 2 IP phones or 2 computers.  Am I right?

If so, I have the following issue:
When an IP phone is connected to a switch port, the switch tries to add the IP phone to the access VLAN twice.  Then the switch adds the IP phone to the right voice VLAN.

But if the computer connected through the IP phone has already been added to the access VLAN when the IP phone boots up, the switch will generate a violation for the first 2 attempts to add the IP phone to the wrong VLAN.

Example:
05:33:50: PSECURE: Read:2004, Write:2005
05:33:50: PSECURE: swidb = FastEthernet0/11 mac_addr = [Computer MAC-ADDR] vlanid = 10
05:33:50: PSECURE: Adding [Computer MAC-ADDR] as dynamic on port Fa0/11 for vlan 10


05:34:11: PSECURE: Security violation, TrapCount:1
05:34:12: PSECURE: Read:2014, Write:2015
05:34:12: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 10
05:34:12: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 10
05:34:12: PSECURE: Violation/duplicate detected upon receiving [IP Phone MAC-ADDR] on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:12: PSECURE: Security violation, TrapCount:2
05:34:13: PSECURE: Read:2015, Write:2016
05:34:13: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 10
05:34:13: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 10
05:34:13: PSECURE: Violation/duplicate detected upon receiving [IP Phone MAC-ADDR] on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:13: PSECURE: Security violation, TrapCount:3
05:34:13: PSECURE: Read:2016, Write:2017
05:34:13: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 11
05:34:13: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 11
05:34:13: PSECURE: Adding address vlan 11 [IP Phone MAC-ADDR] to port-security
05:34:13: PSECURE: Adding addresses to port-security sub block

Am I missing something, or maybe the IOS is bugged?

Thank you very much for your help.
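An added example, not part of the original thread: a small Python script that parses PSECURE debug lines like the ones above and separates violations caused by a phone's boot-time attempt on the access VLAN (the same MAC is secured on the voice VLAN moments later) from violations that persist, so that only the latter SNMP traps need attention. The log lines and MAC addresses below are constructed to mirror the output in the question; the 30-second window is an assumed tuning value.

```python
import re

# Constructed sample modelled on the PSECURE debug lines in the question;
# the MACs are made-up placeholders, not addresses from the thread.
SAMPLE_LOG = """\
05:33:50: PSECURE: Adding address vlan 10 0011.2233.4455 to port-security
05:34:12: PSECURE: Adding 0011.2233.6677 as dynamic on port Fa0/11 for vlan 10
05:34:12: PSECURE: Violation/duplicate detected upon receiving 0011.2233.6677 on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:13: PSECURE: Violation/duplicate detected upon receiving 0011.2233.6677 on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:13: PSECURE: Adding address vlan 11 0011.2233.6677 to port-security
05:34:40: PSECURE: Violation/duplicate detected upon receiving 0011.2233.8899 on vlan 10: port_num_addrs 2 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d): PSECURE: (.*)$")
VIOLATION = re.compile(r"Violation/duplicate detected upon receiving (\S+) on vlan (\d+)")
SECURED = re.compile(r"Adding address vlan (\d+) (\S+) to port-security")

def parse_psecure(log):
    """Split a PSECURE debug log into (violations, secured) lists of (secs, mac, vlan)."""
    violations, secured = [], []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, body = m.groups()
        secs = int(h) * 3600 + int(mi) * 60 + int(s)
        v = VIOLATION.search(body)
        if v:
            violations.append((secs, v.group(1), int(v.group(2))))
            continue
        sec = SECURED.search(body)
        if sec:  # only this line means the address really became secure
            secured.append((secs, sec.group(2), int(sec.group(1))))
    return violations, secured

def classify_violations(log, voice_vlan, window=30):
    """Mark a violation 'transient' when the same MAC is secured on the voice VLAN
    within `window` seconds afterwards (a phone booting through the access VLAN),
    otherwise 'persistent' (an address the port really refused)."""
    violations, secured = parse_psecure(log)
    results = []
    for t, mac, vlan in violations:
        later = any(m2 == mac and v2 == voice_vlan and t <= t2 <= t + window
                    for t2, m2, v2 in secured)
        results.append({"time": t, "mac": mac, "vlan": vlan,
                        "verdict": "transient" if later else "persistent"})
    return results
```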

ASKER CERTIFIED SOLUTION
Dangle79
granted we know we're dealing with the same four devices that float and we apply that same list to multiple ports on the same switch
ASKER

The problem is that I cannot know all the MAC addresses on our network.  We'll have about 100 customers with that kind of setup.

The only thing we want to do with that is to prevent someone from installing decentralized switches, and also to prevent someone from installing switches other than ours.

Is this the right feature to do that?
I'd say you've got the right idea then. It kind of looks like you're dealing with a timeout issue. When a device reboots it's trying to add to the list but you're getting duplicate errors. Perhaps try setting the age time.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/6.x/configuration/guide/sec_port.html#wp1019982
ASKER

The aging time doesn't change anything, unfortunately.

But the feature works.  It just generates a security violation for nothing.  Considering that I'll receive an SNMP trap each time, it bothers me.

I'm out for the night.  I'll look at this again tomorrow.

Thanks for now :)
ASKER

I had confirmation that I should use the following commands:

maximum 3
maximum 2 access
maximum 1 voice.

Considering that the rogue switch should have taken one of the 2 MACs allowed for the "access".

But now my problem is that my rogue switch doesn't take a MAC on my secure port.

Is it normal?

Thanks
That makes sense. The IP phone is in itself a switch of sorts.

What are you using for a rogue switch? I assume a desktop switch like a D-Link or something? I assume you're testing behavior with a "rogue" device...
ASKER

It's a Cisco Small Business 5-port switch.

I also generated traffic with a PC.  But there is no MAC address for the switch.

Is there a feature to enable that?
Interesting... How many host devices are you able to run?
Curious if it's just recognizing the switch as a bridge and allowing it, but will filter on host MACs.
ASKER

What do you mean by "How many hosts are you able to run"?

I have two nodes connected to my switch so far.

By the way, I also tried a D-Link switch, but it doesn't work.
I'm trying to piece together what you've got connected.
In my mind I'm seeing it like this:

secured port > 5-port switch > IP phone and PC

From what you've said I'm gathering that the secured port is picking up the MACs for the phone and the PC but not the switch. My hunch was that it was ignoring the switch in favor of the connected devices (the phone and the PC).
What I was asking is what happens if you were to connect another PC / "malicious host" to the 5-port switch in this scenario, whether it would be allowed access to the network by the secured port.
ASKER

Ok, I see :), sorry.

Yes, the second PC connected to the 5-port switch is permitted.
SOLUTION
ASKER

Yes, but sometimes it's better with these forums :).  I said something weird.

The IP Phones are managed by a UC540 connected to my router.

Here's where my router is: Router > Switch LAN-LITE (secured port) > 5-port switch > IP phone and PC

Even if no PC is connected to my network, I see my LEDs blink very fast (around 50 packets per second on all the connected interfaces of all my devices).

Can the IP phone protocol cause that fast blink?
Would it be possible that this kind of traffic (or storm) causes the switch's MAC to not be considered by my main switch?
ASKER

I put a SPAN session and sniffed to see what is going on, and I received many Cisco SCCP packets.  I think it's normal and useful to let the Cisco SCCP protocol run.

Yeah, that's probably okay. My knee-jerk answer would have been ARP broadcasts, but since you're in a bench situation that's not likely.
ASKER

I heard that since layer 2 switches don't send packets on the network themselves, they won't come up in the MAC address table of other layer 2 devices on a network.

I think it's my answer :(
Yeah, that's the fancy way of saying what I was thinking. The switch is just a bridge and thus won't originate any packets; that's why I was wondering how many hosts you could connect. Your port security should still work with the max address limit set.
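An added example, not from the thread, that models the counters behind the two configurations discussed above: the original maximum 2 / 1 access / 1 voice, where the phone's boot-time attempt on the access VLAN is refused, and the revised maximum 3 / 2 access / 1 voice, where the hosts behind a transparent rogue switch are counted individually because the bridge itself originates no frames. The class and scenarios are assumptions written for illustration, not Cisco's implementation; the host names are placeholders.

```python
class PortSecurity:
    """Toy model of the per-port and per-VLAN secure-address counters that
    the PSECURE 'Violation/duplicate detected' line reports (assumed
    behaviour written for this example, not Cisco's implementation)."""

    def __init__(self, port_max, vlan_max):
        self.port_max = port_max        # switchport port-security maximum N
        self.vlan_max = dict(vlan_max)  # {vlan: maximum N vlan access/voice}
        self.secured = {}               # mac -> vlan it is secured on

    def learn(self, mac, vlan):
        """Try to secure `mac` on `vlan`; return 'ok' or a violation reason."""
        if self.secured.get(mac) == vlan:
            return "ok"                 # already secured here, nothing to do
        others = {m: v for m, v in self.secured.items() if m != mac}
        vlan_ct = sum(1 for v in others.values() if v == vlan)
        limit = self.vlan_max.get(vlan, self.port_max)
        if vlan_ct >= limit:
            return f"violation: vlan {vlan} full ({vlan_ct}/{limit})"
        if len(others) >= self.port_max:
            return f"violation: port full ({len(others)}/{self.port_max})"
        self.secured[mac] = vlan
        return "ok"


def phone_boot_original_config():
    """Original config (max 2, 1 access, 1 voice): the PC is already on VLAN 10,
    so the phone's boot-time attempt on VLAN 10 is refused before it lands on 11."""
    ps = PortSecurity(2, {10: 1, 11: 1})
    ps.learn("pc-a", 10)
    return [ps.learn("phone", 10), ps.learn("phone", 11)]


def rogue_switch_revised_config():
    """Revised config (max 3, 2 access, 1 voice). The rogue bridge never shows
    up as a MAC; only the hosts behind it count, so a second PC on the access
    VLAN is let through while a third is refused."""
    ps = PortSecurity(3, {10: 2, 11: 1})
    return [ps.learn("phone", 11), ps.learn("pc-a", 10),
            ps.learn("pc-b", 10), ps.learn("pc-c", 10)]
```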