
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1381

Switchport port-security issue

Hi All.

We have a CAT2960 LAN-LITE.  Each port is configured for an access and a voice VLAN.  All our computers are directly connected through IP phones, then the IP phones are connected to the switch.

I configured the following on a CAT2960 with IOS 12.2(50)SE2 at the interface level

 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict

Based on what I read my understanding is the following :

Each port can have two MAC addresses connected to it, but it must only be one IP phone, or one computer, or one computer and one IP phone at the same time.  It cannot be 2 IP phones or 2 computers.  Am I right?

If so, I have the following issue :
When an IP phone is connected to a switch port, the switch tries to add the IP phone to the access VLAN twice.  Then the switch adds the IP phone to the right voice VLAN.

But if the computer connected through the IP phone has already been added to the access VLAN when the IP phone boots up, the switch will generate a violation for the first 2 attempts to add the IP phone to the wrong VLAN.

05:33:50: PSECURE: Read:2004, Write:2005
05:33:50: PSECURE: swidb = FastEthernet0/11 mac_addr = [Computer MAC-ADDR] vlanid = 10
05:33:50: PSECURE: Adding [Computer MAC-ADDR] as dynamic on port Fa0/11 for vlan 10

05:34:11: PSECURE: Security violation, TrapCount:1
05:34:12: PSECURE: Read:2014, Write:2015
05:34:12: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 10
05:34:12: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 10
05:34:12: PSECURE: Violation/duplicate detected upon receiving [IP Phone MAC-ADDR] on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:12: PSECURE: Security violation, TrapCount:2
05:34:13: PSECURE: Read:2015, Write:2016
05:34:13: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 10
05:34:13: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 10
05:34:13: PSECURE: Violation/duplicate detected upon receiving [IP Phone MAC-ADDR] on vlan 10: port_num_addrs 1 port_max_addrs 2 vlan_addr_ct 1: vlan_addr_max 1 total_addrs 0: max_total_addrs 8192
05:34:13: PSECURE: Security violation, TrapCount:3
05:34:13: PSECURE: Read:2016, Write:2017
05:34:13: PSECURE: swidb = FastEthernet0/11 mac_addr = [IP Phone MAC-ADDR] vlanid = 11
05:34:13: PSECURE: Adding [IP Phone MAC-ADDR] as dynamic on port Fa0/11 for vlan 11
05:34:13: PSECURE: Adding address vlan 11 [IP Phone MAC-ADDR] to port-security
05:34:13: PSECURE: Adding addresses to port-security sub block

Am I missing something, or maybe the IOS is bugged?

Thank you very much for your help.

2 Solutions
not sure if this works on lan-lite, but we do something kind of similar with some video conferencing equipment. it's not dynamic as you seem to be trying to do, but it works if you know all your mac addresses.

set up an access list with your mac IDs, then apply to your ports as you would with IP filtering

mac access-list extended videoconf
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any

interface FastEthernet0/7
 description Trtmt Room Vconf
 mac access-group videoconf in
granted we know we're dealing with the same four devices that float and we apply that same list to multiple ports on the same switch
Author Commented:
The problem is that I cannot know all the MAC addresses on our network.  We'll have about 100 customers with that kind of setup.

The only thing we want to do with that is to prevent someone from installing decentralized switches and also prevent someone from installing other switches than ours.

Is this the right feature to do that ?
i'd say you've got the right idea then. it kind of looks like you're dealing with a timeout issue. when a device reboots it's trying to add to the list but you're getting duplicate errors. perhaps try setting the age time.
Author Commented:
The aging time doesn't change anything, unfortunately.

But the feature works.  It just generates a security violation for nothing.  Considering that I'll receive an SNMP trap each time, it bothers me.

I'm out for the night.  I'll look at this again tomorrow.

Thanks for now :)
Author Commented:
I had confirmation that I should use the following commands

maximum 3
maximum 2 access
maximum 1 voice.

Considering that the rogue switch should have taken one of the 2 MAC allowed for the "access".

But now my problem is my rogue switch doesn't take a MAC in my secure-port.

Is it normal ?
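As an added illustration (not posted in the thread), here is a small Python model of the two counters the PSECURE debug lines above expose (port_num_addrs/port_max_addrs and vlan_addr_ct/vlan_addr_max). It replays the learn sequence from the question, where the PC is already secure on VLAN 10 when the phone is first seen on the access VLAN, under the original "maximum 2 / 1 access / 1 voice" limits and under the confirmed "maximum 3 / 2 access / 1 voice" limits. The counter logic and the event sequence are simplifications constructed for this example, not the switch's real implementation.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Simplified 'violation restrict' port: a rejected MAC is dropped and
    counted as a violation, and the port stays up (assumption for this model)."""
    port_max: int                  # switchport port-security maximum N
    vlan_max: dict                 # per-VLAN maxima, e.g. {10: 1, 11: 1}
    secure: set = field(default_factory=set)        # learned (mac, vlan) pairs
    violations: list = field(default_factory=list)  # rejected (mac, vlan) pairs

    def learn(self, mac: str, vlan: int) -> str:
        """Return 'known', 'added' or 'violation' for a frame from mac on vlan."""
        if (mac, vlan) in self.secure:
            return "known"
        vlan_ct = sum(1 for _, v in self.secure if v == vlan)   # vlan_addr_ct
        vlan_limit = self.vlan_max.get(vlan, self.port_max)     # vlan_addr_max
        if len(self.secure) >= self.port_max or vlan_ct >= vlan_limit:
            self.violations.append((mac, vlan))
            return "violation"
        self.secure.add((mac, vlan))
        return "added"

# Constructed learn sequence mirroring the debug output in the question: the PC
# is already on VLAN 10, then the booting phone is seen twice on the access
# VLAN before it is finally learned on the voice VLAN.
PHONE_BOOT = [("pc", 10), ("phone", 10), ("phone", 10), ("phone", 11)]

def replay(port_max, vlan_max, events=PHONE_BOOT):
    port = SecurePort(port_max, vlan_max)
    return [port.learn(mac, vlan) for mac, vlan in events], port

def original_config():
    # maximum 2 / maximum 1 vlan access / maximum 1 vlan voice
    return replay(2, {10: 1, 11: 1})

def confirmed_config():
    # maximum 3 / maximum 2 vlan access / maximum 1 vlan voice
    return replay(3, {10: 2, 11: 1})

def extra_host(port_max, vlan_max):
    """Phone boot followed by a third, distinct MAC on the access VLAN; returns
    what happens to that third MAC (a second PC behind a daisy-chained switch)."""
    results, _ = replay(port_max, vlan_max, PHONE_BOOT + [("pc2", 10)])
    return results[-1]

if __name__ == "__main__":
    print("original :", original_config()[0])   # two spurious violations
    print("confirmed:", confirmed_config()[0])  # phone accepted on both VLANs
```

With the confirmed limits the phone's transient appearance on the access VLAN no longer trips a violation, while a third distinct MAC on the access VLAN still does under either set of limits.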

that makes sense. the ip phone is in itself a switch of sorts.

what are you using for a rogue switch? i assume a desktop switch like a dlink or something? i assume you're testing behavior with a "rogue" device...
Author Commented:
It's a Cisco Small Business 5-port switch.

I also generated traffic with a PC.  But there is no MAC address for the switch.

Is there a feature to enable that ?
interesting.. how many host devices are you able to run?
curious if it's just recognizing the switch as a bridge and allowing it but will filter on host macs
Author Commented:
What do you mean by : "How many host are you able to run" ?

I have two nodes connected to my switch so far.

By the way, I also tried a D-Link switch, but it doesn't work.
i'm trying to piece together what you've got connected.
in my mind i'm seeing it like this:

secured port > 5port switch > IP phone and PC

from what you've said i'm gathering that the secured port is picking up the macs for the phone and the pc but not the switch. my hunch was that it was ignoring the switch in favor of the connected devices (the phone and the PC)
what i was asking is what happens if you were to connect another PC/"malicious host" to the 5 port switch in this scenario, if it would be allowed access to the network by the secured port
Author Commented:
Ok, I see :), Sorry

Yes, the second PC connected to the 5-port switch is permitted.
must admit then, i'm stumped.
should be working as advertised. hate to tell you to call TAC, but that's actually how we managed to come up with the access-list solution i outlined earlier. do you have active support on your device?
Author Commented:
Yes, but sometimes it's better with these forums :).  I saw something weird.

The IP Phones are managed by a UC540 connected to my router.

Here's where my router is : Router > Switch LAN-LITE (secured port) > 5port switch > IP phone and PC
Even if no PC is connected to my network, I see my LEDs blink very fast (around 50 packets per second on all the connected interfaces of all my devices).

Can the IP phone protocol cause that fast blink?
Would it be possible that this kind of traffic (or storm) causes the switch's MAC to not be considered by my main switch?
Author Commented:
I set up a SPAN session and sniffed to see what is going on, and I received many Cisco SCCP packets.  I think it's normal and useful to let the Cisco SCCP protocol run.

yeah that's probably okay. my knee jerk answer would have been arp broadcasts but since you're in a bench situation that's not likely.
Author Commented:
I heard that since layer 2 switches don't send packets on the network themselves, they won't come up in the MAC address table of other layer 2 devices on a network.

I think it's my answer :(
yeah, that's the fancy way of saying what i was thinking. the switch is just a bridge and thus won't originate any packets, that's why i was wondering how many hosts you could connect. your port security should still work with the max address limit set