Re: port security question from Rob Clav on 2011-07-21 (Ccielab archives 07/2011)

From: Rob Clav <robclav_at_gmail.com>
Date: Thu, 21 Jul 2011 12:23:37 +0200

Hi Rob,
You are missing you are configuring this feature at Voice vlan. So a new
rules are played here.
Please note, this is the expected behaviour.
HTH,
Robclav

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25sg/configura
tion/guide/port_sec.pdf

When you enable port security on an interface that is also configured with
a voice VLAN, you must set the maximum allowed secure addresses on the port
to two plus the maximum number of secure addresses allowed on the access
VLAN. When the port is connected to a Cisco IP phone, the IP phone requires
up to two MAC addresses. The IP phone address is learned on the voice VLAN
and might also be learned on the access VLAN. Connecting a PC to the IP
phone requires additional MAC addresses.

2011/7/21 me you <anunda19_at_gmail.com>

> I am setting up port security for one computer on a port. Simple. But I am
> having problems with the only port that has both a VIOP and computer. The
> MAC address on the phone is showing on both VLAN. I have included all the
> info. I am just overlooking something stupid. What is it?
>
> Thanks
> Rob
>
>
> sh mac add | i 0/19
> 2 0030.94c2.92b0 DYNAMIC Fa0/19
> 2 bcae.c52f.f4c5 DYNAMIC Fa0/19
> 3 0030.94c2.92b0 DYNAMIC Fa0/19
>
>
>
> interface FastEthernet0/19
> description Pete
> switchport access vlan 2
> switchport mode access
> switchport voice vlan 3
> switchport port-security
> switchport port-security maximum 2
> switchport port-security violation restrict
> switchport port-security mac-address 0030.94c2.92b0
> switchport port-security mac-address bcae.c52f.f4c5
> load-interval 30
> speed 100
> duplex full
> spanning-tree portfast
>
> Error
> Jul 21 09:55:46.289: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
> occurred, caused by MAC address 0030.94c2.92b0 on port FastEthernet0/19.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

--
Robert Clavero
CCIE RS/wr, CCNP, CCSP, CCSE NGX, SCSA 9, WLFES, BNP y JNCIA WX
blog:http://robclavbcn.blogspot.com
 web:http://www.kubsolutions.com
Blogs and organic groups at http://www.ccie.net

Received on Thu Jul 21 2011 - 12:23:37 ART

This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART