Re: port-security and IP Phones



Peter,
thanks for the response. I checked out the MAC address table
timeouts and this is set to 300 seconds (the default), but when I remove
the PC from the port on the IP phone it does not clear from the table
after 5 mins. In fact the MAC address was still known on that port
the following day.

The solution is to enable aging timeouts within the port-security
config on each interface with the commands below.

switchport port-security aging time 1
switchport port-security aging type inactivity

So the port-security config on the switch reads like this now

switchport port-security
switchport port-security maximum 3
switchport port-security aging time 1
switchport port-security aging type inactivity

This results in the MAC address aging out of both the mac-address-table
and the port-security table after 5 mins of activity.
This solves the problem of moving a PC from one port to another on
the same switch.

I've spotted reference to this problem on the cisco web site here

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008082a26d.html#wp1127231


"If a secure MAC address is secured on a port, that MAC address is not
allowed to enter on any other port off that VLAN. If it does, the
packet is dropped unnoticed in the hardware. Other than through the
interface or port counters, you do not receive a log message
reflecting this fact. Be aware that this condition does not trigger a
violation. Dropping these packets in the hardware is more efficient
and can be done without putting additional load on the CPU."

FWS in Dublin



Peter wrote:
Greetings,

On Fri, 13 Jul 2007 16:02:44 UTC, firewallstarter@xxxxxxxxxxx wrote:

I've seen a problem with the port-security feature on switches when
you connect through an IP phone.

The problem arises when a data device, connected through an IP phone,
is moved from one port to another on the same switch. When the data
device is attached to the new port it has no connectivity.

You need to modify the MAC Address table Timeout value for any port
enabled for IP Telephony to a shorter value to allow PC mobility
between these ports. On our switches (3560's) we use 2 minutes and
find that works well enough (except for the really impatient people
that only wait 5 seconds before screaming......;-)).

Cheers.................pk.


--
Peter from Auckland.




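The fix above is per interface, which is easy to miss on a switch stack with a few hundred phone ports. Below is an added example (mine, not part of this thread or of anything Cisco ships) that reads an IOS running-config, finds every port that carries a voice VLAN and has port-security enabled, and reports the ports still missing the two aging commands from the post. The sample config is constructed for the example: Gi0/1 has the fix, Gi0/2 is the pre-fix state, Gi0/3 is a plain data port and is ignored. Note that `aging time` is in minutes, so `aging time 1` is one minute, not one second.

```python
"""Audit a Cisco IOS running-config for IP-phone ports whose port-security
keeps stale secure MACs because inactivity aging is not configured."""
import re

# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
"""

# The two commands the thread identifies as the fix; hypothetical audit
# policy, adjust the time value to local taste.
REQUIRED_AGING = (
    ("switchport port-security aging time", "switchport port-security aging time 1"),
    ("switchport port-security aging type inactivity",
     "switchport port-security aging type inactivity"),
)


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each stanza.

    A stanza starts at a line beginning with 'interface ' and ends at the
    next '!' separator, which is how IOS prints 'show running-config'.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_phone_ports(config):
    """Return {interface: [missing commands]} for every port that has a
    voice VLAN and port-security enabled but lacks inactivity aging."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        has_voice = any(l.startswith("switchport voice vlan") for l in lines)
        has_psec = "switchport port-security" in lines
        if not (has_voice and has_psec):
            continue  # data-only port or no port-security: out of scope
        missing = [cmd for prefix, cmd in REQUIRED_AGING
                   if not any(l.startswith(prefix) for l in lines)]
        if missing:
            findings[name] = missing
    return findings


def remediation(findings):
    """Render the interface-mode commands to paste into configure terminal."""
    out = []
    for name, missing in sorted(findings.items()):
        out.append(f"interface {name}")
        out.extend(f" {cmd}" for cmd in missing)
    return "\n".join(out)


if __name__ == "__main__":
    print(remediation(audit_phone_ports(SAMPLE_CONFIG)))
```

After pushing the generated lines, `show port-security interface <if>` shows the Aging Time and Aging Type the port is actually using, and `show port-security address` lists the secure MACs with their remaining age, which is the quickest way to confirm the moved PC's address really has left the old port.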