port-security and IP Phones

firewallstarter@hotmail.com
07-13-2007
I've seen a problem with the port-security feature on switches when
you connect through an IP phone.

The problem arises when a data device, connected through an IP phone,
is moved from one port to another on the same switch. When the data
device is attached to the new port it has no connectivity.

The cause of the problem is the fact that the phone keeps the switch
port up even though you may plug out a device from the data port on
the phone. This means that the switch port-security entries are not
cleared. The switch sees that the mac address of the data device is
attached to the old port so it does not open on the new port until
it's cleared from the old one.

To clear the port-security entries you can disconnect the IP phone,
causing the port to drop or you can run the following command

clear port-security dynamic address A.B.C (where A.B.C is the mac
address of the data device)

This results in problems with laptop mobility on an office floor.

I've seen this problem on a Cisco 4506 running
cat4500-ipbasek9-mz.122-37.SG.bin

Has anybody else seen this and does anybody know of a solution?

As always your help is appreciated.
FWS

Peter
07-13-2007
Greetings,

On Fri, 13 Jul 2007 16:02:44 UTC, (E-Mail Removed) wrote:

> I've seen a problem with the port-security feature on switches when
> you connect through an IP phone.
>
> The problem arises when a data device, connected through an IP phone,
> is moved from one port to another on the same switch. When the data
> device is attached to the new port it has no connectivity.


You need to modify the MAC Address table Timeout value for any port
enabled for IP Telephony to a shorter value to allow PC mobility
between these ports. On our switches (3560's) we use 2 minutes and
find that works well enough (except for the really impatient people
that only wait 5 seconds before screaming......).

Cheers.................pk.


--
Peter from Auckland.
firewallstarter@hotmail.com
07-20-2007
Peter,
thanks for the response. I checked out the MAC address table
timeouts and this is set to 300 seconds, the default, but when I remove
the PC from the port on the IP phone it does not clear from the table
after 5 mins. In fact the MAC address was still known on that port
the following day.

The solution is to enable aging timeouts within the port-security
config on each interface with the commands below.

switchport port-security aging time 1
switchport port-security aging type inactivity

So the port-security config on the switch reads like this now

switchport port-security
switchport port-security maximum 3
switchport port-security aging time 1
switchport port-security aging type inactivity

This results in the mac address aging out of both the mac-address-table
and the port-security table after 5 mins of activity.
This solves the problem of the moving a PC from one port to another on
the same switch.

I've spotted a reference to this problem on the Cisco web site here

http://www.cisco.com/en/US/products/...html#wp1127231


"If a secure MAC address is secured on a port, that MAC address is not
allowed to enter on any other port off that VLAN. If it does, the
packet is dropped unnoticed in the hardware. Other than through the
interface or port counters, you do not receive a log message
reflecting this fact. Be aware that this condition does not trigger a
violation. Dropping these packets in the hardware is more efficient
and can be done without putting additional load on the CPU."

FWS in Dublin



Peter wrote:
> Greetings,
>
> On Fri, 13 Jul 2007 16:02:44 UTC, (E-Mail Removed) wrote:
>
> > I've seen a problem with the port-security feature on switches when
> > you connect through an IP phone.
> >
> > The problem arises when a data device, connected through an IP phone,
> > is moved from one port to another on the same switch. When the data
> > device is attached to the new port it has no connectivity.

>
> You need to modify the MAC Address table Timeout value for any port
> enabled for IP Telephony to a shorter value to allow PC mobility
> between these ports. On our switches (3560's) we use 2 minutes and
> find that works well enough (except for the really impatient people
> that only wait 5 seconds before screaming......).
>
> Cheers.................pk.
>
>
> --
> Peter from Auckland.
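A small model of the switch behaviour FWS describes, added here as an example and not code from the thread or from Cisco. It assumes constructed port names, VLAN and MAC addresses, treats aging in whole minutes, and never flushes a port's entries on link-down, since the phone keeps the port up. With the IOS default of no aging the moved PC is silently dropped on the new port; with `aging time 1` and `aging type inactivity` the stale entry expires and the PC is re-learned.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    vlan: int
    maximum: int = 1
    aging_time: int = 0           # minutes; 0 = never age out (IOS default)
    aging_type: str = "absolute"  # or "inactivity"
    secure: dict = field(default_factory=dict)  # mac -> [learned, last_seen]

class Switch:
    def __init__(self, **ports):
        self.ports = dict(ports)  # constructed port names, e.g. Gi1, Gi2

    def _expire(self, now):
        for p in self.ports.values():
            for mac, (learned, seen) in list(p.secure.items()):
                ref = learned if p.aging_type == "absolute" else seen
                if p.aging_time and now - ref >= p.aging_time:
                    del p.secure[mac]

    def frame(self, port_name, mac, now):
        """Ingress frame at minute `now`; returns forward / drop / violation."""
        self._expire(now)
        port = self.ports[port_name]
        if mac in port.secure:
            port.secure[mac][1] = now         # refresh inactivity timer
            return "forward"
        # secured on another port of the same VLAN: hardware drop, no violation, no log
        if any(o is not port and o.vlan == port.vlan and mac in o.secure
               for o in self.ports.values()):
            return "drop"
        if len(port.secure) >= port.maximum:
            return "violation"
        port.secure[mac] = [now, now]
        return "forward"

    def clear_dynamic(self, mac):
        """Like 'clear port-security dynamic address <mac>': the manual fix."""
        for p in self.ports.values():
            p.secure.pop(mac, None)

def move_pc(aging_time=0, aging_type="absolute", gap=5):
    """PC (constructed MAC) moves from the phone on Gi1 to the phone on Gi2."""
    pc = "0011.2233.4455"
    sw = Switch(Gi1=SecurePort(10, 3, aging_time, aging_type),
                Gi2=SecurePort(10, 3, aging_time, aging_type))
    sw.frame("Gi1", pc, now=0)   # learned behind the phone; phone keeps Gi1 up
    return sw.frame("Gi2", pc, now=gap)   # default config -> "drop"
```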
