port-security and IP Phones

Discussion in 'Cisco' started by firewallstarter@hotmail.com, Jul 13, 2007.

  1. Guest

    I've seen a problem with the port-security feature on switches when
    you connect through an IP phone.

    The problem arises when a data device, connected through an IP phone,
    is moved from one port to another on the same switch. When the data
    device is attached to the new port it has no connectivity.

    The cause of the problem is the fact that the phone keeps the switch
    port up even though you may plug out a device from the data port on
    the phone. This means that the switch port-security entries are not
    cleared. The switch sees that the mac address of the data device is
    attached to the old port so it does not open on the new port until
    it's cleared from the old one.

    To clear the port-security entries you can disconnect the IP phone,
    causing the port to drop or you can run the following command

    clear port-security dynamic address A.B.C (where A.B.C is the mac
    address of the data device)

    This results in problems with laptop mobility on an office floor.

    I've seen this problem on a Cisco 4506 running
    cat4500-ipbasek9-mz.122-37.SG.bin

    Has anybody else seen this and does anybody know of a solution?

    As always your help is appreciated.
    FWS
    , Jul 13, 2007
    #1

  2. Peter Guest

    Greetings,

    On Fri, 13 Jul 2007 16:02:44 UTC, wrote:

    > I've seen a problem with the port-security feature on switches when
    > you connect through an IP phone.
    >
    > The problem arises when a data device, connected through an IP phone,
    > is moved from one port to another on the same switch. When the data
    > device is attached to the new port it has no connectivity.


    You need to modify the MAC Address table Timeout value for any port
    enabled for IP Telephony to a shorter value to allow PC mobility
    between these ports. On our switches (3560's) we use 2 minutes and
    find that works well enough (except for the really impatient people
    that only wait 5 seconds before screaming......;-)).

    Cheers.................pk.


    --
    Peter from Auckland.
    Peter, Jul 13, 2007
    #2

  3. Guest

    Peter,
    Thanks for the response. I checked the MAC address table timeouts
    and this is set to 300 seconds, the default, but when I remove the PC
    from the port on the IP phone it does not clear from the table after
    5 mins. In fact the MAC address was still known on that port the
    following day.

    The solution is to enable aging timeouts within the port-security
    config on each interface with the commands below.

    switchport port-security aging time 1
    switchport port-security aging type inactivity

    So the port-security config on the switch reads like this now

    switchport port-security
    switchport port-security maximum 3
    switchport port-security aging time 1
    switchport port-security aging type inactivity

    This results in the mac address aging out of both the mac-address-
    table and the port-security table after 5 mins of activity.
    This solves the problem of moving a PC from one port to another on
    the same switch.

    I've spotted reference to this problem on the cisco web site here

    http://www.cisco.com/en/US/products..._guide_chapter09186a008082a26d.html#wp1127231


    "If a secure MAC address is secured on a port, that MAC address is not
    allowed to enter on any other port off that VLAN. If it does, the
    packet is dropped unnoticed in the hardware. Other than through the
    interface or port counters, you do not receive a log message
    reflecting this fact. Be aware that this condition does not trigger a
    violation. Dropping these packets in the hardware is more efficient
    and can be done without putting additional load on the CPU."

    FWS in Dublin

    , Jul 20, 2007
    #3
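A config audit for the trap discussed in this thread, written as an added example (it is not code from the posters or from Cisco): it parses an IOS running-config, flags voice-VLAN ports whose port-security has no inactivity aging or too low a maximum, renders the fix from post #3, and, for a MAC that is already stuck on its old port, builds the `clear port-security dynamic address` command from post #1 out of `show port-security address` output. The interface names, MAC addresses, the sample config and the column layout of the show output are constructed assumptions; the IOS defaults it relies on (aging time 0 = disabled, aging type absolute, maximum 1) are the documented ones.

```python
"""Audit IOS port-security on voice-VLAN ports for this thread's "moved PC
has no connectivity" trap and build the clear command for a MAC still
secured on its old port.  Added example, not the posters' or Cisco's code.
Assumes IOS `interface`/`!` config blocks, the keywords quoted in the thread
(IOS defaults: aging time 0 = disabled, type absolute, maximum 1) and
"vlan mac type port age" columns in `show port-security address` output.
All sample data below is constructed."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 3
!
interface GigabitEthernet1/2
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/4
 switchport voice vlan 100
 switchport port-security
 switchport port-security aging time 1
!
"""

# Constructed: PC 0011.2233.4455 moved to Gi1/2 but is still secured on Gi1/1.
SAMPLE_SHOW = """\
Vlan    Mac Address       Type            Ports   Remaining Age (mins)
 100    0004.f2aa.bb01    SecureDynamic   Gi1/1   -
  10    0011.2233.4455    SecureDynamic   Gi1/1   -
 100    0004.f2aa.bb02    SecureDynamic   Gi1/2   -
"""

PSEC = re.compile(r"switchport port-security (aging time|aging type|maximum) (\S+)$")

FIX = {  # config lines that apply the thread's fix, per issue key
    "aging-disabled": [" switchport port-security aging time 1",
                       " switchport port-security aging type inactivity"],
    "aging-absolute": [" switchport port-security aging type inactivity"],
    "maximum-too-low": [" switchport port-security maximum 3"],
}

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per `interface` block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", ""):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def audit_voice_ports(config):
    """Return {interface: [issue keys]} for voice-VLAN ports whose
    port-security will strand a PC that moves to another port."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if ("switchport port-security" not in lines
                or not any(l.startswith("switchport voice vlan ") for l in lines)):
            continue  # no phone or no port-security: not this trap
        opt = {"aging time": "0", "aging type": "absolute", "maximum": "1"}
        for l in lines:                       # overwrite the IOS defaults above
            if m := PSEC.match(l):
                opt[m.group(1)] = m.group(2)
        issues = []
        if opt["aging time"] == "0":
            issues.append("aging-disabled")   # secure MACs never expire
        elif opt["aging type"] != "inactivity":
            issues.append("aging-absolute")   # also expires a PC that stayed put
        if int(opt["maximum"]) < 2:
            issues.append("maximum-too-low")  # phone plus PC need two entries
        if issues:
            findings[name] = issues
    return findings

def remediation(findings):
    """Render the IOS lines that fix every issue in `findings`."""
    out = []
    for name, issues in sorted(findings.items()):
        out += [f"interface {name}", *(l for i in issues for l in FIX[i]), "!"]
    return "\n".join(out)

def stuck_mac_command(show_output, mac, now_on_port):
    """If `mac` is secured on a port other than `now_on_port`, return the
    clear command from the thread.  Until it runs, the MAC's frames on the
    new port are dropped in hardware with no violation and no syslog."""
    for line in show_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[1].lower() == mac.lower():  # secured entry
            return (None if cols[3] == now_on_port
                    else f"clear port-security dynamic address {mac}")
    return None  # not secured on any port: nothing to clear
```

`audit_voice_ports(SAMPLE_CONFIG)` reports Gi1/1 (aging disabled) and Gi1/4 (absolute aging, maximum 1) and leaves Gi1/2, which already carries the post #3 config, alone; `remediation()` prints the lines to paste in. Because the drop happens silently in hardware, as the Cisco passage quoted above says, the only signals are the interface counters or a MAC that `show port-security address` still lists on a port other than the one the device now sits on; `stuck_mac_command()` does that comparison and emits the clear command when it finds one.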
