
MAC Security on 6500 issue


Dave151

Technical User
Apr 29, 2005
We are thinking of adding MAC security to our user ports on our Catalyst 6500 stacks.

As a test, I've tried to switch on MAC security for one port, Gi7/46. I'm receiving a couple of errors when trying to add security, which are related to setting the port to 'nonegotiate'.

I’ve copied the errors below. Can you tell me what I would need to do to switch on MAC security?
!
interface GigabitEthernet7/46
description DGX02
switchport
switchport access vlan 160
switchport voice vlan 155
no ip address
mls qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
!

Mars#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Mars(config)#inter gi7/46
Mars(config-if)#sw
Mars(config-if)#switchport port
Mars(config-if)#switchport port-security
GigabitEthernet7/46 is dynamic port. port-security parameters cannot be set.
Use the command 'switchport nonegotiate' to force the port to non dynamic.

Mars(config-if)#sw
Mars(config-if)#switchport non
Mars(config-if)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
Mars(config-if)#
 
You need to set the port as an 'access only' port:
Code:
interface GigabitEthernet7/46
 switchport mode access

By default, ports that are defined as 'switchport' are dynamic and will attempt to negotiate trunking.

Andy
 
The problem is that when I set the switchport mode access command, the IP phone connected to this port (voice VLAN 155) is unable to dial out.

Only when I take this command off and shut and no shut the port does the phone work again.

In theory, should I be able to have the following?

interface GigabitEthernet7/46
switchport mode access
switchport access vlan 160
switchport voice vlan 155

Doesn't having two VLANs configured on the port mean it's not an access port but in fact a trunk?
 
You don't need to configure the port as a trunk to get an IP Phone to work. Set the port to access and set both the access VLAN and the voice VLAN.
Technically it is a trunk; however, it is a 'pseudo-trunk': it has a native VLAN (the access VLAN) and a single 802.1Q-tagged VLAN (the voice VLAN).
This is the configuration I have on one of my Catalyst 3550 switches:
Code:
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 101
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos monitor dscp 0 8 24 26 32 46 48 56
 mls qos monitor packets
 wrr-queue bandwidth 5 25 70 1
 wrr-queue cos-map 1 1
 wrr-queue cos-map 2 0
 wrr-queue cos-map 3 2 3 4 6 7
 wrr-queue cos-map 4 5
 priority-queue out
 spanning-tree portfast
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100

HTH

Andy
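Putting the two answers together for the original port, here is what Gi7/46 would look like with port-security applied. This is an added example, not configuration posted by either participant; it assumes the 6500's IOS accepts the same per-VLAN `maximum` and aging forms shown in the 3550 snippet above, and that the port is shut/no shut after the change so the phone re-registers.

```ios
! Gi7/46 from the original post, reworked so port-security can be enabled.
! 'switchport mode access' must precede 'switchport port-security':
! on a dynamic (DTP-negotiating) port the latter is rejected, as seen above.
interface GigabitEthernet7/46
 description DGX02
 switchport
 switchport mode access
 switchport access vlan 160
 switchport voice vlan 155
 ! One learned MAC on the data (native) VLAN, one on the tagged voice VLAN:
 ! the PC behind the phone and the phone itself.
 switchport port-security
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 ! 'restrict' drops offending frames and raises a SNMP trap/syslog entry
 ! instead of err-disabling the port (the 'shutdown' default).
 switchport port-security violation restrict
 ! Age out a learned MAC after 3 minutes of inactivity so a swapped PC
 ! does not trigger a violation forever.
 switchport port-security aging time 3
 switchport port-security aging type inactivity
 no ip address
 mls qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After applying it, `show port-security interface GigabitEthernet7/46` should report the port as Secure-up with two secure addresses (one per VLAN) once the phone and PC have sent traffic.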
 