
Port Security


arvindai

Technical User
Jan 23, 2006
Hi, I need to configure port security on a Cisco 3750. The thing is, I have configured the switch ports as trunk ports, and every port is connected to an IP phone and a PC. The problem is that when I apply port security it accepts the command but it doesn't work, and if I plug in a different device it starts working as well. The commands I am applying:

interface FastEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 432
switchport mode trunk
switchport voice vlan 231
switchport port-security maximum 2
switchport port-security
switchport port-security violation protect
switchport port-security mac-address 0008.0260.0c1f
mls qos trust cos
spanning-tree portfast trunk
end
 
First off, the port is configured wrong, or at least not optimally. You have the port hard-coded as a trunk; this isn't needed if it is just an access port supporting an IP phone and a piggy-backed PC. What you have will allow all VLANs configured on that switch to be presented to that port, as well as that port accepting traffic from them. Change the 3750 access ports as follows:
Code:
interface FastEthernet1/0/1
 switchport access vlan 432
 switchport mode access
 switchport voice vlan 231
 ! port-wide limit must cover phone + PC (default is 1); the per-VLAN limits below cannot exceed it
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 ! assuming 0008.0260.0c1f is the IP phone's MAC
 switchport port-security mac-address 0008.0260.0c1f vlan voice
 priority-queue out
 spanning-tree portfast
I assume you are talking about leaving the IP phone connected and changing the attached PC? If that is the case then it should work; however, the default timers will kick in (3 minutes), so if there was a 3-minute delay in connecting the PC it would age out the secure MAC address and happily accept the new one. If you want to make the switch only ever accept the original PC then you need to turn on the 'sticky' function (switchport port-security sticky). This will stop the aging of the learned MAC address; however, in my opinion it's a pain to administer.

Andy
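As an added example (not posted in the thread), here is the same access port with the sticky variant Andy mentions, a violation mode that actually logs, automatic recovery in case you later switch to shutdown mode, and the show commands used to confirm what the switch has secured. The MAC address and VLAN numbers are the ones from the thread; the recovery interval and the port description are assumptions.

```cisco
! Global: if violation mode shutdown is ever used, bring err-disabled ports back automatically
! (assumption: 5-minute recovery interval)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet1/0/1
 description Phone + single PC behind the phone
 switchport mode access
 switchport access vlan 432
 switchport voice vlan 231
 !
 ! Port-wide limit must cover phone + PC; the per-VLAN limits cannot exceed it
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 !
 ! Sticky: learned addresses are written into the running config and survive link flaps,
 ! so they are not aged out and replaced by whatever is plugged in next
 switchport port-security mac-address sticky
 ! Pin the phone explicitly on the voice VLAN; the PC is learned as a sticky address on the access VLAN
 switchport port-security mac-address sticky 0008.0260.0c1f vlan voice
 !
 ! restrict = drop offending frames + syslog + violation counter
 ! protect  = drop silently (nothing to alert on)
 ! shutdown = err-disable the port (phone goes down too)
 switchport port-security violation restrict
 switchport port-security
 spanning-tree portfast
!
! Verification (exec mode): secured addresses, violation count, last offending source MAC
! show port-security interface FastEthernet1/0/1
! show port-security address
! show running-config interface FastEthernet1/0/1
```

Sticky addresses only exist in the running config until you save it (write memory), which is the administrative burden Andy refers to: every phone or PC swap means clearing the stale entry with clear port-security sticky interface FastEthernet1/0/1 and saving again. If a swap is "not working", show port-security interface is the first place to look, since it shows the violation counter and the last source address that was rejected.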
 
I would like to know, if the port is in access mode, does it carry the QoS from the IP phone, as we tag voice traffic while it traverses the trunk link?
 

Yes, if you include the 'mls qos trust cos' command. When you use voice VLANs on access ports the port is a 'pseudo-trunk', whereby it allows two VLANs: the untagged access VLAN and a single 802.1Q-tagged voice VLAN. Since the voice VLAN traffic is tagged with the 802.1Q header it will contain the 4-bit 802.1p CoS header.

Trusting CoS is not really recommended, however, since it is very easy to spoof by an end user (sniffer, discover the voice VLAN tag, add a virtual adapter with the same tag and then transmit away...). Ideally you should be using DSCP and deploying access-layer QoS policies to classify traffic and ensure the traffic policy is adhered to. CoS (and DSCP) can be set by any IP end station (CoS only if it's tagged with 802.1Q), so ideally a policy should be developed and deployed.

HTH

Andy
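An added example, not from the thread, of the policy approach Andy describes on a 3750: the port only trusts CoS while CDP actually sees a Cisco IP phone, the phone is told to overwrite the CoS of anything arriving on its PC port, and an ingress policy classifies voice by ACL and polices it instead of taking the host's own marking at face value. The voice subnet (10.231.0.0/24), the RTP and signalling port ranges, and the policer rates are assumptions; the VLAN numbers are the thread's.

```cisco
mls qos
!
! Only traffic from the voice subnet on the expected ports counts as voice (assumption: 10.231.0.0/24)
ip access-list extended VOICE-RTP
 permit udp 10.231.0.0 0.0.0.255 any range 16384 32767
ip access-list extended VOICE-SIGNALING
 permit tcp 10.231.0.0 0.0.0.255 any eq 2000
 permit tcp 10.231.0.0 0.0.0.255 any range 5060 5061
!
class-map match-all VOICE-BEARER
 match access-group name VOICE-RTP
class-map match-all VOICE-CONTROL
 match access-group name VOICE-SIGNALING
!
policy-map ACCESS-EDGE-IN
 class VOICE-BEARER
  ! Mark EF ourselves and cap it: a host that spoofs a voice-subnet address still only gets 128 kbps
  set dscp ef
  police 128000 8000 exceed-action drop
 class VOICE-CONTROL
  set dscp cs3
  police 32000 8000 exceed-action drop
 class class-default
  ! Everything else from the host loses whatever CoS/DSCP it arrived with
  set dscp default
!
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 432
 switchport voice vlan 231
 ! Trust CoS only while CDP reports a Cisco IP phone on the port; otherwise the port is untrusted
 mls qos trust device cisco-phone
 mls qos trust cos
 ! Instruct the phone to override the CoS received from its PC port with 0
 switchport priority extend cos 0
 service-policy input ACCESS-EDGE-IN
 priority-queue out
!
```

With this in place the attack Andy outlines (PC adds a VLAN 231 virtual adapter and sends frames tagged with a high CoS) buys nothing: with no phone on the port there is no trust at all, with a phone the frames from the PC port are re-marked to CoS 0 before they reach the switch, and on ingress the switch sets DSCP from its own classification, so the priority queue only ever carries traffic the ACLs and policers agreed to.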
 