Wednesday, January 20, 2010

“Cannot enable port security on a trunk” error. How to set up port security on a trunk port (2950)?

We are using a 3550 switch. When we try to enable port security, the command is rejected with the message "you cannot enable port security on a trunk". We are trying to enable security on a switch that has both data and voice VLANs configured. The docs indicate that you cannot have port security on a trunk port. We are wondering if this is absolutely true, as we would like to secure some of our IP phone switch ports that are trunk ports.

Diagnostic Steps
1. When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two (one for the phone, one for the PC behind it). If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN. You cannot configure port security on a per-VLAN basis.

2. On a Cisco 3550, you can use the "switchport voice vlan" command along with the "switchport access vlan" command to separate the voice and data traffic without having to use a trunk. This would, however, depend on the phone you are using. Then, since the port would be an access port, you could apply port-security to it.

3. When you connect IP phones to the switch and configure the "switchport voice vlan" command, the port internally forms a trunk for the voice VLAN, so no special trunk configuration is required.

4. Cisco does not allow you to configure port security on trunk ports, because trunk ports may learn many MAC addresses, which would defeat the purpose of the port security feature. So when you connect IP phones and want port security, do not configure the ports as trunks; instead configure the port with "switchport voice vlan" for voice traffic and "switchport access vlan" on the same port for data traffic.

5. By default, all ports are in VLAN 1, which is why it is not shown in the configuration, even if you explicitly configure the port for VLAN 1. If you configure the port for another VLAN, it will show up in the configuration.

6. Avaya phones do not require an explicit dot1q trunk. You can try this configuration:
interface FastEthernet0/2
 description to IP phone and PC
 switchport access vlan 2
 switchport voice vlan 3
 mls qos vlan-based
 no cdp enable
 spanning-tree portfast

7. For Mitel 3300 phone systems with Mitel 5330 IP Phones, try the following:
interface FastEthernet0/30
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 spanning-tree portfast

8. On switch models and IOS versions that do support port security on trunk ports, this configuration is useful for a trunk port with port security and a per-VLAN limit:
interface FastEthernet x/x
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan 5
 switchport port-security maximum 1 vlan 1
If you have a trunk carrying VLANs 1 and 5, this configuration limits the port to 2 secure MAC addresses in total and 1 per VLAN. If the switch rejects "switchport port-security" on a trunk (as the 3550 in the question does), use the access + voice VLAN configuration from step 7 instead.
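The following is an added example, not part of the original post, that checks a running-config against the rules in steps 1, 4 and 7: port security on a trunk port (rejected on the 3550 in the question) and a voice-VLAN port whose secure-address maximum is below two. The config text is constructed for the example.

```python
"""Audit an IOS running-config against the voice-VLAN port-security rules above.
Added example for this page; the config below is constructed, not a real switch."""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport access vlan 2
 switchport voice vlan 3
 switchport port-security
interface FastEthernet0/30
 switchport mode access
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
interface FastEthernet0/31
 switchport mode trunk
 switchport port-security
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def audit(config):
    """Return [(interface, finding)] for the two misconfigurations described above."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue  # nothing to check on ports without port security
        maximum = 1  # IOS default when no maximum is configured
        for l in lines:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", l)
            if m:
                maximum = int(m.group(1))
        if "switchport mode trunk" in lines:
            findings.append((name, "port-security on a trunk: rejected on the 3550, use access + voice VLAN"))
        elif any(l.startswith("switchport voice vlan") for l in lines) and maximum < 2:
            findings.append((name, f"voice VLAN port needs maximum >= 2, found {maximum}"))
    return findings
```

Run `audit()` over the output of `show running-config` to list the ports that need the maximum raised or the trunk replaced by access + voice VLAN.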

