I have documented what I see as some problems with the way PF works when VoIP phones are introduced. I hope you can follow this and give some input as to why this is happening and if there is a simple switch configuration fix for this scenario.

Using ZEN 1.87 and a Catalyst 3560, Version 12.2(25r). I start with a blank switchport that is configured for an IP phone with a phony MAC address.

VLAN 101 is the public-by-default VLAN.
VLAN 1 is regular data for registered devices.
00:17:95:cf:0f:5b is the MAC of Cisco IP (Phone1)
00:17:e0:16:90:3f is the MAC of Cisco IP (Phone2)
00e0.9114.675e is the MAC of laptop (1)
00a0.d1a4.5a44 is the MAC of laptop (2)

Global switch config:

  snmp-server community TEST*NAC RO
  snmp-server enable traps port-security
  snmp-server enable traps port-security trap-rate 1
  snmp-server enable traps stpx root-inconsistency loop-inconsistency
  snmp-server host X.X.X.X version 2c TEST*NAC port-security

Step 1: Start with a blank config.

  interface FastEthernet0/24
   switchport access vlan 101
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 0200.0000.0024

Then plug in a Cisco (Phone1). It auto registers with PF and the port config is:

  interface FastEthernet0/24
   switchport access vlan 101
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 0200.0000.0024

Step 2: Then plug in a laptop (1) to the phone.

  21:50:10: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00e0.9114.675e on port FastEthernet0/24.
  21:50:13: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp

Port config is now (MAC address has changed and VLAN is correct). Good.

  interface FastEthernet0/24
   switchport access vlan 101
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 00e0.9114.675e

Step 3: Register (Laptop1) with the PF server.

  21:54:59: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp

VLAN has changed for the registered device. Excellent.

  interface FastEthernet0/24
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 00e0.9114.675e

Step 4: So far, so good, but unplug the Cisco phone and introduce a new unregistered (Laptop 2) directly to the switchport. This appears to be a very simple bypass of the whole system. No trap is sent to PF. The new machine does not show up on the PF server at all, and the switch port stays at the last VLAN that was configured, which in this case is VLAN 1. Not good.

  22:01:15: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

  interface FastEthernet0/24
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 00e0.9114.675e

Step 5: Next problem. Unplug everything from this switchport and introduce a different Cisco (Phone2). No trap is sent, the IP phone is granted access, and there is no entry in PF regarding the new phone.

  22:11:05: %ILPOWER-CLUSTER_MEMBER_2-7-DETECT: Interface Fa0/24: Power Device detected: IEEE PD
  22:11:05: %ILPOWER-CLUSTER_MEMBER_2-5-POWER_GRANTED: Interface Fa0/24: Power granted
  22:11:09: %LINK-CLUSTER_MEMBER_2-3-UPDOWN: Interface FastEthernet0/24, changed state to up
  22:11:10: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

Port config has not changed.

  interface FastEthernet0/24
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 00e0.9114.675e

Step 6: Plug in unregistered (Laptop 2) to the newly introduced Cisco IP (Phone2).

  22:17:22: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a0.d1a4.5a44 on port FastEthernet0/24.
  22:17:27: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X

VLAN and MAC have changed. (Laptop2) now shows up in PF as an unregistered device. Good, but a little late.

  interface FastEthernet0/24
   switchport access vlan 101
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 00a0.d1a4.5a44

Step 7: Unplug the phone from the switchport. Plug the registered Laptop (1) into the phone before powering. Plug in the phone. Get an endless supply of this. (Phone2) is now a problem.

  22:26:03: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.e016.903f on port FastEthernet0/24.
  22:26:07: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:26:18: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.e016.903f on port FastEthernet0/24.
  22:26:23: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:26:51: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.e016.903f on port FastEthernet0/24.
  22:26:55: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:26:59: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.e016.903f on port FastEthernet0/24.
  22:26:59: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:27:03: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:27:07: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.e016.903f on port FastEthernet0/24.
  22:27:11: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:27:23: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.e016.903f on port FastEthernet0/24.
  22:27:27: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:27:31: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.e016.903f on port FastEthernet0/24.
  22:27:31: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
  22:27:35: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp

Port config has not changed, even though it should now be changed to VLAN 1 for (Laptop1).

  interface FastEthernet0/24
   switchport access vlan 101
   switchport mode access
   switchport voice vlan 200
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
   switchport port-security mac-address 00a0.d1a4.5a44

Step 8: Unplug and replug the registered (Laptop1) into the Cisco phone. Same results as directly above. Endless violation messages and messages saying that the port is reconfigured, and nothing happens with the switch configuration.

Step 9: Unplug and replug the unregistered (Laptop2) into the Cisco phone. Same results as above. Endless violation messages and messages saying that the port is reconfigured, and nothing happens with the switch configuration. It is now stuck, and the only way to fix it is to blank out the port config again.

I would hate to have to go and delete MAC addresses from a port every time a phone is swapped out. The security problem associated with step 4 is, well, a problem. At this point I can't start putting this into production. If I had no phones I think that this would work perfectly.
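As an added example (not from the post, and not PacketFence code), a small Python check that runs over the IOS syslog lines quoted above and flags the two behaviours the post describes: link-ups that produce neither a port-security violation nor an SNMP reconfiguration (steps 4 and 5), and the violation/reconfigure loop on one MAC (step 7). The thresholds, the unwrapping of the console-wrapped log lines, and the sample log itself are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOS syslog message types quoted in the post, in their unwrapped one-line form.
TS = r"(?P<ts>\d\d:\d\d:\d\d): %"
RX = {"violation": re.compile(TS + r"PORT_SECURITY-\S+-PSECURE_VIOLATION: .*MAC address (?P<mac>\S+) on port (?P<port>\S+)\."),
      "config": re.compile(TS + r"SYS-\S+-CONFIG_I: Configured from"),
      "linkup": re.compile(TS + r"LINEPROTO-\S+-UPDOWN: Line protocol on Interface (?P<port>\S+), changed state to up")}

def parse(lines):
    """Time-sorted (time, kind, port, mac) tuples; port/mac are None when the message lacks them."""
    events = []
    for line in lines:
        for kind, rx in RX.items():
            if m := rx.match(line.strip()):
                d = m.groupdict()
                events.append((datetime.strptime(d["ts"], "%H:%M:%S"), kind, d.get("port"), d.get("mac")))
                break
    return sorted(events, key=lambda e: e[0])

def find_violation_loops(events, min_hits=3, window=timedelta(seconds=120)):
    """(port, mac) pairs tripping port-security min_hits times within window: the step 7 loop."""
    hits = defaultdict(list)
    for t, kind, port, mac in events:
        if kind == "violation":
            hits[(port, mac)].append(t)          # lists stay time-ordered because events are sorted
    return sorted(k for k, ts in hits.items()
                  if any(ts[i + min_hits - 1] - ts[i] <= window for i in range(len(ts) - min_hits + 1)))

def find_silent_linkups(events, grace=timedelta(seconds=30)):
    """Link-ups with no violation on that port and no SNMP reconfig within grace: the step 4/5 case."""
    silent = []
    for i, (t, kind, port, _) in enumerate(events):
        if kind == "linkup" and not any(k in ("violation", "config") and p in (port, None) and t2 - t <= grace
                                        for t2, k, p, _ in events[i + 1:]):
            silent.append((port, t.strftime("%H:%M:%S")))   # the NAC was never told about this device
    return silent

# Constructed sample: the post's log lines for steps 2, 4, 5, 6 and the start of 7, unwrapped (assumed format).
_viol = lambda ts, mac: f"{ts}: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address {mac} on port FastEthernet0/24."
_cfg = lambda ts: f"{ts}: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp"
_up = lambda ts: f"{ts}: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up"
SAMPLE_LOG = [_viol("21:50:10", "00e0.9114.675e"), _cfg("21:50:13"), _up("22:01:15"), _up("22:11:10"),
              _viol("22:17:22", "00a0.d1a4.5a44"), _cfg("22:17:27"), _viol("22:26:03", "0017.e016.903f"),
              _cfg("22:26:07"), _viol("22:26:18", "0017.e016.903f"), _viol("22:26:51", "0017.e016.903f")]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("reconfigure loops:", find_violation_loops(ev), "\nsilent link-ups:", find_silent_linkups(ev))
```

Feed it a real switch syslog feed (one message per line) to alert on ports that are looping or that changed device without PF ever being notified.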
------------------------------------------------------------------------------
_______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
