Thanks for the great response, Oliver. Here are the results of the next test with the extra line added to the port config.

VLAN 101 is a public by default vlan.
VLAN 1 is regular data for registered devices

00:17:95:cf:0f:5b is the mac of Cisco IP (Phone1)
00:17:e0:16:90:3f is the mac of Cisco IP (Phone2)
00e0.9114.675e is the mac of laptop (1)
00a0.d1a4.5a44 is the mac of laptop (2)

Switch config on PF

Normal VLAN = 1
Registration=101
Isolation=999 (I'm not using isolation but needed a value. I read another post here and changed some settings to make it Guest by Default which is the public vlan, 101)
Mac Detect=121 (not routable as per PF setup document)
Voice=200

Global switch config=

snmp-server community TEST*NAC RO
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp-server host X.X.X.X version 2c TEST*NAC port-security

initial port config=

interface FastEthernet0/24
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0000.0024
 switchport port-security maximum 1 vlan access
 spanning-tree portfast

All nodes deleted from PF database.

<1 Plug in (Phone1)

5d01h: %ILPOWER-CLUSTER_MEMBER_2-7-DETECT: Interface Fa0/24: Power Device detected: IEEE PD
5d01h: %ILPOWER-CLUSTER_MEMBER_2-5-POWER_GRANTED: Interface Fa0/24: Power granted
5d01h: %LINK-CLUSTER_MEMBER_2-3-UPDOWN: Interface FastEthernet0/24, changed state to up
5d01h: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
5d01h: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
5d01h: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

port config is now:

interface FastEthernet0/24
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0000.0024
 switchport port-security maximum 1 vlan access
 spanning-tree portfast

mac address of (Phone1) does not show up in PF.

<2 Plug Laptop(1) into the phone

5d01h: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00e0.9114.675e on port FastEthernet0/24.
5d01h: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp

port config is now:

interface FastEthernet0/24
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 00e0.9114.675e
 switchport port-security maximum 1 vlan access
 spanning-tree portfast

mac address of Laptop(1) shows up in PF. No computername or dhcp time information is present, just the mac and the switchport it is attached to. (Phone1) still does not show up in PF. Somewhat good but the sudden absence of data collected by PF is unsettling.

<3 Manually register Laptop(1) with PF

5d01h: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp

port config is now:

interface FastEthernet0/24
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 00e0.9114.675e
 spanning-tree portfast

mac address of Laptop(1) shows up in PF. No computername or dhcp time information is present, just the mac and the switchport it is attached to. (Phone1) still does not show up in PF. The line that I added, "switchport port-security maximum 1 vlan access", is now gone from the port config and the vlan has changed to 121, the mac detect vlan that has no ip addresses associated.

<4 Unplug Laptop(1) and replug it the same way as in step 3

No trap sent (because the switch already knows this mac), therefore no change in the port config, leaving Laptop(1) in the mac detect vlan with no connectivity.

Any other advice is greatly appreciated.

Kurt
------------------------------------------------------------------------------
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
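
Added example, not part of the original message and not PacketFence code: a small Python script that compares the Fa0/24 snapshots quoted above step by step, reporting which settings the SNMP-driven reconfiguration changed and which VLAN role the port ended up in. The snapshots and VLAN numbers are copied from the message; the function names and the ROLES table are assumptions made for the illustration.

```python
import re

# VLAN roles as listed in the message (lookup table constructed for this example).
ROLES = {1: "normal", 101: "registration", 999: "isolation", 121: "mac detect", 200: "voice"}
# Fa0/24 before the test; the step 1 snapshot in the message is identical.
INITIAL = """\
switchport access vlan 101
switchport mode access
switchport voice vlan 200
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.0024
switchport port-security maximum 1 vlan access
spanning-tree portfast"""
# Step 2 snapshot: only the secure MAC differs from INITIAL.
STEP2 = INITIAL.replace("0200.0000.0024", "00e0.9114.675e")
# Step 3 snapshot, after Laptop(1) was registered.
STEP3 = """\
switchport access vlan 121
switchport mode access
switchport voice vlan 200
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address 00e0.9114.675e
spanning-tree portfast"""
# Settings compared by value instead of as whole lines.
VALUED = [("access VLAN", r"switchport access vlan (\d+)$"),
          ("secure MAC", r"switchport port-security mac-address (\S+)$")]

def value(lines, pat):
    """First captured value of pat in a snapshot, or None."""
    return next((m.group(1) for l in lines if (m := re.match(pat, l))), None)

def changes(before, after):
    """Describe what changed between two snapshots of the same port."""
    out, b, a = [], before.splitlines(), after.splitlines()
    for label, pat in VALUED:
        old, new = value(b, pat), value(a, pat)
        if old != new:
            out.append(f"{label}: {old} -> {new}")
        b = [l for l in b if not re.match(pat, l)]
        a = [l for l in a if not re.match(pat, l)]
    out += [f"removed: {l}" for l in b if l not in a]
    return out + [f"added: {l}" for l in a if l not in b]

def access_role(cfg):
    """Name the role of the port's access VLAN according to ROLES."""
    return ROLES.get(int(re.search(r"^switchport access vlan (\d+)$", cfg, re.M).group(1)), "unknown")
```

Calling changes(STEP2, STEP3) lists the VLAN move and the dropped per-VLAN limit together, and access_role(STEP3) names the VLAN the registered laptop was left in.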
