1091 Views, 5 Helpful, 9 Replies

switchport port-security

jpl861
Level 4

Hi,

I'm trying to configure port-security on my port. I want to allow only my Avaya VoIP phone and my laptop to access this port. However, I configured port-security on the port with switchport port-security mac-address HHHH.HHHH.HHHH. Of course I configured two, one for my laptop and one for the phone. However, when I configure switchport port-security maximum 2, the port shuts down. When I configure switchport port-security 3, everything went fine. Here's the config.

interface FastEthernet5/28
 description JOHNLOPEZ
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 3
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address 0004.0de9.3833
 switchport port-security mac-address 0016.4159.641f
 service-policy output autoqos-voip-policy
 logging event link-status
 qos trust dscp
 auto qos voip trust
 tx-queue 3
   priority high
   shape percent 33
end

4500B#sh mac-add int fa5/28
Unicast Entries
 vlan   mac address       type        protocols               port
-------+---------------+--------+---------------------+--------------------
   3    0004.0de9.3833   static   ip,ipx,assigned,other   FastEthernet5/28
  20    0004.0de9.3833   static   ip,ipx,assigned,other   FastEthernet5/28
  20    0016.4159.641f   static   ip,ipx,assigned,other   FastEthernet5/28

4500B#sh port-security int fa5/28
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0004.0de9.3833:3
Security Violation Count   : 0
4500B#

Any idea why should it be 3? Thanks.

-John

9 Replies

jafferderwish
Level 1

Hi John,

It seems that you have defined 3 MAC addresses, NOT 2.

4500B#sh mac-add int fa5/28
Unicast Entries
 vlan   mac address       type        protocols               port
-------+---------------+--------+---------------------+--------------------
   3    0004.0de9.3833   static   ip,ipx,assigned,other   FastEthernet5/28
  20    0004.0de9.3833   static   ip,ipx,assigned,other   FastEthernet5/28
  20    0016.4159.641f   static   ip,ipx,assigned,other   FastEthernet5/28

Please remove one of them and it should work for you.

Regards,

Jaffer

Hi Jaffer,

I tried to remove all static mappings, then re-apply them again. But there really are 3 MACs registered on that port defined as static. Also, in the configuration, there are only 2 static MACs defined for the port-security command. What I want to do is to only define a maximum of 2: one MAC for the laptop and one MAC for the VoIP phone.

-John

Hi John,

As per this document: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/port_sec.htm#wp1053357 you are configuring your port security properly.

Just double check your work and run this command to see how many MACs are showing:

Router# show port-security address

Thanks,

Jaffer

Actually there are only two MAC addresses registered. It looks like one MAC is registering in two VLANs. You have voice VLAN 3 and data VLAN 20 configured on this port and the port is not configured as a trunk. Try configuring the port as a trunk and then configure the port security.

Actually, I'm really confused right now. I don't know why my IP phone, which is in VLAN 3, registered its MAC address in VLAN 20 also. This is what's on my mind: when I configured switchport port-security mac-address on the port, the port is assuming that both MAC addresses will appear on VLAN 20 (my data VLAN). If I set the maximum MAC to 2, then the MAC address of the IP phone that is trying to register its MAC on the port will be disallowed, because I already configured two static MACs on the port (which the port assumed would both appear in VLAN 20). I will try to test it on another laptop. I'll get back to you on this.

It worked guys. I tried to plug in another laptop, then it was restricted from accessing the network. It didn't get an IP address from the DHCP server. I also checked the logs and the switch says that there's a port-security violation. So I think the switchport port-sec mac-add command is just for the data VLAN and not for the voice VLAN. So I "think" I need to specify a max of 3 MACs so the phone can register its MAC address on VLAN 3. I dunno, it's weird. =)

The reason the Avaya handset registers on the Data VLAN is due to the way it boots.

When it first comes up, it uses the Data VLAN to get its DHCP address; the DHCP server provides additional information in the scope, including a flag to use trunking, and if so which VLAN to use for voice. The phone then requests another address on the Voice VLAN.

The switch doesn't handle this too well, and thinks you have two separate devices with the same MAC address.

Oh ya! That's a great input. Thanks Mark. What I noticed was when I configure switchport port-sec max 2, the phone freezes. It doesn't have a dial tone, but my laptop is still connected to the network. Maybe it blocks the MAC address on the Voice VLAN. When I checked other ports, each only has two MAC addresses on the port (one for VLAN 3 and one for VLAN 20). But maybe the switch flushed the MAC address registered on VLAN 20 that's supposed to be in VLAN 3 (when it was still discovering for DHCP). Mine was statically configured, that's why I have 3. Thanks for the great input. :)

John,

I believe that with port-security the switch blocks the address that exceeds the limitation. So in your case the first address seen is the MAC of the phone on the Data VLAN. Second is the laptop, as the phone starts forwarding traffic as soon as it loads, and last the MAC of the phone on the Voice VLAN.

The reason the other ports have only 2 MAC addresses is probably because they have been running a while, and the arp cache has timed out.

** Please rate posts if helpful **
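The behaviour the thread converges on (the switch counts secure entries per MAC-and-VLAN pair, so a phone that first boots on the data VLAN and then moves to the voice VLAN consumes two of the allowed entries) can be checked against the outputs John posted. The following Python is an added example, not code from the thread or from Cisco: it parses the "sh mac-add" listing above to count entries per MAC, and replays Mark's described boot order through a simplified model of a port in "violation restrict" mode. The model, the boot order and the frame sequence are assumptions constructed for illustration; the MAC addresses and VLAN numbers are taken from the thread.

```python
"""Added example: why the phone's MAC consumes two port-security entries.

A simplified model of Catalyst port-security on one access port: secure
entries are keyed by (MAC, VLAN), so one MAC seen on two VLANs counts twice.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample, copied from the 'sh mac-add int fa5/28' output in the thread.
SHOW_MAC_TABLE = """\
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
3 0004.0de9.3833 static ip,ipx,assigned,other FastEthernet5/28
20 0004.0de9.3833 static ip,ipx,assigned,other FastEthernet5/28
20 0016.4159.641f static ip,ipx,assigned,other FastEthernet5/28
"""


def parse_mac_table(text: str) -> List[Tuple[str, int]]:
    """Return (mac, vlan) pairs from the listing, skipping header and rule lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a numeric VLAN id; header and '----' rows do not.
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        entries.append((parts[1].lower(), int(parts[0])))
    return entries


def entries_per_mac(entries: List[Tuple[str, int]]) -> Dict[str, int]:
    """Count how many (MAC, VLAN) entries each MAC occupies: 2 distinct MACs, 3 entries here."""
    counts: Dict[str, int] = {}
    for mac, _vlan in entries:
        counts[mac] = counts.get(mac, 0) + 1
    return counts


@dataclass
class PortSecurity:
    """Simplified port-security state for one port in 'violation restrict' mode (assumed model)."""
    maximum: int
    secure: Set[Tuple[str, int]] = field(default_factory=set)
    violation_count: int = 0

    def frame_from(self, mac: str, vlan: int) -> bool:
        """Return True if the frame is forwarded, False if it is restricted (dropped)."""
        key = (mac.lower(), vlan)
        if key in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.add(key)
            return True
        # Restrict mode: the frame is dropped and the violation counter incremented,
        # but the port stays up, which is why the laptop keeps working.
        self.violation_count += 1
        return False


def simulate(maximum: int, frames: List[Tuple[str, int]]):
    """Replay frames through a port with the given maximum; returns (state, forwarded flags)."""
    ps = PortSecurity(maximum=maximum)
    forwarded = [ps.frame_from(mac, vlan) for mac, vlan in frames]
    return ps, forwarded


# Constructed boot order following Mark's description: phone on the data VLAN,
# then the laptop, then the phone again on the voice VLAN.
PHONE = "0004.0de9.3833"
LAPTOP = "0016.4159.641f"
DATA_VLAN, VOICE_VLAN = 20, 3
BOOT_FRAMES = [(PHONE, DATA_VLAN), (LAPTOP, DATA_VLAN), (PHONE, VOICE_VLAN)]

if __name__ == "__main__":
    print("entries per MAC:", entries_per_mac(parse_mac_table(SHOW_MAC_TABLE)))
    for maximum in (2, 3):
        state, fwd = simulate(maximum, BOOT_FRAMES)
        print(f"maximum {maximum}: forwarded={fwd}, violations={state.violation_count}")
```

With a maximum of 2 the third frame, the phone's first frame on the voice VLAN, is the one restricted, matching the "no dial tone but the laptop still works" symptom; with a maximum of 3 all three entries fit.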
