port-security with voice vlan "Sticky"

Unanswered Question
Aug 7th, 2007


I have the following :

Why does the Cisco 7960 phone NOT put a sticky mac address automatically under the switchport, just the PC does?

It seems to work, but am not sure why.

Also, I dont require "maximum macs" to be set to 3 do I? Like when you use Avaya?

Many thx indeed,



interface FastEthernet1/0/10

description IP Phone with desktop connected

switchport access vlan 10

switchport mode access

switchport voice vlan 20

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address sticky

switchport port-security mac-address sticky aaaa.bbbb.cccc

no ip address

duplex full

speed 100

priority-queue out

no mdix auto

switch#sh mac-address-table int fa 1/0/10

Mac Address Table


Vlan Mac Address Type Ports

---- ----------- -------- -----

10 aaaa.bbbb.cccc STATIC Fa1/0/10

20 dddd.eeee.ffff STATIC Fa1/0/10

Total Mac Addresses for this criterion: 2


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
b.hsu Mon, 08/13/2007 - 05:59

the normal procedure is to set max mac-address to 3 for port security

kfarrington Mon, 08/13/2007 - 06:06

Hi there :)

Well I read this all the time, but my Cisco IPTs work with the setting of only two, and if I increase the maximum to 3, is this not creating a security hole?

Many thx for the reply and look forward to more comments :))



e.huntley Mon, 08/13/2007 - 06:52

You have to do 3 because when the phone first boots up in goes into the default VLAN, not the voice VLAN. Once CDP kicks in, it goes into the voice VLAN

kfarrington Mon, 08/13/2007 - 06:56

Umm. still a tad confused as all of my phones are working, as SecureDynamic and my PCs are SecureSticky, but I did configure the port-sec after the phone had been booted.

I think I will need to take a walk to where the phones are and power cycle the phone, to see if it breaks?

Will get back to you shortly :))

Cheers to all


tgryting Sun, 11/14/2010 - 15:36

Cisco Foundation Learning Guide pg 347 - "switchport port-security mac-address sticky" command cannot be used on ports where voice VLANs

are configured...(although the book does not elaborate as to why not...)


This Discussion