Port Security

Unanswered Question
Sep 17th, 2007

Hi,

I'm configuring a 3560 switch port for port security using sticky. From my reading, we can't use sticky MAC for the voice VLAN, and we need to set the maximum MAC addresses to a minimum of 3, since two MAC addresses will be used by the Cisco IP phone and the third by my laptop.


My question: I connected a Cisco IP phone to the switch port and my laptop to the IP phone. Only one MAC address appeared in the running config for the voice VLAN and one for my laptop, so why does Cisco say that we need to define two MAC addresses for the IP phone?


Thanks in advance


Abd Alqader

Hieu Cao Mon, 09/17/2007 - 11:57

I encountered the same issue as you have, so I set it to "2", and it worked just fine...


hieu

szahid Mon, 09/17/2007 - 12:03

This was a bug. It has been fixed in 12.2(25)SEE images and later. The bug ID is CSCea80105. After the fix for this bug, you should not have to configure 3 MAC addresses, and 2 MAC addresses should work fine in this environment.


thanks

Salman.

szahid Mon, 09/17/2007 - 12:12

We actually encountered another bug in 12.2(35)SE1 and 12.2(37)SE, in which case the 2 MACs per interface (1 for the voice VLAN and 1 for the data VLAN) did not work. That bug was resolved in 12.2(40)SE. The bug ID is CSCsj47067. In short, you will need 12.2(40)SE if you want to have a maximum of 2 MAC addresses per interface (1 for voice and 1 for data).


Thanks

Salman.

a.hajhamad Mon, 09/17/2007 - 13:06

Thanks Salman. I will check the IOS.

I will get back to you later.


thanks again


Abd Alqader

a.hajhamad Wed, 09/19/2007 - 05:03

Hi Salman,

I upgraded the Cisco 3560 from 12.2(25)SEE2 to c3560-ipbase-mz.122-40.SE. Sorry, negative: the Cisco IP Phone MAC address is still found in both the data VLAN and the voice VLAN.

Please see the details below


---

Data VLAN: 28

Voice VLAN: 29


With IOS ver IPBASE-M 12.2(25)SEE2


• Before connecting the IP phone, only my laptop is connected

    Port_S#show mac-address-table interface fastEthernet 0/1
              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      28    0014.c2de.270c    DYNAMIC     Fa0/1
    Total Mac Addresses for this criterion: 1
    Port_S#



• After connecting the IP phone

    Port_S#show mac-address-table interface fastEthernet 0/1
              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      28    0014.c2de.270c    DYNAMIC     Fa0/1
      28    0019.e883.44b1    DYNAMIC     Fa0/1
      29    0019.e883.44b1    DYNAMIC     Fa0/1
    Total Mac Addresses for this criterion: 3
    Port_S#


Conclusion: The Cisco IP Phone has one MAC address assigned to the data VLAN and the same MAC assigned to the voice VLAN.


After upgrading the IOS from 12.2(25)SEE2 to c3560-ipbase-mz.122-40.SE



    Port_S#
    Port_S#show mac-address-table interface fastEthernet 0/1
              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      28    0014.c2de.270c    DYNAMIC     Fa0/1
      28    0019.e883.44b1    DYNAMIC     Fa0/1
      29    0019.e883.44b1    DYNAMIC     Fa0/1
    Total Mac Addresses for this criterion: 3




Conclusion: The Cisco IP Phone has one MAC address assigned to the data VLAN and the same MAC assigned to the voice VLAN.

As a total, we need 3 mac addresses.

Which means the IOS 12.2(40)SE did not solve this problem.






Thanks


Abd Alqader
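
The count in the last post can be reproduced from the switch output itself. The following is an added example, not part of the thread and not Cisco tooling: a Python parser for the `show mac-address-table interface` output pasted above that counts table entries per port and reports any MAC learned in both the data and voice VLANs. The function names are hypothetical, and the sample text is the output copied from the post.

```python
import re
from collections import defaultdict

# Output copied from the post above (after the IP phone was connected).
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  28    0014.c2de.270c    DYNAMIC     Fa0/1
  28    0019.e883.44b1    DYNAMIC     Fa0/1
  29    0019.e883.44b1    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; headers and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return rows

def port_summary(text, data_vlan, voice_vlan):
    """Per port: table entries, distinct MACs, and MACs seen in both VLANs."""
    per_port = defaultdict(lambda: defaultdict(set))  # port -> mac -> {vlans}
    for vlan, mac, _type, port in parse_mac_table(text):
        per_port[port][mac].add(vlan)
    expected = {data_vlan, voice_vlan}
    summary = {}
    for port, macs in per_port.items():
        seen_vlans = {v for vlans in macs.values() for v in vlans}
        summary[port] = {
            "entries": sum(len(v) for v in macs.values()),  # one per (VLAN, MAC)
            "unique_macs": len(macs),
            "in_both_vlans": sorted(m for m, v in macs.items() if expected <= v),
            "unexpected_vlans": sorted(seen_vlans - expected),
        }
    return summary

if __name__ == "__main__":
    for port, info in port_summary(SAMPLE, data_vlan=28, voice_vlan=29).items():
        print(port, info)
```

For the sample it reports 3 entries from 2 distinct MACs on Fa0/1, with the phone's MAC in both VLAN 28 and VLAN 29, which is the figure the post compares against the configured maximum.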
