Port Security

a.hajhamad · ‎09-17-2007

Hi,

I'm configuring a 3560 switch port for port security using Sticky, from my reading, we can't use sticky mac for voice vlan, and we need to set the maximum mac-addresses to min 3 since two mac-addresses will be used by Cisco ip phone and the third for my laptop.

My question, i connected a Cisco ip phone to the switch port and my laptop connected to the ip phone, only one mac address is appeared at the running config for voice vlan and one for my laptop, so why Cisco talks that we need to define two mac addresses for IP phone?

Thanks in advance

Abd Alqader

Hieu Cao · ‎09-17-2007

I encountered the same issue as you have, so I set it to "2", and it worked just fine...

hieu

szahid · ‎09-17-2007

this was a bug. It has been fixed in 12.2(25)SEE images and later . The bug id is CSCea80105 . After the fix of this bug , you should not have to configure 3 mac addresses and 2 mac-addresses should work fine in this env.

thanks

Salman.

szahid · ‎09-17-2007

We actually encountered another bug in 12.2(35)SE1 and 12.2(37)SE in which case the 2 macs per interafce ( 1 for vvlan and 1 for data vlan) did not work. That bug got resolved in 12.2(40)SE . the bug id is CSCsj47067. In short , you will need 12.2(40)SE if you want to have 2 mac-addresses maximum per interface ( 1 for voice and 1 for data ).

Thanks

Salman.

a.hajhamad · ‎09-17-2007

Thanks Salman. I will check the IOS.

I will get back to you later.

thanks again

Abd Alqader

a.hajhamad · ‎09-19-2007

Hi Salman,

I upgraded the Cisco 3560 from 12.2(25)SEE2 to c3560-ipbase-mz.122-40.SE. Sorry, negative, still the Cisco IP Phone MAC address is found at Data Vlan & Voice VLAN.

Please see the details below

---

Data VLAN: 28

Voice VLAN: 29

With IOS ver IPBASE-M 12.2(25)SEE2

? Before Connecting the IP Phone, only my laptop is connected

Port_S#show mac-address-table interface fastEthernet 0/1

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

28 0014.c2de.270c DYNAMIC Fa0/1

Total Mac Addresses for this criterion: 1

Port_S#

? After Connecting the IP Phone

Port_S#show mac-address-table interface fastEthernet 0/1

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

28 0014.c2de.270c DYNAMIC Fa0/1

28 0019.e883.44b1 DYNAMIC Fa0/1

29 0019.e883.44b1 DYNAMIC Fa0/1

Total Mac Addresses for this criterion: 3

Port_S#

Conclusion: The Cisco IP Phone has one mac address assigned to Data VLAN and the same mac assigned to the voice vlan.

After upgrading the IOS from 12.2(25)SEE2 to c3560-ipbase-mz.122-40.SE

Port_S#

Port_S#show mac-address-table interface fastEthernet 0/1

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- -------- -----

28 0014.c2de.270c DYNAMIC Fa0/1

28 0019.e883.44b1 DYNAMIC Fa0/1

29 0019.e883.44b1 DYNAMIC Fa0/1

Total Mac Addresses for this criterion: 3

Conclusion: The Cisco IP Phone has one mac address assigned to Data VLAN and the same mac assigned to the voice vlan.

As a total, we need 3 mac addresses.

Which means the IOS 12.2(40)SE did not solve this problem.

Thanks

Abd Alqader