Ankur, I remeber being told that when you put port security on a phone port, you should allow for three MAC addresses: one for the phone, one for the PC, and one for the internal mini-switch. Do I understand from this that the phone and the switch are actually the same MAC address? As far as port security is concerned, does this count as three addresses because it is on different VLANs.

Kevin Dorrell

Luxembourg

Hi Kevin,

Yes you are correct. Basically the reason it ask to configure 3 mac address is presuming 2 mac addresses will be learned from the ip phone one on voice vlan and one on data vlan and the third can be variable because you can connect more than 1 machine, connecting a switch instead of machine and then connecting multiple machines on that switch.

Regards,

Ankur

HI Kevin,

On my network, VoIP & PC are both connected to same switchport. When I assign port security, with single mac-add allowed on port, the port shutdown which is obvious. but when I allow 2 mac's, then things work perfectly.

The question is, why allow 3 mac's when practically its working with 2 mac's allowed.

Hi Narayan,

Which switch model the ip phones are connected? Also can you post the "sh run int "?

Regards,

Ankur

Its 2950 & 2960 switch.

Do you see the three MAC addresses in the show mac-address-table like in the orginal posting?

I am not yet 100% clear about this behavior. I wonder if there are different models of phone that behave in different ways.

I am relying on you guys to tell me about it because I have no Cisco phones to get direct experience from.

Kevin Dorrell

Luxembourg

Hi all,

Thanks very much for the reply. We use 3770 switches. Here's the result from my testing.

If port-security is implemented, with max over 2 (ie 10), it will only learned 2 mac address, PC mac on the data vlan and phone mac on the voice vlan. If a max of 2 is specified, it will work.

If NO port-security is implemented, it will learned 3 mac address, pc mac on the data vlan and phone mac on the data vlan and voice vlan (as posted earlier).

The behavior is quite strange. Can you explain this?

Thanks.

PF

Hi PF/Narayana,

Can you confirm me which release are you running on your switches. It will be great if you can update the release which you have with the exact model number of your switch and ip phones. I just had a glance and seems that some behavior is been changed in some latest releases.

Once I get an update from you people I will try to get the exact behavior.

Regards,

Ankur

Hi PF/Narayana/Kevin,

I found something which may be helpfull for all

Bug ID : CSCea80105

When a Cisco IP Phone is connected to the switch, its MAC address is learned on both the port VLAN identification (PVID) and the voice VLAN identification (VVID). However, when the dynamic MAC addresses are either manually or automatically removed due to a topology change or enabling or disabling the port security or IEEE 802.1x feature, the Cisco IP Phone's MAC address will only be re-learned on the VVID. This occurs when the Cisco IP Phone is connected to a Cisco Catalyst 2970, 3560, or 3750 and the Cisco IP Phone is using software without the fix for Bug: CSCed84163.

When configured for a Voice VLAN, the phone sends untagged Cisco Discovery Protocol (CDP) packets and tagged voice packets. All frames from any devices connected to the Cisco IP Phone are sent tagged with the access VLAN ID. Catalyst 2970, 3560, and 3750 switches do not populate the secure address-table with the source MAC address from CDP packets.

The workaround is that when using Cisco IP Phones with the fix for CSCed84163 and port-security configured on the switchport, configure switches with one secure address for the phone, plus additional MAC addresses for any devices connected to the Cisco IP Phone.

HTH

Ankur

*Pls rate all helpfull post

Ankur,

The model number is WS-C3750-48PS-S and the version is 12.2(25)SEE2.

Thanks.

PF

Hi PF,

My last post should answer/explain the behvaior what you observed.

HTH

Ankur

Ankur,

If you leave it the way it is (no port-security implemented), mac-add of the IP phone on the voice vlan and the data vlan, wil this cause any performance issue?

With port security implemented, mac-add of the IP phone only appears on the voice vlan. Does this mean implementing the port security is masking the problem?? Is configuring SECURE MAC necessary as mentioned in the workaround?

I am just trying to understand this more.

Thanks.

PF