VoIP Phones on Voice VLAN with IP Source Guard

jbond00747 · ‎10-09-2008

I'm running into a problem with VoIP phones not working properly when the port they are connected to is configured with "ip verify source port-security". It appears the phone boots and gets an IP address, but beyond that it just hangs. I do not have DHCP snooping enabled for the voice vlan, but enabling it doesn't seem to make any difference. (No IP binding shows up even when DHCP snooping is enabled on the voice vlan.) The switch in question is a 3750 running 12.2(44)SE2. Is there any way I can make this work short of turning off IP source guard?

CHRIS CHARLEBOIS · ‎10-09-2008

Well, let's get some more informtaion before we throw out source guard. Did you enable the DHCP snooping on the data and voice VLANs? Have you tried staticly assigning the IP source bindings? Can you configure a eniffer on a span port to see what is actually happening on that port?

jbond00747 · ‎10-09-2008

DHCP snooping is already on the data vlan, and the switch shows a binding on the port. Enabling DHCP snooping on the voice vlan doesn't change anything. (As I mentioned, I don't see a binding on the voice vlan on that port even with it DHCP snooping enabled for the voice vlan.) I haven't tried doing a static binding, and that isn't a good long term solution as I don't want to put my phones on static IPs. I'll track down the phone IP and try that to see if it is a short term fix. As far as using an RSPAN to sniff the port, will I see the traffic before or after the port-based ACL is applied?

jbond00747 · ‎10-09-2008

I just tried putting in a static source binding and it doesn't work. I put in the static source binding and then added the "ip verify source port-security" line to the interface. Once I did that the phone lost connectivity and started displaying "Registering". After a few seconds that went away and it just sat there. The only stuff on the display was the normal lines it draws across the screen. Nothing was on the lines. (This is a 7941.) As soon as I turned that option back off, it was able to reconnect to the call manager and everything came back to normal.

Interestingly the output of "show ip verify source" didn't show anything for my voice vlan while I had it enabled for the port. It only shows a line for the data vlan.

jason_majie · ‎11-11-2010

after two years, i have hit into the same problem

Any one found a solution already?

thanks

MARVIN SPITERI · ‎11-04-2011

I have same issues - DHCP snooping tables working ARP inspection working - and data no issues - however on Cisco Phones - when I enable 'ip source verify' phones have problems registering - as soon as I remove this line they work perfectly - I then changed this to 'ip source verify portsecurity' and they worked - but now I have intermittent issues - some phones still get stuck on registering... I am using DHCP for the phones - they are getting an IP and I see them in IP dhcp binding table ..

jason_majie · ‎11-07-2011

try upgrade to the newest verison of IOS, last time cisco tec told me it was a bug and resolved the new version. I tested with the new iso and it works fine

Computime SCC · ‎11-08-2011

I just had to rollback from 15 to

Release:12.2.55-SE4

as there is a bug with 15 ....on some switches it gets out of memory ...:( could not even console to it - this is rather erratic as I had different switches some still worked although memory goes from 40% to 80% - others just keep working but are not managable ...

so IOS upgrade is out of the question for me!

any other ideas are welcome ...