
Port Security on Cat 4506 with phone attached

hunnetvl01
Level 1

Hi all,

I have been reading on Cisco that if you want to have port-security enabled on a switchport in a C4500 with both a PC and a phone attached, the maximum number of allowed MACs should be three.

Why is that?

Vlad

7 Replies

mahmoodmkl
Level 7

Hi

Because the IP Phone has a built-in switch which assigns a MAC address, so the total should be 3: PC + IP Phone and the internal switch.

Thanks

Mahmood

Thanks Mahmood,

You mean 2 PCs and 1 phone, no?

The phone has a switch with 2 ports, but anyway it registers in the CAM as 1 MAC, no?

So Phone MAC + PC MAC = 2 MACs on a port at a time.

Maybe I am being paranoid, but it sounds logical to me!

Regards,

Vlad

Hi

No, the MAC address of the phone's internal switch, which will be the same as the phone.

If you look at the MAC address table of an interface which is connected to a PC and phone, you will find three MACs.

Thanks

Mahmood

This is why I got confused:

There are only 2 MACs on each switchport:

sh mac-address-table int fa 5/42
Unicast Entries
 vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
 xx     001e.c936.438e  dynamic  ip                     FastEthernet5/42
 x      0009.6e04.0868  dynamic  ip                     FastEthernet5/42

Vlad

Hi

Can you post the config of the port?

Thanks

Mahmood

a.cruea1980
Level 3

Just a shot in the dark, but I believe this is due to the phone hitting the switch first as an access device, then as a phone device.

If you watch a phone right after it is hooked up to a Cisco switch, it first connects to the switch as a data device, sends CDP packets, gets the voice vlan, then switches over to the voice vlan to do all its operation.

I could well be wrong, though.

This depends on which IOS version configuration guide you read. On 12.2(25)EWA it states the following:

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and might also be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.

So, that is a total of three if you are only going to connect an IP Phone and a PC to the IP Phone's data port.

On later code, they allow you to configure maximum secure addresses per VLAN. You can set a maximum for either the data VLAN or the voice VLAN. You can also set a maximum per port, just as with access ports.
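The two approaches described in the last reply, shown as interface configuration. This is an added example, not part of the original thread or Cisco's guide. VLAN IDs 10 and 110 are constructed, the per-VLAN form assumes a release that supports the `vlan access` / `vlan voice` keywords, and the `violation restrict` line is an added choice.

```cisco
! Constructed example: VLAN 10 (data) and VLAN 110 (voice) are assumed IDs.
!
! Option A: single per-port limit, following the 12.2(25)EWA rule quoted above:
!   maximum = 2 (phone) + secure addresses allowed on the access VLAN (1 PC) = 3
interface FastEthernet5/42
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security maximum 3
 ! restrict drops frames from unknown MACs and logs the violation
 ! instead of err-disabling the port (which would also take the phone down)
 switchport port-security violation restrict
 switchport port-security
!
! Option B: later code with per-VLAN limits (assumes the release supports them).
!   access VLAN: PC + phone (the phone may be learned here before it moves) = 2
!   voice VLAN:  phone = 1
interface FastEthernet5/42
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation restrict
 switchport port-security
!
! Verification from exec mode:
!   show port-security interface FastEthernet5/42
!   show port-security address
!   show mac-address-table interface FastEthernet5/42
```

Seeing only two entries in the MAC address table, as in the output posted earlier, is consistent with a limit of three: the quoted guide says the phone "might also be learned on the access VLAN", so the third slot is headroom for that case.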
