How many MACs for Cisco IPT setup

Jun 28th, 2010

So I have always used the following config:

switchport port-security maximum 2

But I was on the phone recently with TAC and they said I needed to set it to three maximum. Any idea if this is correct or should I keep

Giuseppe Larosa Mon, 06/28/2010 - 11:33

Hello Bill,

The explanation is that the first phone boot happens in the untagged data VLAN, so the port may see 3 MAC addresses:

phone and PC MAC address in the data VLAN

phone MAC address in the voice VLAN

It is enough to shut a port providing PoE to a phone and then run sh mac address-table interface typex/y several times after the no shut to see this.

So you need 3 MAC addresses on ports where an IP phone with a PC connects.


Hope to help

Giuseppe
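As an added example (not part of the thread), a small Python check that applies Giuseppe's point to constructed `show mac address-table interface` output: port security counts every (VLAN, MAC) pair learned on a port, so a phone seen in both the data and voice VLAN plus its PC gives three entries, and `maximum 2` would trip a violation on that port. The table text, MAC addresses and port names are constructed, not captured from a real switch.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table interface" output in the
# usual Catalyst column layout (Vlan, Mac Address, Type, Ports). Not real
# data. Fa0/1 shows the boot sequence described in the thread: phone and
# PC learned in data VLAN 10, then the phone again in voice VLAN 100.
# Secured addresses appear as STATIC once port security has learned them.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    STATIC      Fa0/1
  10    0022.3344.5566    STATIC      Fa0/1
 100    0011.2233.4455    STATIC      Fa0/1
  10    0033.4455.6677    DYNAMIC     Fa0/2
"""

# One table row: VLAN id, dotted-hex MAC, type, port. Header/separator lines
# do not start with a VLAN number, so they are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return {port: set of (vlan, mac)} parsed from the table text."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            entries[port].add((int(vlan), mac.lower()))
    return dict(entries)

def secure_address_count(entries, port):
    """Port security counts each (VLAN, MAC) pair on the port separately,
    so the same phone MAC in the data and voice VLAN counts twice."""
    return len(entries.get(port, set()))

def ports_exceeding(entries, maximum):
    """Ports whose learned pairs exceed 'switchport port-security maximum'."""
    return sorted(p for p, s in entries.items() if len(s) > maximum)

if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    for port in sorted(table):
        print(port, secure_address_count(table, port))
    print("would violate with maximum 2:", ports_exceeding(table, 2))
    print("would violate with maximum 3:", ports_exceeding(table, 3))
```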

Bill19795_2 Mon, 06/28/2010 - 12:33

So what about using something like this:

switchport port-security aging time 60
switchport port-security aging type inactivity
switchport port-security maximum 2

I know if I leave it at maximum 3 I will get asked why I am leaving the possibility open for a rogue device to be plugged in. If I have to allow a third MAC I might as well not put port-security on the ports.

cashqoo Tue, 06/29/2010 - 00:19

Just a rough thought: a rogue user may connect other rogue devices in place of the phone or PC.

>>switchport port-security maximum 2

The command merely restricts the port to 2 devices, not to specific devices.


An alternative solution, though it is not scalable; managing a small number may still be okay.

>switchport port-security mac-address <mac_address>
>switchport port-security mac-address


A better solution may be 802.1X.
