06-28-2010 11:07 AM - edited 03-06-2019 11:47 AM
So I have always used the following config:
switchport port-security maximum 2
But I was on the phone recently with TAC and they said I needed to set it to three maximum. Any idea if this is correct or should I keep
06-28-2010 11:33 AM
Hello Bill,
The explanation is that the first phone boot will happen in the untagged data VLAN, so the port may see 3 MAC addresses:
- phone and PC MAC addresses in the data VLAN
- phone MAC address in the voice VLAN
It is enough to shut a port providing PoE to a phone and then no shut it several times, and check with sh mac address-table interface typex/y, to see this.
So you need 3 MAC addresses for ports where an IP phone with a PC port connects.
Hope to help
Giuseppe
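As an added illustration of the count Giuseppe describes (example code written for this thread, not from Cisco or any poster), here is a small parser for the output of sh mac address-table interface that tallies what port-security would see on a phone+PC port. The sample output, the interface name Gi1/0/5, the VLAN numbers and the MAC addresses are all constructed; the counting follows the thread's reasoning that the phone MAC learned in both the data and the voice VLAN counts as two entries.

```python
import re
from collections import Counter

# Constructed sample of "show mac address-table interface Gi1/0/5" output in
# IOS layout (not captured from a real switch). VLAN 10 = data, VLAN 20 = voice.
# The phone (001e.f7aa.bbcc) shows up in both VLANs after a reboot; the PC only in VLAN 10.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    001e.f7aa.bbcc    DYNAMIC     Gi1/0/5
  20    001e.f7aa.bbcc    DYNAMIC     Gi1/0/5
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id (or "All"), dotted-quad MAC, entry type, port name.
ENTRY_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((vlan, mac.lower(), kind.upper(), port))
    return entries


def port_summary(entries, port):
    """Tally one port the way the thread counts it: each (vlan, mac) pair is one
    entry, so a phone learned in the data and the voice VLAN counts twice."""
    on_port = [e for e in entries if e[3] == port]
    return {
        "entries": len(on_port),
        "distinct_macs": len({e[1] for e in on_port}),
        "per_vlan": dict(Counter(e[0] for e in on_port)),
    }


def would_violate(entries, port, maximum):
    """True if the learned entries exceed 'switchport port-security maximum <maximum>'."""
    return port_summary(entries, port)["entries"] > maximum


if __name__ == "__main__":
    ents = parse_mac_table(SAMPLE_OUTPUT)
    print(port_summary(ents, "Gi1/0/5"))
    for mx in (2, 3):
        print(f"maximum {mx}: violation={would_violate(ents, 'Gi1/0/5', mx)}")
```

Run against real output pasted from the switch, the summary shows whether a given maximum would have tripped on that port after a phone reboot.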
06-28-2010 12:33 PM
So what about using something like this:
switchport port-security aging time 60
switchport port-security aging type inactivity
switchport port-security maximum 2
I know if I leave it at maximum 3 I will get asked why I am leaving the possibility open for a rogue device to be plugged in. If I have to allow a third MAC I might as well not put port-security on the ports.
06-29-2010 12:19 AM
Just a rough thought: a rogue user may connect other rogue devices in place of the phone or PC.
>>switchport port-security maximum 2
The command merely restricts the port to 2 devices, not to specific devices.
An alternative solution, though it is not scalable; managing a small number may still be okay.
>switchport port-security mac-address
>switchport port-security mac-address
A better solution may be 802.1x.