How many MAC’s for Cisco IPT setup

Bill19795_2
Level 1

So I have always used the following config:

switchport port-security maximum 2

But I was on the phone recently with TAC and they said I needed to set it to three maximum. Any idea if this is correct or should I keep

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Bill,

The explanation is that the first phone boot will happen in the untagged data VLAN, so the port may see 3 MAC addresses:

phone and PC MAC address in data VLAN

phone MAC address in voice VLAN

It is enough to shut a port providing PoE to a phone to see this, by using sh mac address-table interface typex/y after no shut several times.

So you need 3 MAC addresses for ports where an IP phone with a PC port connects.

Hope to help

Giuseppe
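
The check described in the reply above can be scripted. This is an added example, not part of the original thread: it parses `show mac address-table interface` output and counts entries per VLAN/MAC pair against a port-security maximum. The sample output, the VLAN IDs (10 data, 110 voice), the MAC addresses and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `show mac address-table interface` output for a port
# with an IP phone and a PC behind it. VLAN 10 (data), VLAN 110 (voice) and
# every MAC address here are made-up values.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    001b.d4aa.bbcc    DYNAMIC     Gi1/0/5
 110    001b.d4aa.bbcc    DYNAMIC     Gi1/0/5
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port name.
ENTRY = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+\S+\s*$", re.I
)

def parse_entries(text):
    """Return the (vlan, mac) pairs listed in the table, skipping headers."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            pairs.append((int(m.group(1)), m.group(2).lower()))
    return pairs

def audit_port(text, data_vlan, voice_vlan, configured_max):
    """Compare the entries seen on a port with a port-security maximum."""
    entries = set(parse_entries(text))
    vlans_by_mac = defaultdict(set)
    for vlan, mac in entries:
        vlans_by_mac[mac].add(vlan)
    # A MAC present in both VLANs matches the phone behaviour described in
    # the reply: untagged in the data VLAN at boot, then in the voice VLAN.
    both = sorted(m for m, v in vlans_by_mac.items() if {data_vlan, voice_vlan} <= v)
    return {
        "entries": len(entries),            # each VLAN/MAC pair is one entry
        "distinct_macs": len(vlans_by_mac),
        "in_both_vlans": both,
        "exceeds_max": len(entries) > configured_max,
    }

if __name__ == "__main__":
    for limit in (2, 3):
        print(limit, audit_port(SAMPLE_OUTPUT, 10, 110, limit))
```

On the constructed sample, two physical devices produce three table entries, which is the situation the reply attributes to a phone with a PC behind it.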

So what about using something like this:

switchport port-security aging time 60
switchport port-security aging type inactivity 

switchport port-security maximum 2

I know if I leave it at maximum 3 I will get asked why I am leaving the possibility open for a rogue device to be plugged in. If I have to allow a third MAC I might as well not put port-security on the ports.

Just a rough thought: a rogue user may connect other rogue devices in place of the phones or PC.

>>switchport port-security maximum 2

The command merely restricts to 2 devices per port, not to specific devices.


An alternative solution, though it is not scalable. Managing a small number may still be OK.

>switchport port-security mac-address <mac_address>
>switchport port-security mac-address

A better solution may be 802.1x.
