06-28-2010 11:07 AM - edited 03-06-2019 11:47 AM
So I have always used the following config:
switchport port-security maximum 2
But I was on the phone recently with TAC and they said I needed to set it to three maximum. Any idea if this is correct or should I keep
06-28-2010 11:33 AM
Hello Bill,
The explanation is that the first phone boot happens in the untagged data VLAN, so the port may see 3 MAC addresses:
phone and PC MAC addresses in the data VLAN
phone MAC address in the voice VLAN
It is enough to shut a port providing PoE to a phone to see this, using sh mac address-table interface typex/y after no shut, several times.
So you need 3 MAC addresses for ports where an IP phone with a PC port connects.
Hope to help
Giuseppe
06-28-2010 12:33 PM
So what about using something like this:
switchport port-security aging time 60
switchport port-security aging type inactivity
switchport port-security maximum 2
I know if I leave it at maximum 3 I will get asked why I am leaving the possibility open for a rogue device to be plugged in. If I have to allow a third MAC I might as well not put port-security on the ports.
06-29-2010 12:19 AM
Just a rough thought: a rogue user may connect other rogue devices in place of the phones or PC.
>>switchport port-security maximum 2
The command merely restricts to 2 devices per port, not to specific devices.
An alternative solution, though it is not scalable; managing a small number may still be okay.
>switchport port-security mac-address
>switchport port-security mac-address
A better solution may be 802.1X.
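As an added example (not configuration posted by anyone in this thread), this is the interface configuration that follows from the explanation above: the total stays at 3 so the phone's boot through the data VLAN does not trigger a violation, while per-VLAN maximums (a Catalyst IOS option the thread does not mention) cap the voice VLAN at one address and the data VLAN at two, so the third slot is not free for an extra device on either VLAN. Interface name, VLAN IDs and description are assumed values.

```cisco
! Constructed example: IP phone with a PC behind it on a Catalyst access port
interface GigabitEthernet1/0/10
 description Phone + PC (assumed interface and VLAN numbers)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 switchport port-security
 ! Total of 3: phone seen in the data VLAN during boot, PC in the data VLAN,
 ! phone again in the voice VLAN once it learns the voice VLAN via CDP
 switchport port-security maximum 3
 ! Per-VLAN caps: at most 2 addresses untagged (phone at boot + PC),
 ! at most 1 address tagged with the voice VLAN (the phone)
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 ! Drop offending frames and log/SNMP-trap instead of err-disabling the port
 switchport port-security violation restrict
 ! Let the phone's stale data-VLAN entry age out once it has moved to the voice VLAN
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! Verification after a shut / no shut of the port:
!   show port-security interface GigabitEthernet1/0/10
!   show port-security address
!   show mac address-table interface GigabitEthernet1/0/10
```

The `show port-security address` output lists each secure MAC together with its VLAN, which is how you confirm the phone is counted twice (once per VLAN) rather than a third unknown device being present.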