
How many MAC’s for Cisco IPT setup

Bill19795_2
Level 1

So I have always used the following config:

switchport port-security maximum 2

But I was on the phone recently with TAC and they said I needed to set it to three maximum. Any idea if this is correct or should I keep

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Bill,

The explanation is that the first phone boot will happen in the untagged data VLAN, so the port may see 3 MAC addresses:

phone and PC MAC address in data VLAN

phone MAC address in voice VLAN

It is enough to shut a port providing PoE to a phone to see this, by using sh mac address-table interface typex/y after no shut several times.

So you need 3 MAC addresses for ports where an IP phone with a PC port connects.

Hope to help

Giuseppe
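An added example, not part of the original reply: a small Python check that counts the entries in `show mac address-table interface` output the way the reply counts them (the phone's MAC once per VLAN, plus the PC) and compares the total with a configured `switchport port-security maximum`. The sample output, the VLAN numbers 10 (data) and 20 (voice), the port name and the MAC addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample output: VLAN 10 = data, VLAN 20 = voice (assumed numbering).
# MACs are from the documentation range; ...5301 plays the phone, ...5302 the PC.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.5e00.5301    DYNAMIC     Gi1/0/5
  10    0000.5e00.5302    DYNAMIC     Gi1/0/5
  20    0000.5e00.5301    DYNAMIC     Gi1/0/5
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port.
ENTRY = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+\S+\s*$",
    re.IGNORECASE,
)

def parse_entries(output):
    """Return the distinct (vlan, mac) pairs found in the table rows."""
    entries = set()
    for line in output.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.add((int(match.group(1)), match.group(2).lower()))
    return sorted(entries)

def summarize(output, maximum):
    """Compare the number of learned entries with a port-security maximum."""
    entries = parse_entries(output)
    vlans_by_mac = defaultdict(list)
    for vlan, mac in entries:
        vlans_by_mac[mac].append(vlan)
    return {
        "entries": len(entries),        # what the reply counts: 3
        "devices": len(vlans_by_mac),   # physical devices: phone + PC
        "multi_vlan_macs": sorted(m for m, v in vlans_by_mac.items() if len(v) > 1),
        "fits": len(entries) <= maximum,
    }

if __name__ == "__main__":
    for limit in (2, 3):
        print(limit, summarize(SAMPLE_OUTPUT, limit))
```
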

So what about using something like this:

switchport port-security aging time 60
switchport port-security aging type inactivity 

switchport port-security maximum 2

I know if I leave it at maximum 3 I will get asked why I am leaving the possibility open for a rogue device to be plugged in. If I have to allow a third MAC I might as well not put port-security on the ports.

Just a rough thought: a rogue user may connect other rogue devices in place of the phones or PC.

>>switchport port-security maximum 2

The command merely restricts to 2 devices per port, not to specific devices.


An alternative solution, though it is not scalable. Managing a small number may still be OK.

>switchport port-security mac-address c_address>
>switchport port-security mac-address

A better solution may be 802.1x.
