IP Phone and port-security protect mode, phone re-registering

Unanswered Question
Jul 22nd, 2010

Hi all,

I've been troubleshooting this issue for the last week. We have 5x WS-C3750-48P switches in a stack with

Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(52)SE

and 7941 IP Phones with Firmware: TERM41.7-0-3-0S

Have tried the following firmware as well, with the same result: SCCP41.8-4-3S


Switchport configuration:

interface FastEthernet5/0/22
 description DESKTOP & VOIP PORT
 switchport access vlan 303
 switchport mode access
 switchport voice vlan 4
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 5
 switchport port-security violation protect
 ip access-group 100 in
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 no mdix auto
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 spanning-tree portfast


Problem description:

For some reason, once in a while the switch sees the MAC address of the phone in both VLANs, data and voice, like this:

MOR-SBE-ASW03#show port-security interface f5/0/22 address
          Secure Mac Address Table
Vlan    Mac Address       Type                     Ports      Remaining Age
----    -----------       ----                     -----      -------------
303     001e.135c.efe4    SecureDynamic            Fa5/0/22   5
303     0026.b9ce.a499    SecureDynamic            Fa5/0/22   5

Total Addresses: 2

And therefore the phone can't communicate with the CallManager, therefore trying to re-register.

But it can't re-register until the Aging time on the switchport ages out the MAC on vlan 303 (data), and if we're lucky then it learns it on VLAN 4 just in time to register the phone.

I can't reproduce the problem. It happens quite a few times per day.

It does not happen to all the phones on this switch. Only to some of them.

Have done the following troubleshooting steps:

1) If I remove port-security it works fine.

2) If I put port-security violation mode shutdown/restrict, it works fine too. It seems to happen with only protect mode.

3) It does not happen to all phones.


I do not understand why the switch learns the phone's MAC in Data VLAN 303. It should appear only in the voice VLAN.

Will appreciate any help,



sufle Thu, 07/22/2010 - 06:45

Just to add more thoughts.

port-security should be triggered only if MAC addresses exceed the MAX defined per port.

So if it sees the IP phone's MAC address twice, say in Access VLAN and Data VLAN, it should still consider it as only 1 MAC address + 1 PC MAC address and should not start protecting the port.

But for some reason, this does not happen with violation action: "protect".
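
Added example, not part of the original thread: a small Python check that parses `show port-security interface ... address` output and flags the state shown in the first post, where every secure-address slot on the port is used and none of the entries is in the voice VLAN. The function names are hypothetical, and the voice VLAN (4) and maximum (2) are passed in from the posted port configuration; collecting the output from the switch is assumed to happen elsewhere.

```python
import re
from collections import defaultdict

# Table quoted in the first post (blank lines collapsed).
SAMPLE = """\
Vlan    Mac Address       Type                     Ports   Remaining Age
----    -----------       ----                     -----   -------------
303    001e.135c.efe4    SecureDynamic            Fa5/0/22     5
303    0026.b9ce.a499    SecureDynamic            Fa5/0/22     5
Total Addresses: 2
"""

# One table row: VLAN, dotted MAC, entry type, port, optional remaining age.
ROW = re.compile(
    r"^[ \t]*(?P<vlan>\d+)[ \t]+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})[ \t]+"
    r"(?P<type>\S+)[ \t]+(?P<port>\S+)(?:[ \t]+(?P<age>\d+))?",
    re.I | re.M,
)


def parse_secure_table(text):
    """Return {port: [(vlan, mac, type), ...]} from the secure MAC table."""
    ports = defaultdict(list)
    for m in ROW.finditer(text):
        ports[m["port"]].append((int(m["vlan"]), m["mac"].lower(), m["type"]))
    return dict(ports)


def starved_voice_ports(text, voice_vlan, maximum):
    """Ports where all secure slots are used and none is in the voice VLAN."""
    findings = []
    for port, rows in sorted(parse_secure_table(text).items()):
        in_voice = [r for r in rows if r[0] == voice_vlan]
        if len(rows) >= maximum and not in_voice:
            findings.append((port, [f"{vlan}:{mac}" for vlan, mac, _ in rows]))
    return findings


if __name__ == "__main__":
    for port, entries in starved_voice_ports(SAMPLE, voice_vlan=4, maximum=2):
        print(f"{port}: no secure address in voice VLAN, slots held by {entries}")
```

Run against periodic captures of the table, this gives a timestamped record of when a port enters this state, which helps with a fault that cannot be reproduced on demand.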


