I have 3560Es as my edge switches. All the ports have IP phones connected, with PCs connected to the IP phones. I was looking to implement port-based security.
First of all, is it good practice to use MAC-based security in such an environment? Second, are there any other options to make the ports more secure? Right now the ports are dynamic; when I changed them to static with "switchport mode access" and gave commands like "switchport port-security" and "switchport port-security maximum 2", the port was shut down and there was no LED on it.
What code version are you running on the switch? In some of the older code versions, the switch will learn the IP Phone MAC address both in the data VLAN as well as the voice VLAN. When the IP Phone boots up, it does not know anything about the Voice VLAN. Hence, it just comes up as a regular host and sends untagged packets towards the switch. The switch will receive them in the native VLAN and then handle them accordingly. The IP Phone will get an IP in the data VLAN range first and then contact the TFTP server for the IP Phone configuration. Once it downloads the configuration and learns the voice VLAN, it disassociates itself from the data VLAN and sends a new DHCP request (tagged) on the voice VLAN.

In the latest code (fixed), the switch will remove the IP Phone MAC address association from the Data VLAN. However, in the older code, the switch will not delete the MAC address from the Data VLAN. That is the reason you will see 3 MAC addresses (2 for the IP Phone and one for the PC). So, it is OK to set the limit to 3 as long as the duplicate MAC is the IP Phone's alone.

Hope this helps.
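A 3560-style interface configuration that applies the suggestion above (a total limit of 3 so the phone's duplicate MAC does not trigger a violation), added here as an example and not taken from either poster's switch; the interface name, VLAN numbers, aging values and the choice of `restrict` over the default `shutdown` action are assumptions for illustration.

```cisco
! Assumed interface and VLAN numbers; adjust to the real port and VLANs.
interface GigabitEthernet0/1
 description IP phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 !
 ! Port-security with a total of 3 addresses: the PC, the phone on the
 ! voice VLAN, and (on older code) the phone's duplicate entry in the
 ! data VLAN, as described in the answer above.
 switchport port-security
 switchport port-security maximum 3
 !
 ! 'restrict' drops frames from excess addresses and increments the
 ! violation counter instead of err-disabling the port; the default
 ! 'shutdown' action is what leaves the port with no link LED.
 switchport port-security violation restrict
 !
 ! Age out dynamically learned addresses after 2 minutes of inactivity
 ! so a swapped PC does not count against the limit indefinitely.
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! If the default 'shutdown' action is kept instead, let the switch
! bring err-disabled ports back automatically (300 s default interval).
errdisable recovery cause psecure-violation
```

Verify with `show port-security interface GigabitEthernet0/1` (violation count, last source address) and `show port-security address` to confirm which MACs were learned in which VLAN before tightening the limit.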
That's the way we did it too, but we had to use sticky. It's a real pain, as the port security violations seem to come in waves. We have since rolled out 802.1X for phones and workstations. No more security violations (except when printers are moved).