07-04-2012 01:32 AM - edited 03-07-2019 07:36 AM
Dear All,
Please help with the proper configuration that I should use to configure port security on a Cisco 2960 switch with the below setup.
I saw two types of setup and I don't know which one is correct or even better.
1-
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 ! x.x.x.x is the IP phone MAC
 switchport port-security mac-address x.x.x.x vlan voice
 ! y.y.y.y is the PC MAC
 switchport port-security mac-address y.y.y.y
 spanning-tree portfast
2-
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
 ! x.x.x.x is the IP phone MAC (secured on both the voice and the access VLAN)
 switchport port-security mac-address x.x.x.x vlan voice
 switchport port-security mac-address x.x.x.x
 ! y.y.y.y is the PC MAC
 switchport port-security mac-address y.y.y.y
 spanning-tree portfast
My other question, besides the first one of which implementation is better, is: are these commands important to apply?
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
Thanks
Ali
07-04-2012 01:38 AM
Hello Ali.
The second configuration template is more correct because during the IP phone boot phase it will first be in the access data VLAN, and then later it will reboot and be in the voice VLAN.
So you need to take this into account in the port security configuration, providing space for two MAC addresses on the data access VLAN.
With the first configuration you may face issues in case the phone is rebooted with a PC connected to the PC port.
Hope to help
Giuseppe
07-04-2012 01:47 AM
Hi Ali,
Mr Larosa is absolutely right.
The IP Phone can use 2 MAC addresses, so you need to set the appropriate number of maximum MAC addresses. Try to set it to 3.
According to this document:
When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The address of the IP phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.
Regards
please rate if it helps.
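The address counting described in the replies above, as an added example that is not part of the original thread: a Python check that reads an interface stanza and flags port-security maximums too low for a phone that appears on both the access and voice VLANs plus the PCs behind it. The function names, the `pcs_behind_phone` parameter (assumed to be 1) and the embedded stanzas (constructed from the two templates in the question, MAC lines omitted) are assumptions of this example.

```python
import re

# Constructed from the two interface templates in the question (MAC lines omitted).
CONFIG_1 = """\
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 12
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security violation restrict
"""
CONFIG_2 = CONFIG_1.replace("maximum 2\n", "maximum 3\n").replace(
    "maximum 1 vlan access", "maximum 2 vlan access")

MAX_RE = re.compile(
    r"^\s*switchport port-security maximum (\d+)(?: vlan (access|voice))?\s*$")

def parse_limits(stanza):
    """Collect the port-wide and per-VLAN maximums from one interface stanza."""
    # The port-wide maximum defaults to 1 when not configured; per-VLAN
    # maximums are left as None (not set) and skipped by audit().
    limits = {"port": 1, "access": None, "voice": None, "voice_vlan": False}
    for line in stanza.splitlines():
        if re.match(r"^\s*switchport voice vlan \d+", line):
            limits["voice_vlan"] = True
        m = MAX_RE.match(line)
        if m:
            limits[m.group(2) or "port"] = int(m.group(1))
    return limits

def audit(stanza, pcs_behind_phone=1):
    """Return findings for maximums too low for phone + PC(s) on a voice-VLAN port."""
    lim = parse_limits(stanza)
    if not lim["voice_vlan"]:
        return []
    # The phone can be learned once on the access VLAN (boot phase) and once
    # on the voice VLAN; each PC adds one address on the access VLAN.
    need = {"port": 2 + pcs_behind_phone, "access": 1 + pcs_behind_phone, "voice": 1}
    return [f"{scope} maximum {lim[scope]} < {need[scope]}"
            for scope in ("port", "access", "voice")
            if lim[scope] is not None and lim[scope] < need[scope]]

if __name__ == "__main__":
    for name, cfg in (("template 1", CONFIG_1), ("template 2", CONFIG_2)):
        print(name, audit(cfg) or "ok")
```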