Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VOIP and port security with mac sticky not working as expected using max 1 vlan access

Hello,  Our VoIP phones with PC connected trip port security because phone registers it's MAC in the Access VLAN before moving into the Voice VLAN.

Please let us know the proper config to make this work and allow only 1 MAC in the Access VLAN!

Cisco 3750x-48P with 15.0(2)SE4 IOS

Nortel 1120E VoIP phone.

Current port security config:

 

interface GigabitEthernet1/0/13

 switchport access vlan 205

 switchport mode access

 switchport voice vlan 411

 switchport port-security maximum 2

 switchport port-security maximum 1 vlan access

 switchport port-security maximum 1 vlan voice

 switchport port-security

 switchport port-security mac-address sticky

 powerinline consumption 8000

 etc.

 


 

2 REPLIES
Green

Hi,Just as a test can you

Hi,

Just as a test can you remove the port security from an interface.

!
int g1/0/13
shut
no  switchport port-security maximum 2
no switchport port-security maximum 1 vlan access
no switchport port-security maximum 1 vlan voice
no switchport port-security
no switchport port-security mac-address sticky
no shut
!

Now look at the mac addresses that are learned on g1/0/13
once the phone has booted and the pc is online

show mac address-table dyn int g1/0/13

Iam sure you will see 3 addresses
2 - the PC & phone in the access vlan
1 - the phone in the voice vlan.

For me that means you have to apply your security as:-

!
int g1/0/13
shut
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
no shut
!

Hope this helps
Regards
Alex

Regards, Alex. Please rate useful posts.
New Member

I figured out the issue.The

I figured out the issue.

The VoIP phones jump into the access VLAN just long enough to trip port security "IF" the VoIP MAC isn't already known by the interface config. 

However, once the VoIP MAC is part of the interface config, things work as expected, and the phone MAC doesn't go into the access VLAN even after rebooting switch with saved config and/or phone.

Removing the VoIP MAC for the interface config with

clear port-security sticky interface

or

clear port-security all

will make the switch have to relearn the VoIP MAC and it will go into the access VLAN for a few seconds and trip port security.

  So don't use those commands to clear port security.  Use this command after finding the MAC address that caused the port security error in the switch log:

clear port-security sticky address xxxx.xxxx.xxxx

Anytime a phone is connected to a port for the very first time, let the phone boot up before connecting the PC so that the phone MAC jumps into the access VLAN and gets moved to the voice VLAN before the PC MAC registers in the access VLAN.

Like I said, once the VoIP MAC is part of the interface config, it doesn't matter if the PC is connected to the phone anymore.  Things work as expected.

:)

 

 

442
Views
0
Helpful
2
Replies