
Why do switches maintain phone MAC in data vlan in MAC table?

Paul Morgan
Level 1

 

Probably an easy answer this one.

I'm doing some mentoring with new recruits to the network support team and need a technical answer.

We are using C2960s with voice and data vlans on all ports.

The switches add the phone's MAC to the data vlan and voice vlan in the MAC Address tables. But why doesn't the phone MAC time out from the data vlan?

 

So as seen below, vlan169 for phones, vlan177 for data.

 

DEPOT2960A#sh mac add int g1/0/35
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 169    0800.0f34.162e    DYNAMIC     Gi1/0/35
 177    0800.0f34.162e    DYNAMIC     Gi1/0/35
Total Mac Addresses for this criterion: 2

 

Shouldn't the MAC learned in vlan177 time out since the phone is now running on vlan169?

Thanks,

Paul

 

 


Gordon Ross
Level 9

My guess would be the CDP/LLDP packets the phone sends & receives.

 

GTG


kylebrogers
Level 4

If the switchport has access vlan 177 and voice vlan 169 on it, the phone will tag voice traffic as 169 and send it out its interface, which is why you see the 169 reference.  It will send CDP traffic and any traffic from a PC that is routed through the phone on VLAN 177, but originating from the same MAC. If you don't have a PC attached, the initial CDP will still come on the data VLAN.

When the phone is first plugged in (or as soon as it starts a reboot) it sends a CDP to the switch to say "I'm a Cisco phone. Here is my info and I need X.X Watts of power sent to me." Because the phone hasn't received any info from the switch yet to tell it what the voice VLAN will be, this traffic will be passed untagged from the phone to the switch and the switchport will put that layer 2 CDP traffic on the data VLAN. I'm guessing subsequent CDP traffic probably goes to both VLANs since the link between the phone and the switch is essentially a trunk. You don't issue a switchport mode trunk command (unless you do things the old way) and it won't show up as a trunk but the switch will treat it like a trunk as soon as you give it a voice VLAN.

Hopefully that made some sense.

Paul Morgan
Level 1

Thanks so far for your replies but this doesn't go beyond what is already known. The phone contacts the switch 'blind' with CDP and then moves into the phone vlan.

Once in the phone vlan (169), why does the MAC remain in the MAC table on the data vlan? Why does any contact come from the phone on the data vlan (if that is what is happening)?

 

Thanks.

What I was trying to explain in my post was that the phone is technically using a trunk to the switch. The 2 VLANs on that trunk are the data VLAN and the voice VLAN. The phone is maintaining a layer 2 presence on both of those VLANs at all times so it should be sending CDP info both tagged (with the voice VLAN) and untagged (gets put on the data VLAN by the switch port) at all times. It's sending CDP on both VLANs.

Hi Kyle,

 

thanks again.

So if the switch maintains the phone's MAC in its MAC and ARP tables on the data vlan, does that mean the phone receives all broadcast traffic on that vlan? Is that desirable?

It would receive ARP broadcasts (since it has layer 2 connectivity), but would never respond since its layer 3 interface is on the voice VLAN and not the data VLAN. So broadcasts to the FFFF.FFFF.FFFF MAC would be received.

I don't believe it would receive any IP broadcasts because it doesn't have an IP in the data subnet to  receive it on.  So layer 3 broadcasts to the broadcast IP of the data subnet should not be received.  

I believe that's how it should be, but I'm going to do some digging.  I don't believe L3 broadcasts simply drop down to L2 to perform the broadcast, but it's been years since I've looked at the details of basic IP broadcasting.  I'll let you know what I find.  

As for the desirability of that behavior, it's not different than what happens to a data-only port.  You need the PC behind the phone to be able to receive broadcasts (or at least they wouldn't want to cut off your ability to receive them).  If you had a situation where you were only going to have a phone on a port you could just take "switch port access VLAN XXX" off of the port and that should stop it from registering in the ARP table under the data VLAN.  You could also disable the PC port for the phone in Call Manager.

Ok thanks for your help.

I think the phone and the phone's internal switch are causing this issue as the switch, as you said, will be maintaining a trunk port so would need contact on both vlans. This is possibly why even without a PC attached, it still transmits on both vlans.

I'll explain it that way.

Many thanks.
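
An added example, not part of the original thread: a small audit helper that parses `show mac address-table` output and labels each MAC on a port by whether it was learned in the voice VLAN, the data VLAN, or both, which is the pattern the thread explains. VLAN IDs 169 and 177 and the first two table rows come from the thread; the third row (a PC behind the phone) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches data rows of IOS "show mac address-table" output, e.g.
#  169    0800.0f34.162e    DYNAMIC     Gi1/0/35
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return {(port, mac): set of VLAN ids} from MAC table output."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and "Total ..." lines do not match
            vlan, mac, _entry_type, port = m.groups()
            seen[(port, mac.lower())].add(int(vlan))
    return dict(seen)

def classify(text, voice_vlan, data_vlan):
    """Label each (port, mac) by the VLANs it was learned in."""
    labels = {}
    for key, vlans in parse_mac_table(text).items():
        if {voice_vlan, data_vlan} <= vlans:
            # Same MAC seen tagged and untagged: the phone itself.
            labels[key] = "voice+data"
        elif vlans == {data_vlan}:
            # Untagged only: typically a PC behind the phone's PC port.
            labels[key] = "data-only"
        elif vlans == {voice_vlan}:
            labels[key] = "voice-only"
        else:
            labels[key] = "other"
    return labels

# First two rows are from the thread; the third row is constructed.
SAMPLE = """
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 169    0800.0f34.162e    DYNAMIC     Gi1/0/35
 177    0800.0f34.162e    DYNAMIC     Gi1/0/35
 177    0021.aabb.ccdd    DYNAMIC     Gi1/0/35
Total Mac Addresses for this criterion: 3
"""

if __name__ == "__main__":
    for (port, mac), label in sorted(classify(SAMPLE, 169, 177).items()):
        print(f"{port:10} {mac}  {label}")
```
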
