
2960/Avaya IP phone/Port security problem

gizbri
Level 1

This setup has been in place for some time; no new PCs or phones, no changes to switch. Using Avaya IP phones, 2960 POE switch (12.2.44SE6 since upgraded).

Voice VLAN 146 ; PC Vlan 140, below is a typical port config:

interface FastEthernet0/2
 switchport access vlan 140
 switchport mode access
 switchport voice vlan 146
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation protect
 spanning-tree portfast

Port security was never triggered.

Started last week with one phone, a few more yesterday, couldn't contact the DHCP server. Upon review of the mac address table on the switch both devices were assigned to vlan 140. I reset the values on a few phones, re-configured them for VLAN 146 but still did not work.

Removed port security from the ports and the phone jumped onto vlan 146 and now work.

This is a configuration I have in use in many places, any ideas why this would have happened?

Accepted Solutions

Hi,

Sorry for this delayed response.
I wanted to check in my lab today.

On my switch I have shut/noshut int fas 0/25

The phone boots on the DATA vlan 500, it then switches to
the VOICE vlan 501 and re-registers OK

The MAC table shows the MAC address x 2


Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
500    0016.caf2.750a    DYNAMIC     Fa0/25
501    0016.caf2.750a    DYNAMIC     Fa0/25
Total Mac Addresses for this criterion: 2
Desk_2960#

5 Minutes later after the MAC aging time has expired (300 seconds)
The MAC count reduces to 1

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
501    0016.caf2.750a    DYNAMIC     Fa0/25
Total Mac Addresses for this criterion: 1
Desk_2960#


So if you had a PC in the back of the PHONE too then you would see
3 MAC adds for 5 mins after reboot then reducing to 2.

MAC security therefore needs to be set to allow MAX 3 addresses to allow reboots from scratch

I can only suggest that your MAC address security was added after the phones were working.

HTH
Alex
please rate useful posts.
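
As an added illustration (not part of the original post and not Cisco tooling), this Python sketch parses `show mac address-table` output and counts (VLAN, MAC) entries per port, which is how the phone in the lab output above ends up occupying two entries during boot. The function names, the PC MAC address and the configured limit of 2 are assumptions made for the example.

```python
import re
from collections import defaultdict

# The two 0016.caf2.750a rows come from the lab output in the post above;
# the 0024.e8aa.0001 row (a PC behind the phone) is constructed.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 500    0016.caf2.750a    DYNAMIC     Fa0/25
 501    0016.caf2.750a    DYNAMIC     Fa0/25
 500    0024.e8aa.0001    DYNAMIC     Fa0/25
Total Mac Addresses for this criterion: 3
"""

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.I,
)

def parse_mac_table(text):
    """Return {port: set((vlan, mac))}, skipping header and total lines."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            entries[port].add((int(vlan), mac.lower()))
    return dict(entries)

def audit(text, configured_max):
    """Compare entries seen per port with the port-security maximum."""
    report = {}
    for port, pairs in parse_mac_table(text).items():
        vlans_by_mac = defaultdict(set)
        for vlan, mac in pairs:
            vlans_by_mac[mac].add(vlan)
        limit = configured_max.get(port)
        report[port] = {
            # Each (VLAN, MAC) pair is counted as its own entry.
            "needed": len(pairs),
            # MACs present in more than one VLAN, e.g. a booting phone.
            "multi_vlan_macs": sorted(
                m for m, v in vlans_by_mac.items() if len(v) > 1
            ),
            "exceeds_limit": limit is not None and len(pairs) > limit,
        }
    return report

if __name__ == "__main__":
    for port, result in audit(SAMPLE, {"Fa0/25": 2}).items():
        print(port, result)
```

Run it against output captured right after a port bounce, before the 300-second aging time expires, to see the peak count rather than the steady-state one.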


acampbell
VIP Alumni

Hi,

Avaya/Nortel phones boot (DHCP requests) to the DATA Vlan 1st then they move to Voice Vlan

This is normal if option 191 VLAN discovery is set.

The phone does not drop the post on vlan switching

Try changing

switchport port-security maximum 2

to

switchport port-security maximum 3

Regards

Alex


Alex - Thanks for the response. This makes sense to me. I am curious that I have this config in many switches but this is the first time I am running into problems

Alex - Thanks for labbing that up.

Brian

Hi Gurus:

I have a follow-up question from this post!

Pretend you have updated the port security to 3 and successfully connected a laptop to the phone, then imagine you have 2 phones at this site with the exact same switchport settings (and both phones have PCs connected to the back of the phone).

Now pretend that you unplug the laptops from each phone and connect them to the OTHER phone. The laptop will NEVER get a network connection because the switchport security setting 'holds' the MAC address on the switchport, and because the switchport never goes to a 'down/down' status (because the phone is still connected) the switch retains the MAC address on that switchport and gives a port security violation when the laptop connects to the other phone. The only way to 'fix' this problem is to unplug both phones (then the switch 'lets go' of the MAC address) and allows the laptops to connect.

How can we get around this problem so that it automatically allows the laptops to move around and plug into the back of different phones? We have tried aging the port security, but this has caused issues with the phones dropping off too (and wiping their config). The Cisco device is a 3850 running 16.6.4

Thanks in Advance.
