Port Security static entries timing out

I manage a large switched campus network with just over 500 Cisco VoIP phones. We have been having problems keeping track of all of the phones and would like to lock them down to a specific port on a specific switch. The goal is to have them work in one place and one place only. The most effective way I have to accomplish this is using port security. Unfortunately, port security will also lock any computer attached to the phone data port, which is not my intention. Previously, I was using port security to limit the secure static addresses on ports to no more than 3 and had static aging enabled to allow computers to move around. From my CCNA studies I remember that you should be able to do static + dynamic port security: if you only specify one MAC address but allow more, the port will continue to learn additional MAC addresses up to the max specified, and only the ones learned dynamically will age. This does not seem to be the case. If I leave static aging on, it not only ages the addresses learned dynamically but also the static one I hard-coded on the port. Does anyone know how I can secure the voice VLAN but leave the access VLAN to age? FYI, we do not have access to the router or the call manager.

This is the configuration I am using on my ports:

interface FastEthernet0/4
 description ##########
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation protect
 switchport port-security aging static
 switchport port-security mac-address 0017.5a95.d48a vlan voice
 no mdix auto
 spanning-tree portfast

The switch I am using in the example above is an 8 port 2960 running 12.2(46)SE C2960-Lanbase-M
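
Added example, not part of the original post: a Python audit that parses IOS interface stanzas and reports every port where `switchport port-security aging static` sits alongside a statically configured secure MAC, the combination in the configuration above. In IOS the `static` keyword is what enables aging for statically configured secure addresses; without it the aging timer applies only to dynamically learned ones. The function names, the second interface and its MAC are constructed for illustration.

```python
import re

# Constructed sample: Fa0/4 mirrors the port in the post; Fa0/5 and its
# MAC are hypothetical, shown without static aging for comparison.
SAMPLE_CONFIG = """\
interface FastEthernet0/4
 switchport access vlan 100
 switchport voice vlan 200
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 1
 switchport port-security aging static
 switchport port-security mac-address 0017.5a95.d48a vlan voice
!
interface FastEthernet0/5
 switchport port-security
 switchport port-security aging time 1
 switchport port-security mac-address 0017.5a95.d48b vlan voice
"""

# Matches a hard-coded secure MAC; "mac-address sticky ..." does not match.
STATIC_MAC = re.compile(
    r"^switchport port-security mac-address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())  # drop indentation, collapse spaces
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            current = None            # "!" closes the stanza
        elif line and current is not None:
            current.append(line)      # blank lines inside a paste are skipped
    return interfaces

def aging_static_findings(config):
    """Return (interface, mac) pairs whose static secure MAC will age out."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport port-security aging static" in cmds:
            macs = (STATIC_MAC.match(c) for c in cmds)
            findings += [(name, m.group(1).lower()) for m in macs if m]
    return findings
```

Run it over saved `show running-config` output; each reported port is one where the pinned phone address expires along with the dynamically learned ones.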