Cisco Support Community
Community Member

query on sh mac-add

Hi,

We have IP phones connected to the 3750 switches, and here is the configuration of one of the ports, fa2/0/27:

interface FastEthernet2/0/27
 switchport access vlan 217
 switchport mode access
 switchport voice vlan 192
 speed 100
 duplex full
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone

Can someone please explain why, when I did a sh mac-add int fa2/0/27, the IP phone MAC address is in both the voice and the data VLAN (see below)?

sh mac-address-table int fa 2/0/27
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 217    000a.b81a.583b    DYNAMIC     Fa2/0/27
 217    0014.85ce.e770    DYNAMIC     Fa2/0/27
 192    000a.b81a.583b    DYNAMIC     Fa2/0/27
Total Mac Addresses for this criterion: 3

TIA.

PF

ACCEPTED SOLUTION
Cisco Employee

Re: query on sh mac-add

Hi PF,

No, it will not cause any performance issues. Once port security is implemented, as per the bug details, the MAC address will only be learned in the voice VLAN. That is correct that implementing the port security is masking the problem, but actually it is not a problem even if the IP phone MAC address is learned in the voice as well as the data VLAN. All traffic of the IP phone will always remain in the voice VLAN only.

The reason it is asking to enter a secure MAC address is because if you do not enter the IP phone MAC address and just give the port security max MAC count, any other machine can also plug in; if the secure MAC address is also entered, then it will bind the port with the IP phone MAC address.

Hope I am able to explain.

Regards,

Ankur

*Pls rate all helpful posts

17 REPLIES
Cisco Employee

Re: query on sh mac-add

Hi PF,

This is expected behavior. The switch does not differentiate data packets vs. control packets (e.g. CDP) when learning MAC addresses.

The IP phone continues to send untagged CDP packets on the access VLAN even after it learns the voice VLAN. That is why the entry on the data VLAN does not age out. If you clear the MAC address table, the IP phone address will be re-learned on the data VLAN when we receive the next CDP packet. IP phones will also send tagged packets on the voice VLAN, so the IP phone's address will also be learned on the voice VLAN.

There was also a bug filed for this behavior, which was junked:

CSCeb59238

HTH

Ankur

*Pls rate all helpful posts

Re: query on sh mac-add

Ankur, I remember being told that when you put port security on a phone port, you should allow for three MAC addresses: one for the phone, one for the PC, and one for the internal mini-switch. Do I understand from this that the phone and the switch are actually the same MAC address? As far as port security is concerned, does this count as three addresses because it is on different VLANs?

Kevin Dorrell

Luxembourg

Cisco Employee

Re: query on sh mac-add

Hi Kevin,

Yes, you are correct. Basically, the reason it asks to configure 3 MAC addresses is presuming 2 MAC addresses will be learned from the IP phone, one on the voice VLAN and one on the data VLAN, and the third can be variable because you can connect more than 1 machine, e.g. connecting a switch instead of a machine and then connecting multiple machines on that switch.

Regards,

Ankur

Re: query on sh mac-add

HI Kevin,

On my network, the VoIP phone and the PC are both connected to the same switchport. When I assign port security with a single MAC address allowed on the port, the port shuts down, which is obvious. But when I allow 2 MACs, then things work perfectly.

The question is, why allow 3 MACs when practically it's working with 2 MACs allowed?

Cisco Employee

Re: query on sh mac-add

Hi Narayan,

Which switch model are the IP phones connected to? Also, can you post the "sh run int "?

Regards,

Ankur

Re: query on sh mac-add

It's a 2950 & 2960 switch.

Re: query on sh mac-add

Do you see the three MAC addresses in the show mac-address-table like in the original posting?

I am not yet 100% clear about this behavior. I wonder if there are different models of phone that behave in different ways.

I am relying on you guys to tell me about it because I have no Cisco phones to get direct experience from.

Kevin Dorrell

Luxembourg

Community Member

Re: query on sh mac-add

Hi all,

Thanks very much for the reply. We use 3770 switches. Here's the result from my testing.

If port-security is implemented with a max over 2 (i.e. 10), it will only learn 2 MAC addresses: the PC MAC on the data VLAN and the phone MAC on the voice VLAN. If a max of 2 is specified, it will work.

If NO port-security is implemented, it will learn 3 MAC addresses: the PC MAC on the data VLAN and the phone MAC on the data VLAN and the voice VLAN (as posted earlier).

The behavior is quite strange. Can you explain this?

Thanks.

PF

Cisco Employee

Re: query on sh mac-add

Hi PF/Narayana,

Can you confirm to me which release you are running on your switches? It would be great if you can update the release which you have with the exact model number of your switch and IP phones. I just had a glance and it seems that some behavior has been changed in some of the latest releases.

Once I get an update from you people I will try to get the exact behavior.

Regards,

Ankur

Cisco Employee

Re: query on sh mac-add

Hi PF/Narayana/Kevin,

I found something which may be helpful for all:

Bug ID : CSCea80105

When a Cisco IP Phone is connected to the switch, its MAC address is learned on both the port VLAN identification (PVID) and the voice VLAN identification (VVID). However, when the dynamic MAC addresses are either manually or automatically removed due to a topology change or enabling or disabling the port security or IEEE 802.1x feature, the Cisco IP Phone's MAC address will only be re-learned on the VVID. This occurs when the Cisco IP Phone is connected to a Cisco Catalyst 2970, 3560, or 3750 and the Cisco IP Phone is using software without the fix for Bug: CSCed84163.

When configured for a Voice VLAN, the phone sends untagged Cisco Discovery Protocol (CDP) packets and tagged voice packets. All frames from any devices connected to the Cisco IP Phone are sent tagged with the access VLAN ID. Catalyst 2970, 3560, and 3750 switches do not populate the secure address-table with the source MAC address from CDP packets.

The workaround is that when using Cisco IP Phones with the fix for CSCed84163 and port-security configured on the switchport, configure switches with one secure address for the phone, plus additional MAC addresses for any devices connected to the Cisco IP Phone.

HTH

Ankur

*Pls rate all helpful posts

Community Member

Re: query on sh mac-add

Ankur,

The model number is WS-C3750-48PS-S and the version is 12.2(25)SEE2.

Thanks.

PF

Cisco Employee

Re: query on sh mac-add

Hi PF,

My last post should answer/explain the behavior which you observed.

HTH

Ankur

Community Member

Re: query on sh mac-add

Ankur,

If you leave it the way it is (no port-security implemented), with the MAC address of the IP phone on the voice VLAN and the data VLAN, will this cause any performance issue?

With port security implemented, the MAC address of the IP phone only appears on the voice VLAN. Does this mean implementing the port security is masking the problem? Is configuring a SECURE MAC necessary, as mentioned in the workaround?

I am just trying to understand this more.

Thanks.

PF


Community Member

Re: query on sh mac-add

Thanks very much Ankur.

PF

Silver

Re: query on sh mac-add

Hello Guys,

Even without port-security I am seeing this behavior where the phone MAC is learned on two VLANs, the data and the voice. The main problem with this is that if you do a packet capture on the PC connected to the phone you will see voice traffic reaching the PC. This defeats the concept of having layer 2 security with a voice VLAN and a data VLAN.

If you issue the command show mac-address-table | inc "phone mac" multiple times, you will see the MAC hopping between data, then voice, then data and voice, then disappearing, and the cycle starts again every two seconds. This is causing the switch to flood the traffic sometimes on the data and voice VLAN. That's why the PC sees some voice packets such as Skinny keepalives and Skinny control messages on its port destined to phones in the voice VLAN.

I opened a case with Cisco and they said it is normal behavior!!! However, where is the security if some traffic is getting flooded!!! I have tried the latest IOS version and see the same behavior.

Port security, as explained in the post, hides this behavior, and my customer doesn't want to enable port security in the meantime!

Please advise if there is a possible solution to this security breach and flooding.

Regards,

Silver

Re: query on sh mac-add

Hello Guys,

Each phase of the cycle explained above happens every twenty seconds, not two; that was a typo.

Thanks in advance for any clarifications,
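A small parser for the command output discussed in this thread, added here as an example (it is not from the thread, from Cisco, or from any of the posters): it reads the rows of the "show mac-address-table" output quoted in the original post, reports which address is learned on both the data and the voice VLAN of the same port, counts distinct addresses per VLAN (the figure a per-VLAN port-security maximum has to cover), and, given several successive samples of the command, lists addresses whose VLAN membership keeps changing, which is the flapping Silver describes. The VLAN numbers come from the interface configuration in the original post; the second and third samples are constructed here, not captured from a switch.

```python
import re
from collections import defaultdict

# Constructed input. The first sample is the "sh mac-address-table int fa 2/0/27"
# output quoted in the original post; the second and third are made-up later
# samples of the same command that illustrate the phone entry appearing and
# disappearing as Silver describes (they are not captured switch output).
SAMPLES = [
    """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 217    000a.b81a.583b    DYNAMIC     Fa2/0/27
 217    0014.85ce.e770    DYNAMIC     Fa2/0/27
 192    000a.b81a.583b    DYNAMIC     Fa2/0/27
Total Mac Addresses for this criterion: 3
""",
    """ 217    0014.85ce.e770    DYNAMIC     Fa2/0/27
 192    000a.b81a.583b    DYNAMIC     Fa2/0/27
Total Mac Addresses for this criterion: 2
""",
    """ 217    0014.85ce.e770    DYNAMIC     Fa2/0/27
Total Mac Addresses for this criterion: 1
""",
]

# VLAN numbers from the interface configuration in the original post.
DATA_VLAN = 217   # switchport access vlan 217
VOICE_VLAN = 192  # switchport voice vlan 192

# One address row: "<vlan> <mac> <type> <port>"; header, separator and
# "Total ..." lines do not match because they do not start with a VLAN number.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples for each address row of the output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4)))
    return rows


def vlans_by_port_mac(rows):
    """Map (port, mac) -> set of VLANs on which that address is currently learned."""
    seen = defaultdict(set)
    for vlan, mac, _type, port in rows:
        seen[(port, mac)].add(vlan)
    return seen


def macs_per_vlan(rows):
    """Distinct addresses per VLAN: what a per-VLAN port-security maximum must cover."""
    macs = defaultdict(set)
    for vlan, mac, _type, _port in rows:
        macs[vlan].add(mac)
    return {vlan: len(addrs) for vlan, addrs in macs.items()}


def dual_vlan_macs(rows, data_vlan=DATA_VLAN, voice_vlan=VOICE_VLAN):
    """(port, mac) pairs learned on both the data and the voice VLAN of one port."""
    return sorted(
        key for key, vlans in vlans_by_port_mac(rows).items()
        if {data_vlan, voice_vlan} <= vlans
    )


def flapping_macs(samples):
    """Addresses whose VLAN membership differs between successive samples.

    Returns {(port, mac): [sorted VLAN list per sample]}; an empty list means
    the address was absent from that sample (the "disappears" step Silver
    describes, after which the switch has to flood frames for it).
    """
    snapshots = [vlans_by_port_mac(parse_mac_table(s)) for s in samples]
    keys = set().union(*snapshots)
    result = {}
    for key in keys:
        seq = [sorted(snap.get(key, ())) for snap in snapshots]
        if any(s != seq[0] for s in seq[1:]):
            result[key] = seq
    return result


if __name__ == "__main__":
    first = parse_mac_table(SAMPLES[0])
    print("distinct MACs per VLAN:", macs_per_vlan(first))
    print("learned on both data and voice VLAN:", dual_vlan_macs(first))
    for (port, mac), seq in sorted(flapping_macs(SAMPLES).items()):
        print(f"flapping on {port}: {mac} -> {seq}")
```

Feeding the script output collected from the switch at intervals gives a simple check: a phone address that steadily sits on both VLANs is the behavior Ankur calls expected, while one that cycles between present and absent across samples is the condition Silver is reporting and is worth correlating with a capture on the PC side.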
