URGENT HELP: Port security "maximum macs" with Avaya Phone

kfarrington
Level 3

I am really sorry to head the thread like this, but I am having issues when I configure the switchport below which has a HP PC plugged into the back of an Avaya Phone into the switchport.

Config on 3750 SMI Switch

!
interface FastEthernet1/0/x
 description New Desktop Name
 switchport access vlan 600
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 600
 switchport trunk allowed vlan 600,601
 switchport mode trunk
 switchport nonegotiate
 service-policy input access_ingress
 speed 100
 duplex full
 priority-queue out
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 2 (IP Phone and desktop)
 switchport port-security mac-address <Mac of IP Phone>
 switchport port-security mac-address <Mac of IP Desktop>
!

Now if I configure this while everything is on, it works fine. Then I try and shut the switchport and re-open it, just to test, and the switchport goes into error-dis

Is this a problem with the "maximum" and should I change this to 3, as a good workmate says it may use some internal switchport mac into the equation?

I just put this out to all, to see if this is a common experience also.

Many thx indeed,

Ken

Aaron Harrison
VIP Alumni

Hi Ken

Your problem here is related (I think) to the way the Avaya system starts up.

Cisco phones receive a CDP message telling them which VLAN to use, and boot straight into that VLAN.

Avaya phones on the other hand do not listen to the CDP, so they boot into the native/access VLAN and get DHCP IP and the options configured. One of these options gives them a VLAN ID, and they then reboot into the correct intended voice VLAN.

I believe the port-security remembers MAC addresses in the voice vlan and the access vlan separately - i.e. once in the voice-vlan it will appear in the config with voice-vlan after it.

A note from the 3750 manual:

*******************************************

Note When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and might also be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.

*******************************************

Secondly, I'd suggest a different port config:

 description New Desktop Name
 switchport mode access
 spanning-tree portfast
 switchport access vlan 600
 switchport voice vlan 601
 switchport nonegotiate
 service-policy input access_ingress
 priority-queue out
 switchport port-security
 switchport port-security maximum 3

Setting it as an access-port with voice vlan leads to a tidier config (no need for vlan-allowed lists) and ensures that portfast still works - it won't be working with your config. If you configure a trunk, you need spanning-tree portfast trunk to allow portfast to still occur.

Also unless you have your phones configured for 100full you will have a duplex mismatch on the port - I think like Cisco you would have to set this on every handset which is usually not something that people do.

Regards

Aaron

Please rate helpful posts...
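
The three points raised in the reply above (port-security maximum, portfast on a trunk, hard-set speed/duplex) can be checked mechanically before a port config is rolled out. The following is an added example, not code from either poster or from Cisco: the function name `lint_port` and the finding codes are hypothetical, the sample stanzas are the thread's two configs trimmed to the lines the checks read, and applying the voice-VLAN "two plus access-VLAN hosts" rule to the two-VLAN trunk is an assumption that follows the reply's reasoning.

```python
import re

# Constructed sample inputs: the two port configs from this thread.
ORIGINAL = """\
interface FastEthernet1/0/x
 switchport access vlan 600
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 600
 switchport trunk allowed vlan 600,601
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 2
"""
SUGGESTED = """\
interface FastEthernet1/0/x
 switchport mode access
 spanning-tree portfast
 switchport access vlan 600
 switchport voice vlan 601
 switchport port-security
 switchport port-security maximum 3
"""

def lint_port(config, pcs_behind_phone=1):
    """Return a sorted list of finding codes for one interface stanza."""
    cmds = [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]
    findings = set()
    trunk = "switchport mode trunk" in cmds
    voice = any(c.startswith("switchport voice vlan") for c in cmds)
    if "switchport port-security" in cmds and (trunk or voice):
        # IOS default maximum is 1 when no explicit value is configured.
        m = [int(x.group(1)) for c in cmds
             if (x := re.fullmatch(r"switchport port-security maximum (\d+)", c))]
        maximum = m[0] if m else 1
        # Manual note quoted above: two for the phone plus the access-VLAN hosts.
        if maximum < 2 + pcs_behind_phone:
            findings.add("PORTSEC_MAX_TOO_LOW")
    if trunk and "spanning-tree portfast" in cmds:
        findings.add("PORTFAST_NEEDS_TRUNK_KEYWORD")
    if any(c.startswith(("speed ", "duplex ")) and not c.endswith("auto") for c in cmds):
        findings.add("HARD_SET_SPEED_DUPLEX")
    return sorted(findings)

if __name__ == "__main__":
    print("original :", lint_port(ORIGINAL))
    print("suggested:", lint_port(SUGGESTED))
```

Raise `pcs_behind_phone` for ports where more than one host sits behind the handset; the required maximum grows with it.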

Hi Aaron,

This is most helpful indeed. Trying to rate post :) but not working :) will try later

Are there any other Avaya Funnies, and have lots of people experienced this issue?

Many kind regards indeed,

Ken