07-25-2008 05:12 AM - edited 03-03-2019 10:54 PM
Hi everyone!
I've got C3750 with IOS C3750-ADVIPSERVICESK9-M, Version 12.2(37)SE running.
There's a PC + IP Phone connected to an access port and I need to enable the Port Security feature to authorize them. According to the "Catalyst 3750 Switch Software Configuration Guide, 12.2(37)SE" document I need to allow 2 MAC addresses on this port: 1 for the PC (access VLAN 113) and 1 for the IP Phone (voice VLAN 12).
Here is my default port config:
interface FastEthernet4/0/46
switchport access vlan 113
switchport mode access
switchport voice vlan 12
switchport port-security maximum 2
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
end
After connecting PC + IP Phone to this port both devices are added to switch MAC-address table:
Vlan Mac Address Type Ports
---- ----------- -------- -----
113 0001.6c05.57b3 STATIC Fa4/0/46 (PC)
113 000d.6570.7e7a STATIC Fa4/0/46 (IP Phone)
For some reason IP Phone belongs to access VLAN 113, not to voice VLAN 12. I've got 2 strings added in port config:
switchport port-security mac-address sticky 000d.6570.7e7a
switchport port-security mac-address sticky 0001.6c05.57b3
However, if I change switchport port-security maximum to 4, then both devices are detected correctly and their MAC addresses belong to the proper VLANs:
Vlan Mac Address Type Ports
---- ----------- -------- -----
12 000d.6570.7e7a STATIC Fa4/0/46
113 0001.6c05.57b3 STATIC Fa4/0/46
And the port config lines look like this:
switchport port-security mac-address sticky 000d.6570.7e7a vlan voice
switchport port-security mac-address sticky 0001.6c05.57b3
Note that if, after the devices have been detected correctly, switchport port-security maximum is changed to 2, it all works fine.
So the question is: why is the IP Phone detected correctly only after switchport port-security maximum is set to 4? Setting port-security maximum 2 doesn't work, even though the Configuration Guide advises using 2 MAC addresses.
Sorry for my English and thanks for help!
07-25-2008 05:40 AM
During the initial connection, the IP-Phone will use the 'access-vlan' in your case Vlan 113 to obtain its information from DHCP.
Once that information is obtained, it switches to the voice Vlan.
Port-Security disables the ability to do that hence it's recommended for IP-Phones to have Port-Security set to 3.
__
Edison.
07-25-2008 05:43 AM
Interesting. Don't be surprised if the documentation is not 100% correct. What I expect is happening is that the phone initially comes up on the native VLAN (113). This would put a phone entry in the MAC table. Using CDP it talks to the switch to identify the voice vlan, then creates an 802.1q trunk and switches over to the new vlan, creating another MAC address entry on the port.
Because there's already a PC there, the second phone MAC entry is not allowed, so it doesn't change vlans. This sounds like an unintended feature (i.e. bug), as a result of the way the voice vlan negotiation works with port security.
I haven't tested this or anything. Do you see log entries ("show log" output) showing port security violations when you're set to only 2 MACs?
Regards,
R.
08-24-2008 05:33 AM
The best thing is:
1) Remove the port security on the port and test whether both phone and PC work.
2) If yes, then take the sh mac-add int fas 0/X output; you should be getting two MACs. Then configure the port security.
That should solve the problem.
Regards
srini
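The symptom discussed in this thread can be checked for mechanically. The following is an added example, not part of any post above: it parses MAC address table rows like the ones in the question and flags a known phone MAC that was learned only in the access VLAN while the secure address table is already at its maximum. The function names, the finding codes and the `phone_macs` inventory are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed samples, copied from the two tables in the question above.
TABLE_MAX2 = """Vlan Mac Address Type Ports
---- ----------- -------- -----
113 0001.6c05.57b3 STATIC Fa4/0/46
113 000d.6570.7e7a STATIC Fa4/0/46
"""
TABLE_MAX4 = """Vlan Mac Address Type Ports
---- ----------- -------- -----
12 000d.6570.7e7a STATIC Fa4/0/46
113 0001.6c05.57b3 STATIC Fa4/0/46
"""
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def parse_mac_table(text):
    """Map port -> list of (vlan, mac); header and separator lines are skipped."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(3)].append((int(m.group(1)), m.group(2).lower()))
    return dict(ports)

def audit_port(entries, access_vlan, voice_vlan, phone_macs, maximum):
    """Return a list of (code, detail) findings for one secure port."""
    findings = []
    vlans_by_mac = defaultdict(set)
    for vlan, mac in entries:
        vlans_by_mac[mac].add(vlan)
        if vlan not in (access_vlan, voice_vlan):
            findings.append(("UNEXPECTED_VLAN", f"{mac} in VLAN {vlan}"))
    for mac in sorted(phone_macs):  # phone_macs: assumed inventory of phone MACs
        seen = vlans_by_mac.get(mac, set())
        if access_vlan in seen and voice_vlan not in seen:
            findings.append(("PHONE_IN_ACCESS_VLAN", mac))
            if len(entries) >= maximum:  # no free slot to relearn in voice VLAN
                findings.append(("SECURE_TABLE_FULL", f"{len(entries)}/{maximum}"))
    return findings

def audit(text, port, **kw):
    """Parse a table dump and audit a single port."""
    return audit_port(parse_mac_table(text).get(port, []), **kw)

if __name__ == "__main__":
    kw = dict(access_vlan=113, voice_vlan=12, phone_macs={"000d.6570.7e7a"})
    print(audit(TABLE_MAX2, "Fa4/0/46", maximum=2, **kw))
    print(audit(TABLE_MAX4, "Fa4/0/46", maximum=4, **kw))
```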