I've got a C3750 running IOS C3750-ADVIPSERVICESK9-M, Version 12.2(37)SE.
There's a PC + IP Phone connected to an access port and I need to enable the Port Security feature to authorize them. According to the "Catalyst 3750 Switch Software Configuration Guide, 12.2(37)SE" document I need to allow 2 MAC addresses on this port: 1 for the PC (access VLAN 113) and 1 for the IP Phone (voice VLAN 12).
Here is my default port config:
switchport access vlan 113
switchport mode access
switchport voice vlan 12
switchport port-security maximum 2
switchport port-security violation protect
switchport port-security mac-address sticky
After connecting PC + IP Phone to this port both devices are added to switch MAC-address table:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 113    0001.6c05.57b3    STATIC      Fa4/0/46  (PC)
 113    000d.6570.7e7a    STATIC      Fa4/0/46  (IP Phone)
For some reason IP Phone belongs to access VLAN 113, not to voice VLAN 12. I've got 2 strings added in port config:
It is known that if, after the device has been determined correctly, switchport port-security maximum is changed to 2, it all works fine.
So the question is: why is the IP Phone determined correctly only after switchport port-security maximum is set to 4? Setting port-security maximum 2 doesn't work, regardless of the fact that the Configuration Guide advises using 2 MAC addresses.
Interesting. Don't be surprised if the documentation is not 100% correct. What I expect is happening is that the phone initially comes up on the native VLAN (113). This would put a phone entry in the MAC table. Using CDP it talks to the switch to identify the voice vlan, then creates an 802.1q trunk and switches over to the new vlan, creating another MAC address entry on the port.
Because there's already a PC there, the second phone MAC entry is not allowed, so it doesn't change vlans. This sounds like an unintended feature (i.e. bug), as a result of the way the voice vlan negotiation works with port security.
I haven't tested this or anything. Do you see log entries ("show log" output) showing port security violations when you're set to only 2 MACs?
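The sequence hypothesised in the reply above, as an added example that is not part of the original thread and is not IOS code. It is a simplified model that assumes each (VLAN, MAC) pair consumes one secure-address slot and that `violation protect` drops frames silently; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

# MAC addresses taken from the MAC-address table in the question.
PC, PHONE = "0001.6c05.57b3", "000d.6570.7e7a"
ACCESS_VLAN, VOICE_VLAN = 113, 12


@dataclass
class SecurePort:
    """Toy model of one port with sticky learning and 'violation protect'."""
    maximum: int
    secure: list = field(default_factory=list)   # learned (vlan, mac) entries
    dropped: list = field(default_factory=list)  # sources discarded by protect

    def frame(self, vlan, mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        key = (vlan, mac)
        if key in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.append(key)   # sticky: entry stays in the table
            return True
        self.dropped.append(key)      # protect: drop, port stays up
        return False


def boot_sequence(maximum):
    """Replay the order of events described in the reply."""
    port = SecurePort(maximum)
    port.frame(ACCESS_VLAN, PC)               # PC sends traffic in VLAN 113
    port.frame(ACCESS_VLAN, PHONE)            # phone boots untagged in VLAN 113
    voice_ok = port.frame(VOICE_VLAN, PHONE)  # after CDP, phone tags VLAN 12
    return port, voice_ok


if __name__ == "__main__":
    for maximum in (2, 4):
        port, voice_ok = boot_sequence(maximum)
        print(f"maximum {maximum}: voice VLAN learned = {voice_ok}")
        print("  secure :", port.secure)
        print("  dropped:", port.dropped)
```

With a maximum of 2 the model ends with both MACs in VLAN 113, which matches the table in the question, and the phone's VLAN 12 entry is discarded.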