Cisco VOIP and port security
07-10-2013 09:44 AM - edited 03-16-2019 06:18 PM
I've been having an argument with a "federal employee" about VOIP issues, MAC address port security, etc. So here's the scenario:
We use Cisco phones, with PCs plugged into their "trunk" ports, for network connectivity. Each switchport is configured for a voice vlan and an access vlan.
We use port-security on each switch, coupled with switchport port-security, mac sticky, etc.
About 2 years ago, the common practice was to configure 3 mac addresses on each port. The reason was that the phone would populate both the data and voice vlan when it was configuring, and we still had to connect with the attached PC. But then, there was a directive that said to change this because this had been corrected.
So, currently, we were configuring security as:
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
I'm not the big voice guy. But as I understand the process, the phone will power on. The switch, through cdp neighbor, will give the phone its voice vlan assignment. The phone will then start tagging packets and start the dhcp process and start registering with CUCM. But it no longer does the double mac address thing.
The argument by this "federal employee" is based on the old assumptions with double tagging by the phone. But I know this was resolved in a newer IOS.
Can someone please steer me to the article that draws this out?
Labels: Other IP Telephony
04-10-2014 10:09 AM
We have this problem also. Does anyone have an answer?
We're using Cisco 3750x with IOS version 15.0(2)SE4 and Nortel 1120E VoIP phones.
During startup the Phone with PC attached registers its MAC in the access vlan before moving to voice vlan, thus tripping port security on the access vlan.
I'm a federal employee as well, we need this resolved ASAP or should I create a TAC case?
Thanks,
Larry
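Added example, not part of either post and not Cisco code: a simplified Python model of the secure-address counting discussed in this thread, replaying the two boot behaviours described against the posted limits. It assumes the same MAC seen in two VLANs counts as two sticky entries and that entries never age out; the MAC addresses, boot sequences and names such as SecurePort and replay are constructed for illustration.

```python
# Simplified model of port-security address limits (an assumption for
# illustration, not how IOS is implemented).
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_total: int                     # "switchport port-security maximum N"
    max_per_vlan: dict                 # "maximum N vlan access|voice"
    learned: set = field(default_factory=set)      # sticky (vlan, mac) entries
    violations: list = field(default_factory=list)

    def frame(self, vlan, mac):
        """Process a source MAC seen in a VLAN; return True if it is allowed."""
        entry = (vlan, mac)
        if entry in self.learned:
            return True
        in_vlan = sum(1 for v, _ in self.learned if v == vlan)
        vlan_limit = self.max_per_vlan.get(vlan, self.max_total)
        if len(self.learned) >= self.max_total or in_vlan >= vlan_limit:
            self.violations.append(entry)
            return False
        self.learned.add(entry)        # sticky: kept until cleared by an admin
        return True


# Constructed MACs from the documentation range.
PHONE, PC = "0000.5e00.5301", "0000.5e00.5302"

# Constructed boot sequences: a phone that first sends untagged frames in the
# access VLAN (second post), and one that only ever sends tagged voice frames.
BOOT_UNTAGGED_FIRST = [("access", PHONE), ("voice", PHONE), ("access", PC)]
BOOT_TAGGED_ONLY = [("voice", PHONE), ("access", PC)]


def replay(frames, max_total, per_vlan):
    """Replay frames against a fresh port and return the violating entries."""
    port = SecurePort(max_total, dict(per_vlan))
    for vlan, mac in frames:
        port.frame(vlan, mac)
    return port.violations


if __name__ == "__main__":
    posted = {"access": 1, "voice": 1}          # limits from the first post
    print("untagged first, max 2:", replay(BOOT_UNTAGGED_FIRST, 2, posted))
    print("tagged only,    max 2:", replay(BOOT_TAGGED_ONLY, 2, posted))
    print("untagged first, max 3:", replay(BOOT_UNTAGGED_FIRST, 3, {}))
```

Under this model the posted limits only hold if the phone never appears in the access VLAN; whether a given phone and IOS release behave that way has to be confirmed on the switch with `show port-security address`.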
