I've been having an argument with a "federal employee" about VOIP issues, MAC address port security, etc. So here's the scenario:

We use Cisco phones, with PC's plugged into their "trunk" ports, for network connectivity. Each switchport is configured for a voice vlan and an access vlan.

We use port-security on each switch, coupled with switchport port-security, mac sticky, etc.

About 2 years ago, the common practice was to configure 3 mac addresses on each port. The reason was that the phone would populate both the data and voice vlan when it was configuring, and we still had to connect with the attached PC. But then, there was a directive that said to change this because this had been corrected.

So, currently , we were configuring security as:

switchport port-security

switchport port-security mac-address sticky

switchport port-security maximum 2

switchport port-security maximum 1 vlan access

switchport port-security maximum 1 vlan voice

I'm not the big voice guy. But as I understand the process, the phone will power on. The switch, through cdp neighbor, will give the phone it's voice vlan assignment. The phone will then start tagging packets and start the dhcp process and start registering with CUCM. But it no longer does the double mac address thing.

The argument by this "federal employee" is based on the old assumptions with double tagging by the phone. But I know this was resolved in a newer IOS.

Can someone please steer me to the article that draws this out?