07-22-2010 04:04 AM - edited 03-15-2019 11:51 PM
Hi all,
I've been troubleshooting this issue for the last week. We have 5x WS-C3750-48P switches in a stack with
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(52)SE
and 7941 IP Phones with firmware: TERM41.7-0-3-0S
Have tried the following firmware as well, with the same result: SCCP41.8-4-3S
---------------------------------------------------------------------------------------------
Switchport configuration:
interface FastEthernet5/0/22
 description DESKTOP & VOIP PORT
 switchport access vlan 303
 switchport mode access
 switchport voice vlan 4
 switchport port-security
 switchport port-security maximum 2
 switchport port-security aging time 5
 switchport port-security violation protect
 ip access-group 100 in
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 no mdix auto
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 spanning-tree portfast
---------------------------------------------------------------------------------------------
Problem description:
For some reason, once in a while the switch sees the MAC address of the phone in both VLANs, data and voice,
like this:
MOR-SBE-ASW03#show port-security interface f5/0/22 address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type             Ports       Remaining Age
                                                          (mins)
----    -----------       ----             -----       -------------
 303    001e.135c.efe4    SecureDynamic    Fa5/0/22         5
 303    0026.b9ce.a499    SecureDynamic    Fa5/0/22         5
------------------------------------------------------------------------
Total Addresses: 2
And therefore the phone can't communicate with the CallManager, so it tries to re-register.
But it can't re-register until the aging time on the switchport ages out the MAC on VLAN 303 (data), and if we're lucky then it learns it on VLAN 4 just in time to register the phone.
I can't reproduce the problem. It happens quite a few times per day.
It does not happen to all the phones on this switch. Only to some of them.
Have done the following troubleshooting steps:
1) If I remove port-security it works fine.
2) If I put port-security violation mode shutdown/restrict, it works fine too. It seems to happen with only protect mode.
3) It does not happen to all phones.
--------------------------------------------------------------------------
I do not understand why the switch learns the phone's MAC in the data VLAN 303. It should appear only in the voice VLAN.
I will appreciate any help,
Thanks,
George
07-22-2010 06:45 AM
Just to add more thoughts.
Port-security should be triggered only if MAC addresses exceed the MAX defined per port.
So if it sees the IP phone's MAC address twice, say in Access VLAN and Data VLAN, it should still consider it as only 1 MAC address + 1 PC MAC address and should not start protecting the port.
But for some reason, this does not happen with violation action "protect".
Thanks,
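
A check for the stuck state shown in the first post, as an added example that is not part of the original thread: it parses `show port-security interface ... address` output and flags a port whose secure entries all sit in the access VLAN with none in the voice VLAN. The function names and sample MACs are constructed; the VLAN numbers and maximum are taken from the posted switchport configuration, and the check is a heuristic for spotting the symptom, not a statement of how the platform counts addresses.

```python
import re

# Constructed samples in the shape of the output quoted in the post.
# MACs are made-up values from the documentation range.
STUCK = """\
Vlan Mac Address Type Ports Remaining Age
---- ----------- ---- ----- -------------
303 0000.5e00.5301 SecureDynamic Fa5/0/22 5
303 0000.5e00.5302 SecureDynamic Fa5/0/22 5
Total Addresses: 2
"""
HEALTHY = """\
303 0000.5e00.5301 SecureDynamic Fa5/0/22 5
4 0000.5e00.5302 SecureDynamic Fa5/0/22 5
Total Addresses: 2
"""

# One table row: VLAN, dotted MAC, type, port, optional remaining age.
ROW = re.compile(
    r"^[ \t]*(\d+)[ \t]+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"[ \t]+(\S+)[ \t]+(\S+)(?:[ \t]+(\d+))?[ \t]*$",
    re.I | re.M,
)

def parse_secure_addresses(text):
    """Return one dict per secure MAC row; headers and rulers are skipped."""
    return [
        {"vlan": int(v), "mac": m.lower(), "type": t, "port": p,
         "age": int(a) if a else None}
        for v, m, t, p, a in ROW.findall(text)
    ]

def check_port(entries, access_vlan, voice_vlan, maximum):
    """Return findings for one port; thresholds come from its switchport config."""
    per_vlan = {}
    for e in entries:
        per_vlan.setdefault(e["vlan"], set()).add(e["mac"])
    findings = []
    if not per_vlan.get(voice_vlan):
        findings.append(f"no secure MAC in voice VLAN {voice_vlan}")
    if len(per_vlan.get(access_vlan, ())) >= maximum:
        findings.append(f"access VLAN {access_vlan} holds all {maximum} secure entries")
    for vlan in sorted(set(per_vlan) - {access_vlan, voice_vlan}):
        findings.append(f"secure MAC in unexpected VLAN {vlan}")
    return findings

if __name__ == "__main__":
    for name, sample in (("stuck", STUCK), ("healthy", HEALTHY)):
        print(name, check_port(parse_secure_addresses(sample), 303, 4, 2))
```

Run against periodically collected output, this gives a timestamped record of which ports enter the state, which helps with an intermittent problem that cannot be reproduced on demand.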