Hi,

amir.glibic · ‎03-01-2016

Hi,

we have prepared the customers network for a VOIP solution with Avaya-phones.

A few days ago the first test devices came and after connecting them, we have the issue that the MAC is visible in both VLANs and is not timing out.

Everything works fine, but we are planning to implement NAC/802.1x in the next 2-3 months, so I'm afraid that this could be an issue then. Here's the config:

interface GigabitEthernet1/0/48
switchport access vlan 621
switchport mode access
switchport voice vlan 679
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable

Phone only:

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
621    a425.1bc5.2bf6    DYNAMIC     Gi1/0/48
679    a425.1bc5.2bf6    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 2

Phone + PC:

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
621    0023.248d.9c82    DYNAMIC     Gi1/0/41
621    f873.a2f4.40a5    DYNAMIC     Gi1/0/41
679    f873.a2f4.40a5    DYNAMIC     Gi1/0/41
Total Mac Addresses for this criterion: 3

I did some research and found different descriptions for this behavior. As example a statement in an old thread:

“In the older code versions (If I remember it right pre-12.2(44)SE), the switch did not remove the MAC from the data

vlan. Post 12.2(44)SE, they made a change to the code so the switch removes

the MAC from the MAC address table (from data vlan) as soon as the IP Phone

switches to voice vlan. I did see a bug filed for 12.2(50)SE again with the

same symptoms, so not sure if it is completely fixed. But it is not of a big

concern unless you are configuring port-security and trying to tie down the

number of MAC entries per interface.”

Some say that this is normal behavior after booting the phone, but should time out after some time.

A partner company is running 12.2.(55) SE with Avaya-phones and for me, their behavior is "normal":


Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
101    001b.4f15.063d    STATIC      Gi1/0/1 
11    5c26.0a0c.8118    STATIC      Gi1/0/1 
Total Mac Addresses for this criterion: 2

We have C3650-48FS-L, running IOS XE 3.3.5, so we can't tell, if this issue exists in this firmware also. Release notes don't say anything about known or resolved issues up to 3.6.x

I have read that this has impact on Port-Security, so that you always have to set the max MAC addresses to 3 when connecting IP-Phones.

But I don't know if it will have impact on 802.1x configuration/authentication.

Anyone familiar with a similar case?

BR

jabritt · ‎03-08-2016

The phone ports are technically considered trunk ports. ( since the phone serves both data and voice vlans). Trunks mac-address is in each mac-address table for VLANS they serve.

amir.glibic · ‎03-09-2016

Hi,

thanks for the reply. But why isn't the same behavior occurring at the partner company?

Or on devices of 2 other customers:

Vlan Mac Address Type Ports
---- ----------- -------- -----
 1 3464.a90b.ba52 DYNAMIC Gi0/9
 44 0004.1331.dbcc DYNAMIC Gi0/9

Vlan Mac Address Type Ports
---- ----------- -------- -----
 10 2c59.e500.615c DYNAMIC Gi1/0/30
 44 001a.e858.59a1 DYNAMIC Gi1/0/30

The phones are also trunking the connection to the PC, but their MAC is definitely not showing up in both VLANs. So I can't believe that this is the normal behavior - except it is different in IOS XE? Because all other customers have normal IOS.

BR

jabritt · ‎03-09-2016

Here is an example from internal documents and i apologize for the format look at the very last line:

14-4

Catalyst 2960 Switch Software Configuration Guide

OL-8603-04

Chapter 14 Configuring Voice VLAN

Configuring Voice VLAN

–

The Cisco IP Phone uses IEEE 802.1p frame

s, and the device

uses untagged frames.

–

The Cisco IP Phone uses untagged frame

s, and the device uses IEEE 802.1p frames.

–

The Cisco IP Phone uses IEEE 802.1Q frames, an

d the voice VLAN is the same as the access

VLAN.

•

The Cisco IP Phone and a device attached to the p

hone cannot communicate if

they are in the same

VLAN and subnet but use different frame types beca

use traffic in the same subnet is not routed

(routing would eliminate the frame type difference).

•

You cannot configure static secure MAC addresses in the voice VLAN.

•

Voice VLAN ports can also be these port types:

–

Dynamic access port.

See the

“Configuring Dynamic-Access Ports on VMPS Clients” section

on page 12-26

for more information.

–

IEEE 802.1x authenti

cated port. See the

“Configuring IEEE 802.1x Au

thentication” section on

page 9-22

for more information.

Note

If you enable IEEE 802.1x on an access port

on which a voice VLAN is configured and

to which a Cisco IP Phone is connected, th

e phone loses connectivity to the switch for

up to 30 seconds.

–

Protected port. See the

“Configuring Protected Ports” section on page 19-5

for more

information.

–

A source or destination port for a SPAN or RSPAN session.

–

Secure port. See the

“Configuring Port Security” section on page 19-8

for more information.

Note

When you enable port secur

ity on an interface that is al

so configured with a voice

VLAN, you must set the maximum allowed secure

addresses on the port to two plus the

maximum number of secure addresses allo

wed on the access VLAN. When the port is

connected to a Cisco IP Phone, the phone re

quires up to two MAC addresses. The phone

address is learned on the vo

ice VLAN and might also be

learned on the access VLAN.

Connecting a PC to the phone requires additional MAC addresses

Maybe there's no pc on the back of the phone, maybe there software or configuration is slighty different, but that's how it works.

mjbright757 · ‎07-29-2016

We have the same issue using Mitel 5330IP phones on Cisco 2960X on 15.2(2)E4 software. IP phones show up in both vlans on some ports, but others show just the voice vlan. Using Port-Security, we have to set the max MAC addresses to 3 as well to resolve this.

We've started deploying 802.1x at sites. With the Mitel phones, as soon as the MAC address of the phone shows up in both vlans, the port shuts down into an err-disabled state. The phones are 802.1x capable, but I haven't had any luck having the them authenticate. From what I've read online, MAB is the only solution, but I have yet to test this.

We have 2 sites that have Cisco IP phones. With these I've read that the phone and switch use CDP and the switch moves the phone into the voice vlan. This works, but every now and then I'll see something weird happen. What happens is the phone shows up in voice vlan and then fails 802.1x authentication and gets moved into the failed authorized vlan and the phone then shows "Phone Registering" on the screen.

Have either of you seen something like this with the Cisco phones?

BR, have you had any luck in your 802.1X deployment?

Thanks,

Jackson

mairaj1978 · ‎03-28-2019

We have the same issue with Mitel 6930 IP phones 2690x swithes running Version 15.2(2)E6 and some of the switch port learning the phone MAC in both voice and data vlan.

Do we know the solution please?

Regards,

Muhammad

torikinder · ‎11-28-2022

I am having this same issue with a Cisco 8811. For me the phone is displaying "Verify Network Connection" and is not operational. I have it on DHCP and it pulls an IP, can ping it etc. But it is showing both data and voice vlan in the mac address table like the others.

When the mac-address table is cleared, it will show in our voice vlan for around 30 seconds before showing both vlans for the mac.

Still looking for a fix to this after a week without having to find a workaround.

v/r

Riazi

Marco Aresu · ‎03-16-2017

Hi,

did you find a solution?

thanks

Marco

bigkeoni64 · ‎07-25-2022

I am experiencing this same issue on my switches. Maybe it is a non-issue?

MAC for the phone shows up in both voice and data VLANs.

1 32 WS-C3850-24U 16.12.05b CAT3K_CAA-UNIVERSALK9 INSTALL

Phone MAC address in voice and data VLAN -> possible 802.1x issue?