04-10-2014 10:57 AM - edited 03-16-2019 10:26 PM
Hello, our VoIP phones with a PC connected trip port security because the phone registers its MAC in the access VLAN before moving into the voice VLAN.
Please let us know the proper config to make this work and allow only 1 MAC in the access VLAN!
Cisco 3750x-48P with 15.0(2)SE4 IOS
Nortel 1120E VoIP phone.
Current port security config:
interface GigabitEthernet1/0/13
switchport access vlan 205
switchport mode access
switchport voice vlan 411
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
power inline consumption 8000
etc.
04-10-2014 04:37 PM
Hi,
Just as a test can you remove the port security from an interface.
!
int g1/0/13
shut
no switchport port-security maximum 2
no switchport port-security maximum 1 vlan access
no switchport port-security maximum 1 vlan voice
no switchport port-security
no switchport port-security mac-address sticky
no shut
!
Now look at the mac addresses that are learned on g1/0/13
once the phone has booted and the pc is online
show mac address-table dyn int g1/0/13
I am sure you will see 3 addresses:
2 - the PC & phone in the access vlan
1 - the phone in the voice vlan.
For me that means you have to apply your security as:
!
int g1/0/13
shut
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
no shut
!
Hope this helps
Regards
Alex
04-15-2014 12:40 PM
I figured out the issue.
The VoIP phones jump into the access VLAN just long enough to trip port security "IF" the VoIP MAC isn't already known by the interface config.
However, once the VoIP MAC is part of the interface config, things work as expected, and the phone MAC doesn't go into the access VLAN even after rebooting switch with saved config and/or phone.
Removing the VoIP MAC from the interface config with
clear port-security sticky interface
or
clear port-security all
will make the switch have to relearn the VoIP MAC and it will go into the access VLAN for a few seconds and trip port security.
So don't use those commands to clear port security. Use this command after finding the MAC address that caused the port security error in the switch log:
clear port-security sticky address xxxx.xxxx.xxxx
Anytime a phone is connected to a port for the very first time, let the phone boot up before connecting the PC so that the phone MAC jumps into the access VLAN and gets moved to the voice VLAN before the PC MAC registers in the access VLAN.
Like I said, once the VoIP MAC is part of the interface config, it doesn't matter if the PC is connected to the phone anymore. Things work as expected.
:)
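The last post boils down to a procedure: read the MAC address out of the port-security violation message in the switch log, check whether it is already a sticky entry on the interface, and clear only that address rather than the whole interface. The script below is an added example, not code from the thread; it assumes the Catalyst syslog format "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxx.xxxx.xxxx on port <interface>." and the running-config form "switchport port-security mac-address sticky <mac> [vlan voice]", treating a missing "vlan" suffix as the access VLAN. The log lines and interface config it parses are constructed samples.

```python
"""Find the MAC behind a Catalyst port-security violation and build the
targeted 'clear port-security sticky address' command the thread recommends.

Added example, not from the original thread. Assumptions: the IOS syslog
format for PSECURE_VIOLATION shown in SAMPLE_LOG, and that IOS writes sticky
access-VLAN entries with no 'vlan' suffix and voice entries with 'vlan voice'.
SAMPLE_LOG and SAMPLE_CONFIG are constructed, not captured from a real switch.
"""
import re
from collections import defaultdict

# Constructed syslog excerpt: two repeats of one violation on Gi1/0/13, then
# an unrelated one on Gi1/0/20.
SAMPLE_LOG = """\
Apr 10 10:52:01.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/13.
Apr 10 10:52:03.456: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/13, putting Gi1/0/13 in err-disable state
Apr 10 10:53:10.789: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/13.
Apr 10 10:55:42.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccdd.eeff on port GigabitEthernet1/0/20.
"""

# Constructed interface config after the phone MAC has been learned as sticky.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/13
 switchport access vlan 205
 switchport mode access
 switchport voice vlan 411
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455 vlan voice
 switchport port-security mac-address sticky 1122.3344.5566
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>\S+) on port (?P<port>\S+?)\.?$"
)
# The bare 'mac-address sticky' line (no address) must not match, hence \s+\S+.
STICKY_RE = re.compile(
    r"^\s*switchport port-security mac-address sticky\s+(?P<mac>\S+)"
    r"(?:\s+vlan\s+(?P<vlan>access|voice))?\s*$"
)


def cisco_mac(mac: str) -> str:
    """Normalise colon, dash or dotted notation to Cisco's aabb.ccdd.eeff form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_violations(log_text: str) -> list[tuple[str, str]]:
    """Return (port, mac) for every violation message, in log order."""
    found = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            found.append((m.group("port"), cisco_mac(m.group("mac"))))
    return found


def offending_macs(log_text: str) -> dict[str, list[str]]:
    """Map each port to the distinct MACs that tripped it; repeats collapse."""
    per_port: dict[str, list[str]] = defaultdict(list)
    for port, mac in parse_violations(log_text):
        if mac not in per_port[port]:
            per_port[port].append(mac)
    return dict(per_port)


def sticky_entries(running_config: str) -> dict[str, str]:
    """Map each sticky MAC on an interface to 'access' or 'voice'.
    Assumption: no 'vlan' suffix means the access VLAN."""
    entries = {}
    for line in running_config.splitlines():
        m = STICKY_RE.match(line)
        if m:
            entries[cisco_mac(m.group("mac"))] = m.group("vlan") or "access"
    return entries


def clear_commands(log_text: str) -> list[str]:
    """Per-address clear commands, the alternative to 'clear port-security all'
    or 'clear port-security sticky interface', which would force the phone MAC
    to be relearned through the access VLAN."""
    return [f"clear port-security sticky address {mac}"
            for port, macs in sorted(offending_macs(log_text).items())
            for mac in macs]


if __name__ == "__main__":
    sticky = sticky_entries(SAMPLE_CONFIG)
    for port, macs in offending_macs(SAMPLE_LOG).items():
        for mac in macs:
            print(f"{port}: {mac} (sticky: {sticky.get(mac, 'no')})")
    print("\n".join(clear_commands(SAMPLE_LOG)))
```

Run it against "show logging" and "show running-config interface" output saved to files instead of the embedded samples; the MAC a phone trips with will normally already be listed as a sticky voice entry once the port has learned it, which is the state the post above says stays stable across reboots.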