VOIP and port security with mac sticky not working as expected using max 1 vlan access

cisco4lct
Level 1

Hello, our VoIP phones with a PC connected trip port security because the phone registers its MAC in the Access VLAN before moving into the Voice VLAN.

Please let us know the proper config to make this work and allow only 1 MAC in the Access VLAN!

Cisco 3750x-48P with 15.0(2)SE4 IOS

Nortel 1120E VoIP phone.

Current port security config:

interface GigabitEthernet1/0/13
 switchport access vlan 205
 switchport mode access
 switchport voice vlan 411
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security mac-address sticky
 power inline consumption 8000
 etc.

2 Replies

acampbell
VIP Alumni

Hi,

Just as a test can you remove the port security from an interface.

!
int g1/0/13
shut
no switchport port-security maximum 2
no switchport port-security maximum 1 vlan access
no switchport port-security maximum 1 vlan voice
no switchport port-security
no switchport port-security mac-address sticky
no shut
!

Now look at the mac addresses that are learned on g1/0/13
once the phone has booted and the pc is online

show mac address-table dyn int g1/0/13

I am sure you will see 3 addresses:
2 - the PC & phone in the access vlan
1 - the phone in the voice vlan.

For me that means you have to apply your security as:

!
int g1/0/13
shut
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security mac-address sticky
no shut
!

Hope this helps
Regards
Alex

Regards, Alex. Please rate useful posts.
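To make the counting step in the reply concrete, here is an added Python example (not from the poster or the reply author) that parses `show mac address-table dynamic interface` output in the Catalyst IOS layout, counts the addresses learned per VLAN, and checks them against the `port-security maximum` limits for the port, the access VLAN and the voice VLAN. The table text is constructed, not captured from the poster's switch; the VLAN numbers 205 and 411 and the two sets of limits (the poster's 2/1/1 and the reply's 3/2/1) come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table dynamic interface g1/0/13"
# output in Catalyst IOS layout (not captured from the poster's switch).
# It models what the reply predicts: the phone (0011.2233.4455) learned in
# access VLAN 205 and again in voice VLAN 411, the PC (00aa.bbcc.ddee)
# learned only in the access VLAN.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 205    0011.2233.4455    DYNAMIC     Gi1/0/13
 205    00aa.bbcc.ddee    DYNAMIC     Gi1/0/13
 411    0011.2233.4455    DYNAMIC     Gi1/0/13
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN, dotted-hex MAC, type, port.  Header, separator and
# "Total" lines do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+\S+\s*$", re.I
)


def macs_per_vlan(mac_table_text):
    """Map each VLAN to the set of MAC addresses learned in it."""
    seen = defaultdict(set)
    for line in mac_table_text.splitlines():
        m = ROW_RE.match(line)
        if m:
            seen[int(m.group(1))].add(m.group(2).lower())
    return dict(seen)


def check_port_security(mac_table_text, access_vlan, voice_vlan,
                        max_total, max_access, max_voice):
    """Compare the learned addresses with the per-VLAN and per-port maxima.

    Returns a list of (scope, learned, allowed) for every limit the learned
    addresses would exceed; an empty list means the limits leave room for
    what the switch actually sees on the port.
    """
    per_vlan = macs_per_vlan(mac_table_text)
    access = len(per_vlan.get(access_vlan, set()))
    voice = len(per_vlan.get(voice_vlan, set()))
    # Port security counts a MAC once per VLAN it is learned in, so a phone
    # seen in both VLANs consumes two of the port-level maximum.
    total = sum(len(macs) for macs in per_vlan.values())
    violations = []
    if access > max_access:
        violations.append(("access", access, max_access))
    if voice > max_voice:
        violations.append(("voice", voice, max_voice))
    if total > max_total:
        violations.append(("total", total, max_total))
    return violations


if __name__ == "__main__":
    # Poster's original limits: maximum 2, 1 in the access VLAN, 1 in the voice VLAN.
    print("original config:", check_port_security(SAMPLE_MAC_TABLE, 205, 411, 2, 1, 1))
    # Limits proposed in the reply: maximum 3, 2 access, 1 voice.
    print("proposed config:", check_port_security(SAMPLE_MAC_TABLE, 205, 411, 3, 2, 1))
```

Run against the constructed table, the poster's limits report the access VLAN (2 learned, 1 allowed) and the port total (3 learned, 2 allowed) as over the limit, while the reply's 3/2/1 limits report nothing. Paste real `show mac address-table` output into `SAMPLE_MAC_TABLE` to check a port before tightening its maxima.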

I figured out the issue.

The VoIP phones jump into the access VLAN just long enough to trip port security "IF" the VoIP MAC isn't already known by the interface config. 

However, once the VoIP MAC is part of the interface config, things work as expected, and the phone MAC doesn't go into the access VLAN even after rebooting switch with saved config and/or phone.

Removing the VoIP MAC from the interface config with

clear port-security sticky interface

or

clear port-security all

will make the switch have to relearn the VoIP MAC and it will go into the access VLAN for a few seconds and trip port security.

So don't use those commands to clear port security. Use this command after finding the MAC address that caused the port security error in the switch log:

clear port-security sticky address xxxx.xxxx.xxxx

Anytime a phone is connected to a port for the very first time, let the phone boot up before connecting the PC so that the phone MAC jumps into the access VLAN and gets moved to the voice VLAN before the PC MAC registers in the access VLAN.

Like I said, once the VoIP MAC is part of the interface config, it doesn't matter if the PC is connected to the phone anymore. Things work as expected.

:)
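The reply's recommended fix is a targeted `clear port-security sticky address` for the MAC named in the switch log rather than an interface-wide or global clear. As an added example that is not part of the thread, the Python below pulls the offending MAC out of log lines in the layout of the IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` message and builds exactly that targeted command, one per distinct MAC. The log lines and the MAC addresses in them are constructed for the example.

```python
import re

# Constructed log lines in the layout of the IOS %PORT_SECURITY-2-PSECURE_VIOLATION
# message (not taken from the poster's switch).  The same MAC appears twice and
# an unrelated LINEPROTO line is mixed in, to show filtering and de-duplication.
SAMPLE_LOG = """\
Mar  1 08:12:31.117: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/13.
Mar  1 08:12:32.201: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Mar  1 08:14:05.440: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/13.
Mar  1 08:20:17.903: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0066.7788.99aa on port GigabitEthernet1/0/21.
"""

# Captures the dotted-hex MAC and the port name; the trailing period the
# message ends with is optional so the port name comes out clean.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$",
    re.I,
)


def parse_violations(log_text):
    """Return [(mac, port), ...] for every port-security violation line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            events.append((m.group(1).lower(), m.group(2)))
    return events


def clear_commands(log_text):
    """One targeted 'clear port-security sticky address' per offending MAC.

    Deliberately never emits 'clear port-security all' or the interface-wide
    'clear port-security sticky interface ...': both drop the phone's sticky
    entry too, and the thread describes how that makes the phone re-learn
    through the access VLAN and trip port security again.
    """
    commands = []
    seen = set()
    for mac, _port in parse_violations(log_text):
        if mac not in seen:
            seen.add(mac)
            commands.append(f"clear port-security sticky address {mac}")
    return commands


if __name__ == "__main__":
    for mac, port in parse_violations(SAMPLE_LOG):
        print(f"violation: {mac} on {port}")
    print("\n".join(clear_commands(SAMPLE_LOG)))
```

Feed it the output of `show logging` and review the printed commands before entering them on the switch; because each command names a single MAC, the sticky entries of the phone and of every other port stay untouched.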