01-04-2012 09:44 AM - edited 03-07-2019 04:10 AM
This setup has been in place for some time; no new PCs or phones, no changes to the switch. Using Avaya IP phones, 2960 PoE switch (12.2.44SE6 since upgraded).
Voice VLAN 146; PC VLAN 140. Below is a typical port config:
interface FastEthernet0/2
 switchport access vlan 140
 switchport mode access
 switchport voice vlan 146
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation protect
 spanning-tree portfast
Port security was never triggered.
Started last week with one phone, a few more yesterday: couldn't contact the DHCP server. Upon review of the MAC address table on the switch, both devices were assigned to VLAN 140. I reset the values on a few phones, re-configured them for VLAN 146, but it still did not work.
Removed port security from the ports and the phones jumped onto VLAN 146 and now work.
This is a configuration I have in use in many places. Any ideas why this would have happened?
01-04-2012 10:07 AM
Hi,
Avaya/Nortel phones boot (DHCP requests) to the DATA VLAN first, then they move to the Voice VLAN.
This is normal if option 191 VLAN discovery is set.
The phone does not drop the port on VLAN switching.
Try changing
switchport port-security maximum 2
to
switchport port-security maximum 3
Regards
Alex
01-05-2012 08:12 AM
Alex - Thanks for the response. This makes sense to me. I am curious that I have this config in many switches but this is the first time I am running into problems
01-09-2012 05:46 AM
Hi,
Sorry for this delayed response.
I wanted to check in my lab today.
On my switch I have shut/noshut int fas 0/25.
The phone boots on the DATA VLAN 500, it then switches to the VOICE VLAN 501 and re-registers OK.
The MAC table shows the MAC address x 2:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 500    0016.caf2.750a    DYNAMIC     Fa0/25
 501    0016.caf2.750a    DYNAMIC     Fa0/25
Total Mac Addresses for this criterion: 2
Desk_2960#
5 minutes later, after the MAC aging time has expired (300 seconds), the MAC count reduces to 1:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 501    0016.caf2.750a    DYNAMIC     Fa0/25
Total Mac Addresses for this criterion: 1
Desk_2960#
So if you had a PC in the back of the PHONE too, then you would see 3 MAC addresses for 5 mins after reboot, then reducing to 2.
MAC security therefore needs to be set to allow MAX 3 addresses to allow reboots from scratch.
I can only suggest that your MAC address security was added after the phones were working.
HTH
Alex
please rate useful posts.
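Added example, not part of the original thread: a small Python audit that applies the counting shown in the lab post above (each VLAN/MAC row learned on a port counts as one address) and flags ports whose port-security maximum is lower than the number of entries seen. The sample config, the MAC table and all function names are constructed for illustration, and a default maximum of 1 is assumed for ports with no explicit value.

```python
import re
from collections import defaultdict

# Constructed sample data; only the first MAC is reused from the lab output above.
# Fa0/2: phone seen in both VLANs plus a PC. Fa0/3: phone aged out of the data VLAN.
RUNNING_CONFIG = """\
interface FastEthernet0/2
 switchport access vlan 140
 switchport voice vlan 146
 switchport port-security maximum 2
 switchport port-security
interface FastEthernet0/3
 switchport access vlan 140
 switchport voice vlan 146
 switchport port-security maximum 3
 switchport port-security
"""
MAC_TABLE = """\
 140    0016.caf2.750a    DYNAMIC     Fa0/2
 146    0016.caf2.750a    DYNAMIC     Fa0/2
 140    0021.5e00.0001    DYNAMIC     Fa0/2
 146    0016.caf2.750b    DYNAMIC     Fa0/3
 140    0021.5e00.0002    DYNAMIC     Fa0/3
"""
ROW = re.compile(r"^[ \t]*(\d+)[ \t]+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})[ \t]+\S+[ \t]+(\S+)", re.I | re.M)

def short_name(ifname):
    """FastEthernet0/2 -> Fa0/2, matching the Ports column of the MAC table."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\d.*)", ifname)
    return m.group(1) + m.group(2) if m else ifname

def port_limits(config):
    """Map port -> configured maximum for ports with port security enabled."""
    limits, enabled, port = {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            port = short_name(line.split(None, 1)[1])
        elif line == "switchport port-security":
            enabled.add(port)
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            limits[port] = int(m.group(1))
    return {p: limits.get(p, 1) for p in enabled}  # assumed default of 1

def undersized_ports(config, mac_table):
    """Return {port: (configured_max, entries_seen)} where the limit is too low."""
    seen = defaultdict(set)
    for vlan, mac, port in ROW.findall(mac_table):
        seen[port].add((int(vlan), mac.lower()))  # same MAC in two VLANs = two entries
    return {p: (limit, len(seen[p])) for p, limit in port_limits(config).items()
            if len(seen[p]) > limit}

if __name__ == "__main__":
    print(undersized_ports(RUNNING_CONFIG, MAC_TABLE))
```

Feed it the table captured within the aging window after a phone reboot, since that is when the phone's MAC is present in both VLANs.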
01-09-2012 06:00 AM
Alex - Thanks for labbing that up.
Brian
03-31-2019 04:48 PM
Hi Gurus:
I have a follow-up question from this post!
Pretend you have updated the port security to 3 and successfully connected a laptop to the phone, then imagine you have 2 phones at this site with the exact same switchport settings (and both phones have PCs connected to the back of the phone).
Now pretend that you unplug the laptops from each phone and connect them to the OTHER phone. The laptop will NEVER get a network connection because the switchport security setting 'holds' the MAC address on the switchport, and because the switchport never goes to a 'down/down' status (because the phone is still connected) the switch retains the MAC address on that switchport and gives a port security violation when the laptop connects to the other phone. The only way to 'fix' this problem is to unplug both phones (then the switch 'lets go' of the MAC address), which allows the laptops to connect.
How can we get around this problem so that it automatically allows the laptops to move around and plug into the back of different phones? We have tried aging the port security, but this has caused issues with the phones dropping off too (and wiping their config). The Cisco device is a 3850 running 16.6.4.
Thanks in Advance.