Best practice for port security maximum if Cisco phone...

Clutz5250
Level 1

I've been trying to find some info regarding a known issue in our environment. Cisco phones apparently require the data VLAN first before transitioning to the voice VLAN and port security.

So we've been seeing about 3 MACs before they age out (on our newer stuff). We'd like to keep the port security max statement at two (phone, PC), but apparently that can hose things. Is the official best practice in this situation to set the max to 3 and avoid network conflict? That seems partly counter to the goal: the MAC age-out timer from one of the PS statements fires, and then there's a happy port ready for person X to jack into without any (or much) delay. I guess at least we are protecting the ARP table from blowing up in a spoof attack? Perhaps we could remove the age-out port security statement and just leave the duplicate floating?

So... it would be nice to know the gold standard port security config here (w/o sticky).

I have seen someone mention that 'CDP enhancement for 2nd port disconnect' might partly be a solution, but I'm not sure yet whether it will still cause a problem.

Thanks!

2 Replies

Reza Sharifi
Hall of Fame

"So... it would be nice to know the gold standard port security config here (w/o sticky)."

Not sure if there is any standard, but we use 2 MACs with laptops daisy-chained off the phones and have not had any issues.

HTH

"Not sure if there is any standard, but we use 2 MACs with laptops daisy-chained off the phones and have not had any issues."

That is not the case with us apparently. The phone utilizes the data VLAN initially, from what I understand, and then moves to the voice VLAN. So, if port security is implemented, you need a minimum of a 'maximum 3' statement for port security.
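For reference, here is an added configuration example that is not from anyone in this thread. It assumes GigabitEthernet1/0/1 is a phone-plus-PC port, VLAN 10 is the data VLAN and VLAN 100 is the voice VLAN (all assumed names). It shows the flat 'maximum 2' setting the original poster reports trouble with next to a 'maximum 3' configuration that uses per-VLAN limits, which Cisco IOS supports with the `vlan access` / `vlan voice` keywords. The Catalyst port-security documentation notes that a Cisco IP phone can consume up to two secure addresses on a voice-VLAN port, because its MAC may be learned on the access VLAN as well as the voice VLAN, which matches the three addresses the poster observes.

```cisco
! Added example configuration (not from the thread). Assumed interface and
! VLAN numbers: Gi1/0/1 = phone + PC port, VLAN 10 = data, VLAN 100 = voice.
! Violation action 'restrict' is a choice for the example, not a recommendation
! from the thread; 'shutdown' is the IOS default.
!
! --- Weak setting: flat maximum of 2, no per-VLAN limits -------------------
! If the phone's MAC is learned on VLAN 10 while it boots and again on
! VLAN 100 once it moves, plus the PC on VLAN 10, that is three secure
! addresses and the third one trips the violation action.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! --- Corrected setting: budget for phone-on-both-VLANs plus one PC ---------
! Total of 3, capped per VLAN so the spare slot can never be used by a
! second device on the voice VLAN. Inactivity aging reclaims the phone's
! stale data-VLAN entry after it has settled on the voice VLAN. Sticky
! learning is deliberately left off, as the original poster asked.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
! --- Verify what the port actually learned and on which VLAN ---------------
! After the aging timer expires, a phone that has moved to VLAN 100 should
! leave only the PC as a VLAN 10 address; if the phone's MAC still shows in
! both VLANs, the flat 'maximum 2' above is what would have tripped.
! show port-security interface GigabitEthernet1/0/1
! show port-security address
```

The per-VLAN cap closes the voice-VLAN side of the gap the original poster describes, but not the data-VLAN side: once the phone's data-VLAN entry ages out, that slot can be filled by a second data-VLAN host, which is exactly the "happy port" concern above. Leaving aging off keeps the stale phone entry occupying the slot instead (the "leave the duplicate floating" option), at the cost of the phone's old data-VLAN address never being cleared until the port bounces or the entry is removed by hand.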