04-05-2013 12:58 AM - edited 03-07-2019 12:39 PM
Hi all,
The customer has a Catalyst WS-C2960-48PST-L, and on some ports we have PoE VoIP phones from the company Aastra. If I use the first config, we have a problem when the phone boots up.
First config:
description tp-11-voip
switchport access vlan 250
switchport mode access
switchport voice vlan 201
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0008.5d76.8d2f vlan voice
mls qos trust dscp
snmp trap mac-notification change added
snmp trap mac-notification change removed
storm-control broadcast level 15.00
storm-control action trap
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 100
The MAC shown here is from a VoIP phone.
After the phone boots up, the phone cannot get an IP address, because it must boot first in VLAN 250 (access VLAN). On the port you can only see the MAC from VLAN 201.
With the second config the phone can boot without problems:
interface FastEthernet0/48
description tp-11-voip
switchport access vlan 250
switchport mode access
switchport voice vlan 201
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address 0008.5d76.8d2f vlan voice
switchport port-security mac-address 0008.5d76.8d2f
mls qos trust dscp
snmp trap mac-notification change added
snmp trap mac-notification change removed
storm-control broadcast level 15.00
storm-control action trap
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 100
Is there a reason why there is a problem with the first config on the Cat2960? The same first config works with a Cat2950 without problems.
Thank you for your help.
04-05-2013 01:35 AM
What is the difference between these two lines when compared to your "first config":
switchport port-security mac-address 0008.5d76.8d2f vlan voice
switchport port-security mac-address 0008.5d76.8d2f
04-05-2013 01:36 AM
Hello
You need CDP enabled so the phone can receive the correct configuration from the switch.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-05-2013 07:05 AM
Thank you for your help, but
"Unfortunately, the configuration you suggested did not solve the problem. The reaction of the port security system seems to be specifically related to the IOS as well as the platform.
1. When booting the telephone the first time in the access VLAN the MAC address in the running-config looks like this:
description tp-11-voip
switchport access vlan 250
switchport mode access
switchport voice vlan 201
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0008.5d76.8d2f
mls qos trust dscp
snmp trap mac-notification change added
snmp trap mac-notification change removed
storm-control broadcast level 15.00
storm-control action trap
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 100
2. The telephone gets the IP address of the configuration server (vendor-specific field) via the DHCP server.
3. The telephone loads the configuration from the configuration server. This configuration also contains the information of the voice LAN.
4. The telephone performs a reboot with the configuration in the voice LAN and now the error occurs:
-> The MAC address is deleted out of the Access VLAN and put into the Voice LAN.
And that looks like this:
description tp-11-voip
switchport access vlan 250
switchport mode access
switchport voice vlan 201
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0008.5d76.8d2f voice vlan
mls qos trust dscp
snmp trap mac-notification change added
snmp trap mac-notification change removed
storm-control broadcast level 15.00
storm-control action trap
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 100
So now there is the problem. Once the telephone is rebooted again, it will do so in VLAN 250. But the switch does NOT delete the (same!) MAC address out of the Voice LAN and the booting process of the telephone fails."
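Added example, not part of any post in this thread: a small Python audit that reads interface configuration and lists ports where a MAC is secured only in the voice VLAN, the state the last post describes as blocking the phone's next boot in the access VLAN. The sample config is constructed from the thread's lines, the function names are hypothetical, and treating an entry without a vlan keyword as an access-VLAN entry is an assumption taken from the configs quoted above.

```python
import re

# Constructed sample: two ports modelled on the configs quoted in the thread.
SAMPLE = """\
interface FastEthernet0/47
 switchport access vlan 250
 switchport voice vlan 201
 switchport port-security maximum 2
 switchport port-security mac-address sticky 0008.5d76.8d2f vlan voice
interface FastEthernet0/48
 switchport access vlan 250
 switchport voice vlan 201
 switchport port-security maximum 2
 switchport port-security mac-address 0008.5d76.8d2f vlan voice
 switchport port-security mac-address 0008.5d76.8d2f
"""

# Secure-MAC line; assumption: no "vlan" keyword means the access VLAN.
MAC_RE = re.compile(
    r"^switchport port-security mac-address (?:sticky )?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (voice|access))?$")

def parse_ports(config):
    """Return {interface: {"voice_vlan": bool, "macs": {mac: set(scopes)}}}."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower() if not raw.startswith("interface ") else raw.strip()
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], {"voice_vlan": False, "macs": {}})
        elif cur is not None and line.startswith("switchport voice vlan "):
            cur["voice_vlan"] = True
        elif cur is not None:
            m = MAC_RE.match(line)
            if m:
                cur["macs"].setdefault(m.group(1), set()).add(m.group(2) or "access")
    return ports

def voice_only_macs(config):
    """List (interface, mac) pairs secured in the voice VLAN but not the access VLAN."""
    return [(name, mac)
            for name, port in parse_ports(config).items() if port["voice_vlan"]
            for mac, scopes in sorted(port["macs"].items())
            if "voice" in scopes and "access" not in scopes]

if __name__ == "__main__":
    for name, mac in voice_only_macs(SAMPLE):
        print(f"{name}: {mac} is secured only in the voice VLAN")
```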