config on C2960

Jozef Staruch · ‎04-05-2013

Hi all ,

Customer has a Catalyst WS-C2960-48PST-L. and in some ports we have VoIP phones with PoE company Aastra. If I use first config we have problem when phone boot up.

First config:

description tp-11-voip

switchport access vlan 250

switchport mode access

switchport voice vlan 201

switchport port-security maximum 2

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0008.5d76.8d2f vlan voice

mls qos trust dscp

snmp trap mac-notification change added

snmp trap mac-notification change removed

storm-control broadcast level 15.00

storm-control action trap

no cdp enable

spanning-tree portfast

ip dhcp snooping limit rate 100

The MAC shown here is from a voip Phone

After the phone boot up, the phone can not get an IP address, because it must boot first in vlan 250 (access vlan). On the port you can only see the MAC from vlan 201.

With the second config the phone can boot without problems:

interface FastEthernet0/48

description tp-11-voip

switchport access vlan 250

switchport mode access

switchport voice vlan 201

switchport port-security maximum 2

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address 0008.5d76.8d2f vlan voice

switchport port-security mac-address 0008.5d76.8d2f

mls qos trust dscp

snmp trap mac-notification change added

snmp trap mac-notification change removed

storm-control broadcast level 15.00

storm-control action trap

no cdp enable

spanning-tree portfast

ip dhcp snooping limit rate 100

is there a reason, why it is the problem with the first config on cat2960 ? The same first config works with an Cat2950 without problems

Thank you for help

jtaisie · ‎04-05-2013

What is the difference between these two lines when compared to your "first config":

switchport port-security mac-address 0008.5d76.8d2f vlan voice

switchport port-security mac-address 0008.5d76.8d2f

paul driver · ‎04-05-2013

Hello

You need cdp enabled so the phone can recieve the correct configuration from the switch

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Jozef Staruch · ‎04-05-2013

thank you for help, but

"Unfortunately, the configuration you suggested did not solve the problem. The reaction of the port scurity system seems to be specifically related to the IOS as well as the platform.

1. When booting the telephone the first time in the access VLAN the MAC address in the running-config looks like this:

description tp-11-voip

switchport access vlan 250

switchport mode access

switchport voice vlan 201

switchport port-security maximum 2

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0008.5d76.8d2f

mls qos trust dscp

snmp trap mac-notification change added

snmp trap mac-notification change removed

storm-control broadcast level 15.00

storm-control action trap

no cdp enable

spanning-tree portfast

ip dhcp snooping limit rate 100

2. The telephone gets the ip address of the configuration server (Vendor specific field) via the DHCP server.

3. The telephone loads the configuration from the configuration server. This configuration also contains the information of the voice LAN.

4. The telephone performs a reboot with the configuration in the voice LAN and now the error occurs:

-> The MAC address is deleted out of the Access VLAN and put into the Voice LAN.

And that looks like this:

description tp-11-voip

switchport access vlan 250

switchport mode access

switchport voice vlan 201

switchport port-security maximum 2

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0008.5d76.8d2f voice vlan

mls qos trust dscp

snmp trap mac-notification change added

snmp trap mac-notification change removed

storm-control broadcast level 15.00

storm-control action trap

no cdp enable

spanning-tree portfast

ip dhcp snooping limit rate 100

So now, there is the problem. Once the telephone will be rebooted again, it will do so in the VLAN 250. But the switch does NOT delete the (same!) MAC address out of the Voice LAN and the booting process of the telephone fails."