Showing results for 
Search instead for 
Did you mean: 

Mac based security on 3560E



               I am having all 3560E as my edge switches. All the ports are having IP phones connected and PCs are connected to IP phones. I was looking forward to implement port based security.

              First of all is it a good practice to MAC based security in such environment ? Second are there any other options to make ports more secure ? Right now the ports are dynamic when i changed them to static with "switchport mode access" and gave commands like "switchport port-security" and "switchport port-security maximum 2" the port was shutdown and i there was no LED on it.

              Please suggest.


Pratik Mavani

2 Accepted Solutions

Accepted Solutions

That's the way we did too, but we had to sticky. It's a real pain as the port security violations seems to come in waves. We have since roled out 802.1x for phones and workstations. No more security violations (except when printers are moved).

View solution in original post


What code version you are running on the switch? In some of the older code

versions, the switch will learn the IP Phone MAC address both in data VLAN

as well as voice VLAN. When the IP Phone boots up, it will not know anything

about the Voice VLAN. Hence, it just comes up as a regular host and sends

untagged packets towards the switch. Switch will receive it in the native

VLAN and then handles it accordingly. The IP Phone will get an IP in the

data VLAN range first and then contacts the TFTP server for IP Phone

configuration. Once it downloads the configuration and realizes the voice

VLAN, it disassociates itself from the data VLAN and sends a new DHCP

request (tagged) on the voice VLAN. In the latest code (fixed) the switch

will remove the IP Phone MAC address association from the Data VLAN.

However, in the older code, the switch will not delete the MAC address from

the Data VLAN. That is the reason, you will see 3 MAC addresses (2 for IP

Phone and one for the PC). So, it is OK to set the limit to 3 as long as the

duplicate MAC is of the IP Phone alone.

Hope this helps.



View solution in original post

11 Replies 11