
Port Security Allowed Mac-Address

mikemanz83
Level 1

Good Night

With the command:

S1(config-if)# switchport port-security maximum 2

I'm configuring port security to allow a max. of 2 devices on that port, but if I connect an IP phone to the port, I've seen in several documents that I have to configure 3 MAC addresses, because in old phones there is a "phantom VLAN", plus the MAC of the phone and the last one for the PC.

My question is: nowadays, do I have to configure port security with 3 MAC addresses when I have a PC and an IP phone?

PS: I've tested configuring 2 MAC addresses and it works fine, but I don't know if that's true for other vendors or old phones.

PS2: I used only Cisco IP phones.

Thanks

M.M.

Giuseppe Larosa
Hall of Fame

Hello @mikemanz83,

The whole question is how the IP phone boots up.

Some phones can first boot up in the data VLAN (untagged), then learn what the voice VLAN is by some means (CDP, LLDP-MED or some DHCP option), and then get an IP address in the voice VLAN.

In this case there is a small time interval where the IP phone MAC address is listed twice, once in the data VLAN and once in the voice VLAN; this was the reason to use a count of 3.

Another reason is to give a chance to connect a different PC downstream of the phone (different NIC = different MAC address).

Hope to help

Giuseppe

Hello,

On a side note, this is from the 16.10 Gibraltar Security Configuration Guide:

'When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.'
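The boot-time case from the first reply, as an added example that is not part of the thread: it counts secure addresses per port from a constructed, simplified secure-address table and flags a MAC that is listed in two VLANs at once. The table rows, VLAN numbers (10 data, 110 voice), port names and the `audit` helper are assumptions made for illustration; each (VLAN, MAC) row is counted as one secure address, as that reply describes.

```python
import re
from collections import defaultdict

# Constructed sample laid out like a secure-address table; not captured from a real switch.
SAMPLE = """\
Vlan    Mac Address       Type             Ports
----    -----------       ----             -----
  10    0011.2233.4455    SecureDynamic    Gi1/0/5
 110    0011.2233.4455    SecureDynamic    Gi1/0/5
  10    00aa.bbcc.ddee    SecureDynamic    Gi1/0/5
 110    0011.2233.7788    SecureDynamic    Gi1/0/6
  10    00aa.bbcc.0001    SecureDynamic    Gi1/0/6
"""

# VLAN id, dotted-hex MAC, address type (ignored), port name
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def secure_entries(text):
    """Return {port: set of (vlan, mac)}; header and separator lines do not match ROW."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(3)].add((int(m.group(1)), m.group(2).lower()))
    return dict(ports)

def audit(text, maximum):
    """Per port: entries counted, whether they fit the maximum, MACs seen in more than one VLAN."""
    report = {}
    for port, entries in secure_entries(text).items():
        vlans_by_mac = defaultdict(set)
        for vlan, mac in entries:
            vlans_by_mac[mac].add(vlan)
        dual = sorted(mac for mac, vlans in vlans_by_mac.items() if len(vlans) > 1)
        report[port] = {
            "count": len(entries),
            "fits": len(entries) <= maximum,
            "dual_vlan_macs": dual,
        }
    return report

if __name__ == "__main__":
    for maximum in (2, 3):
        for port, result in sorted(audit(SAMPLE, maximum).items()):
            print(f"maximum={maximum} {port}: {result}")
```

In the sample, Gi1/0/5 is the phone that was first seen untagged and then in the voice VLAN, so it needs three entries, while Gi1/0/6 matches the behaviour in the configuration guide quote and fits in two.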
