cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13502
Views
10
Helpful
3
Replies
Highlighted
Beginner

Port security mac address max # and VOIP (for umpteenth time)

This topic has been posted ad nauseum on here, there, and everywhere. But I'd like a definative answer on the topic, because there are inferences, references, and disparity about the "true" answer.

To rehash:

This is concerning the implementation of port security, and configuring the maximum amount of mac addresses allowed on one particular port. A phone has it's own mac address, and a mac address for it's "internal" switch. Most ports are configured to have the port connect to the VOIP phone, and then the VOIP phone connects to a host ( most likely a PC).

First thought would be to configure switchport port-security maximum 2 (phone and PC).

HOWEVER...

I have seen that sometimes the "ghost" mac address of the internal switch on the VOIP phone gets learned, and then unless you have configured for 3 mac addresses, you'll go into err-disable state.

Now, I've read this for the past 30 minutes, and I'd like to know if someone has a DEFINITIVE source for an answer. In my reading, I've seen one particularly good explanation on the whole issue for 2 or 3 mac addresses. As stated above, the phone has 2 mac addresses. The PC...1 (assuming 1 NIC card). As explained, the internal mac address of the internal port does not get populated (seen) on the switchport. This is due to the TLV (?) flag being set and CDP not seeing this internal port during phone booting. So, if that is the case, then 2 mac addresses should be allowed on the switch i.e. port-security max 2.

But, further reading has a "VIP" with over 5000 posts saying that Cisco recommended practice is to still configure for three mac addresses; i.e. port-security max 3.

However, no Cisco source was quoted for this. I've googled it, and can't find it. Does anyone have a link or a reference what Cisco specifically says to configure max 3?

As a side note:

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

Would this not still be considered "3" mac addresses  in the grand scheme of things  ? I would think it would "technically" be more secure that the port-security max 3, as you are narrowing down the access to 1 VOIP device, and 2 data devices (the PC and POTENTIALLY the internal switch if it was seen)

Anyone from Cisco care to chime in??              

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Cisco Employee

Hello Norm,

I am not the definitive Cisco resource so if anyone from Cisco wants to join I will be more than happy!

However, this is as I see things: First of all, the phone does not have 2 MAC addresses. It has just a single MAC address. Its "internal switch" does not have any MAC address on its own because it never sources or receives frames itself.

During the phone boot up process, it does not know yet its voice VLAN - this voice VLAN will only be learned from the CDP communication between the phone and the switch. So until the phone learns its voice VLAN, it sends all its own frames, including CDP messages, untagged. Now, as the phone boots, it starts sending CDP messages (untagged). As the switch receives them, it learns the phone's MAC address on the access VLAN of the port. Voila, the 1st secure MAC address is just learned on the access VLAN. After the switch sends a CDP packet back to the phone announcing the voice VLAN the phone should be in, the phone will start communicating in the voice VLAN (obtaining the IP address, registering, etc.), prompting the switch to learn the phone's MAC address again, this time, on the voice VLAN. Voila, the 2nd secure MAC address is learned. And of course, after the phone fully boots up and allows the attached PC to start communication, the 3rd secure MAC address will be learned by the switch.

So the requirement of 3 secure MAC addresses stems from the fact that the phone starts communicating in the access VLAN and after learning about the voice VLAN during the boot, it moves into the voice VLAN and continues the communication in it, causing the phone's MAC address to be learned on two VLANs by the switch. The third secure MAC address is the address of the PC.

Now, this is the principial technical background. I have went over the documentation to Catalyst 2960 switch series, and in accordance with your findings, I can confirm that the Command Reference for IOS 12.2(25)SED states regarding the switchport port-security maximum command:

When you enable port security on an interface that  is also configured with a voice VLAN, you must set the maximum allowed  secure addresses on the port to two plus the maximum number of secure  addresses allowed on the access VLAN. When the port is connected to a  Cisco IP Phone, the Cisco IP Phone requires up to two MAC addresses. The  Cisco IP Phone address is learned on the voice VLAN and might also be  learned on the access VLAN. Connecting a PC to the Cisco IP Phone  requires additional MAC addresses.

However, the documentation for the next IOS version 12.2(25)SEE states differently:

When you enable port security on an interface that  is also configured with a voice VLAN, set the maximum allowed secure  addresses on the port to two. When the port is connected to a Cisco IP  phone, the IP phone requires one MAC address. The Cisco IP phone address  is learned on the voice VLAN, but is not learned on the access VLAN. If  you connect a single PC to the Cisco IP phone, no additional MAC  addresses are required. If you connect more than one PC to the Cisco IP  phone, you must configure enough secure addresses to allow one for each  PC and one for the Cisco IP phone.

Why the difference? I am not sure. My personal explanation is that Cisco may have upgraded the internal IOS procedures that govern the learning of MAC address in a way that if a phone MAC address is recognized (possibly by the CDP), it is not learned on the access VLAN, or if it is learned, once the voice VLAN is assigned, the MAC address is moved, rather than additionally learned, onto the voice VLAN. I can make a test in lab on Monday to verify the precise steps taken by the IOS. Until then, this would be my best guess.

So to sum it up, the limit of 3 secure MAC addresses is explained by the fact that the MAC address of the phone may be learned on both access and voice VLAN as a result of the phone booting and discovering its environment first on the untagged, i.e. access VLAN, and then moving to the tagged voice VLAN. Cisco may have improved the learning procedure in more recent IOSes to recognize IP phone MAC addresses and avoid learning them on the access VLAN but I have to confirm this.

Would this be at least partially helpful?

Best regards,

Peter

View solution in original post

3 REPLIES 3
Highlighted
Hall of Fame Cisco Employee

Hello Norm,

I am not the definitive Cisco resource so if anyone from Cisco wants to join I will be more than happy!

However, this is as I see things: First of all, the phone does not have 2 MAC addresses. It has just a single MAC address. Its "internal switch" does not have any MAC address on its own because it never sources or receives frames itself.

During the phone boot up process, it does not know yet its voice VLAN - this voice VLAN will only be learned from the CDP communication between the phone and the switch. So until the phone learns its voice VLAN, it sends all its own frames, including CDP messages, untagged. Now, as the phone boots, it starts sending CDP messages (untagged). As the switch receives them, it learns the phone's MAC address on the access VLAN of the port. Voila, the 1st secure MAC address is just learned on the access VLAN. After the switch sends a CDP packet back to the phone announcing the voice VLAN the phone should be in, the phone will start communicating in the voice VLAN (obtaining the IP address, registering, etc.), prompting the switch to learn the phone's MAC address again, this time, on the voice VLAN. Voila, the 2nd secure MAC address is learned. And of course, after the phone fully boots up and allows the attached PC to start communication, the 3rd secure MAC address will be learned by the switch.

So the requirement of 3 secure MAC addresses stems from the fact that the phone starts communicating in the access VLAN and after learning about the voice VLAN during the boot, it moves into the voice VLAN and continues the communication in it, causing the phone's MAC address to be learned on two VLANs by the switch. The third secure MAC address is the address of the PC.

Now, this is the principial technical background. I have went over the documentation to Catalyst 2960 switch series, and in accordance with your findings, I can confirm that the Command Reference for IOS 12.2(25)SED states regarding the switchport port-security maximum command:

When you enable port security on an interface that  is also configured with a voice VLAN, you must set the maximum allowed  secure addresses on the port to two plus the maximum number of secure  addresses allowed on the access VLAN. When the port is connected to a  Cisco IP Phone, the Cisco IP Phone requires up to two MAC addresses. The  Cisco IP Phone address is learned on the voice VLAN and might also be  learned on the access VLAN. Connecting a PC to the Cisco IP Phone  requires additional MAC addresses.

However, the documentation for the next IOS version 12.2(25)SEE states differently:

When you enable port security on an interface that  is also configured with a voice VLAN, set the maximum allowed secure  addresses on the port to two. When the port is connected to a Cisco IP  phone, the IP phone requires one MAC address. The Cisco IP phone address  is learned on the voice VLAN, but is not learned on the access VLAN. If  you connect a single PC to the Cisco IP phone, no additional MAC  addresses are required. If you connect more than one PC to the Cisco IP  phone, you must configure enough secure addresses to allow one for each  PC and one for the Cisco IP phone.

Why the difference? I am not sure. My personal explanation is that Cisco may have upgraded the internal IOS procedures that govern the learning of MAC address in a way that if a phone MAC address is recognized (possibly by the CDP), it is not learned on the access VLAN, or if it is learned, once the voice VLAN is assigned, the MAC address is moved, rather than additionally learned, onto the voice VLAN. I can make a test in lab on Monday to verify the precise steps taken by the IOS. Until then, this would be my best guess.

So to sum it up, the limit of 3 secure MAC addresses is explained by the fact that the MAC address of the phone may be learned on both access and voice VLAN as a result of the phone booting and discovering its environment first on the untagged, i.e. access VLAN, and then moving to the tagged voice VLAN. Cisco may have improved the learning procedure in more recent IOSes to recognize IP phone MAC addresses and avoid learning them on the access VLAN but I have to confirm this.

Would this be at least partially helpful?

Best regards,

Peter

View solution in original post

Highlighted

Peter, this sums it up great.

So the requirement of 3 secure MAC addresses stems from the fact that  the phone starts communicating in the access VLAN and after learning  about the voice VLAN during the boot, it moves into the voice VLAN and  continues the communication in it, causing the phone's MAC address to be  learned on two VLANs by the switch. The third secure MAC address is the  address of the PC.

This is exactly right.

Here is an interesting post from the SB forums as well (which was before I stopped working for Cisco if that counts)

https://supportforums.cisco.com/thread/2183849

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Highlighted
Frequent Contributor

 

Hi Peter,

 

Thanks for great explanation.Our customer site is implementing Cisco VOIP.

So i configured port-security max 3  on all access port switches.

Before reading your post i was thinking what's the maximum mac address i should configure?

But after reading your post i got the answer.

 

Regards

Mahesh

Content for Community-Ad