10-21-2007 10:13 PM - edited 03-05-2019 07:13 PM
Hi,
We have IP phones connected to the 3750 switches, and here is the configuration of one of the ports, fa2/0/27:
interface FastEthernet2/0/27
 switchport access vlan 217
 switchport mode access
 switchport voice vlan 192
 speed 100
 duplex full
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
Can you please explain why, when I did a sh mac-add int fa2/0/27, the IP phone MAC address is in both the voice and data VLAN (see below)?
sh mac-address-table int fa 2/0/27
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 217    000a.b81a.583b    DYNAMIC     Fa2/0/27
 217    0014.85ce.e770    DYNAMIC     Fa2/0/27
 192    000a.b81a.583b    DYNAMIC     Fa2/0/27
Total Mac Addresses for this criterion: 3
TIA.
PF
10-22-2007 11:11 PM
Thanks very much Ankur.
PF
02-26-2009 12:42 AM
Hello Guys,
Even without port-security I am seeing this behavior where the phone MAC is learned on two VLANs, the data and voice. The main problem with this is that if you do a packet capture on the PC connected to the phone, you will see voice traffic reaching the PC. This defeats the concept of having layer 2 security with voice VLAN and data VLAN.
If you issue the command show mac-address-table | inc "phone mac" multiple times, you will see the MAC hopping between data, then voice, then data and voice, then it disappears, and the cycle repeats every two seconds. This is causing the switch to flood the traffic sometimes on the data and voice VLAN. That's why the PC sees some voice packets, such as skinny keepalives and skinny control messages, on its port destined to phones in the voice VLAN.
I opened a case with Cisco and they said it is normal behavior!!! However, where is the security if some traffic is getting flooded!!! I have tried the latest IOS version and same behavior.
Port security as explained in the post hides this behavior and my customer doesn't want to enable port security in the meantime!
Please advise if there is a possible solution to this security breach and flooding,
Regards,
02-26-2009 12:44 AM
Hello Guys,
Each phase of the cycle explained above happens every twenty seconds and not two; that was a typo.
Thanks in advance for any clarifications,
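
An added example, not posted by anyone in this thread: a small Python check that parses saved `show mac-address-table` output and reports any MAC learned in more than one VLAN on the same port, then tracks how that MAC's VLAN membership changes across repeated polls. The first snapshot is the output quoted in the original post; the other snapshots and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One table row: VLAN, dotted-hex MAC, entry type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return the set of (port, mac, vlan) tuples found in the CLI output."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and total lines do not match
            vlan, mac, _type, port = m.groups()
            rows.add((port, mac.lower(), int(vlan)))
    return rows

def macs_in_multiple_vlans(rows):
    """Map (port, mac) -> sorted VLANs for MACs learned in more than one VLAN."""
    seen = defaultdict(set)
    for port, mac, vlan in rows:
        seen[(port, mac)].add(vlan)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def vlan_timeline(snapshots, port, mac):
    """VLAN list for one MAC in each successive poll (empty list = not learned)."""
    key = (port, mac.lower())
    return [sorted(v for p, m, v in parse_mac_table(s) if (p, m) == key)
            for s in snapshots]

# SNAP_THREAD is the table quoted in the thread; the others are constructed
# to mimic the data / voice / both / gone cycle described in the later post.
SNAP_THREAD = """\
 217    000a.b81a.583b    DYNAMIC     Fa2/0/27
 217    0014.85ce.e770    DYNAMIC     Fa2/0/27
 192    000a.b81a.583b    DYNAMIC     Fa2/0/27
"""
SNAP_DATA_ONLY = " 217    000a.b81a.583b    DYNAMIC     Fa2/0/27\n"
SNAP_VOICE_ONLY = " 192    000a.b81a.583b    DYNAMIC     Fa2/0/27\n"
SNAP_GONE = " 217    0014.85ce.e770    DYNAMIC     Fa2/0/27\n"

if __name__ == "__main__":
    print(macs_in_multiple_vlans(parse_mac_table(SNAP_THREAD)))
    print(vlan_timeline([SNAP_DATA_ONLY, SNAP_VOICE_ONLY, SNAP_THREAD, SNAP_GONE],
                        "Fa2/0/27", "000a.b81a.583b"))
```

Feeding it timestamped captures taken at a fixed interval makes the length of each phase of the cycle measurable instead of estimated by eye.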