[cisco-voip] switchport port-security sticky for IP phones

Fuermann, Jason JBF005 at shsu.edu
Fri Apr 10 16:16:31 EDT 2009


From what I remember the port-security process/command is what takes these extra steps. We did testing with this and it seems to be the case, as without "switchport port-security" 3 MACs show up, but when the command is added the phone's MAC is removed from the access vlan.

Note: We use violation restrict

From: Wes Sisk [mailto:wsisk at cisco.com]
Sent: Friday, April 10, 2009 3:07 PM
To: Fuermann, Jason
Cc: 'Peter Pauly'; Mike Wilusz; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] switchport port-security sticky for IP phones

This aligns with my recollection of the issue. It focuses around CDP. CDP should not be tagged with dot1q; this potentially causes the phone to show up in the access vlan. Once the CDP exchange is complete all other traffic from the phone will be dot1q tagged to the voice vlan. Last I heard CDP should not be tagged.

If the switch does remove it from the access vlan, there are special steps going on to bypass (override?) the normal learning process.

/wes

On Friday, April 10, 2009 3:01:44 PM, Fuermann, Jason <JBF005 at shsu.edu> wrote:


The newer code on the switches will remove the phone's MAC from the access vlan once the phone has negotiated. The only caveat I've seen is that if violation is set to shutdown, the port is shut down before the MAC gets removed.



-----Original Message-----
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Peter Pauly
Sent: Friday, April 10, 2009 1:49 PM
To: Mike Wilusz
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] switchport port-security sticky for IP phones

Actually, I'm setting it to 3.

Here's a typical example of a recommended setup:

switchport port-security
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1111.1111.1111 vlan access
switchport port-security mac-address sticky 2222.2222.2222 vlan access
switchport port-security mac-address sticky 2222.2222.2222 vlan voice

I only ever see two entries, one for the PC (access vlan) and one for
the phone (voice vlan). I never see two for the phone.

On Fri, Apr 10, 2009 at 2:42 PM, Mike Wilusz
<mikewilusz at pricechopper.com> wrote:

Peter,

We're using "sticky" mode for PCs and phones. Are you setting the port to
detect 2 MACs? "switchport port-security maximum 2"

Mike Wilusz, CCNA
Telecommunications & Networking Supervisor
Price Chopper Supermarkets / The Golub Corporation

From: Peter Pauly <ppauly at gmail.com>
Date: Fri, 10 Apr 2009 14:31:51 -0400
To: <cisco-voip at puck.nether.net>
Subject: [cisco-voip] switchport port-security sticky for IP phones

All the examples of port security I've found show that an IP phone
needs two mac-address entries, one for the voice vlan and one for the
access vlan. When turning on "sticky" mode, I only ever see an entry
created for the voice vlan, never for the access vlan, even when
power-cycling the phone.

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
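The thread's conclusion, as an added example that is not any poster's code or Cisco's: a small hypothetical checker that parses the port-security stanza Peter posted and flags the caveat Jason describes, a port whose access VLAN has no spare slot for the phone's MAC while the violation mode is shutdown. The parser understands only the commands quoted in the thread, and it assumes that a sticky entry without a vlan keyword belongs to the access VLAN.

```python
import re
# Hypothetical checker (added example, not Cisco code) for the port-security syntax used in this thread.
MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?$")
VIOL_RE = re.compile(r"switchport port-security violation (protect|restrict|shutdown)$")
STICKY_RE = re.compile(r"switchport port-security mac-address sticky "
                       r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?: vlan (access|voice))?$")

def parse_port_security(config_lines):
    """Reduce an interface stanza to the settings the check below needs."""
    cfg = {"enabled": False, "max": {"port": 1}, "violation": "shutdown", "sticky": []}
    for raw in config_lines:
        line = raw.strip()
        if line == "switchport port-security":
            cfg["enabled"] = True
        elif m := MAX_RE.match(line):
            cfg["max"][m.group(2) or "port"] = int(m.group(1))
        elif m := VIOL_RE.match(line):
            cfg["violation"] = m.group(1)
        elif m := STICKY_RE.match(line):
            # Assumed: a sticky entry with no vlan keyword belongs to the access VLAN.
            cfg["sticky"].append((m.group(1), m.group(2) or "access"))
    return cfg

def check_port_security(config_lines):
    """Return findings for a phone-plus-PC port; an empty list means the stanza is consistent."""
    cfg = parse_port_security(config_lines)
    if not cfg["enabled"]:
        return ["port-security is not enabled"]
    findings = []
    port_max = cfg["max"]["port"]
    # The thread's caveat: the phone's MAC is first seen in the access VLAN (untagged CDP) and moved to
    # the voice VLAN afterwards; with 'violation shutdown' the port is disabled before that move.
    phone_macs = {mac for mac, vlan in cfg["sticky"] if vlan == "voice"}
    pcs = {mac for mac, vlan in cfg["sticky"] if vlan == "access" and mac not in phone_macs}
    if cfg["violation"] == "shutdown" and cfg["max"].get("access", port_max) - len(pcs) < 1:
        findings.append("violation shutdown with no spare access-VLAN slot for the phone's transient MAC")
    return findings

# The stanza Peter posted in the thread (MACs are the placeholders he used).
THREAD_CONFIG = [
    "switchport port-security", "switchport port-security maximum 3",
    "switchport port-security maximum 2 vlan access", "switchport port-security maximum 1 vlan voice",
    "switchport port-security violation shutdown", "switchport port-security mac-address sticky",
    "switchport port-security mac-address sticky 1111.1111.1111 vlan access",
    "switchport port-security mac-address sticky 2222.2222.2222 vlan access",
    "switchport port-security mac-address sticky 2222.2222.2222 vlan voice",
]
# Constructed tighter variant: only one access slot, so the phone's transient MAC trips the violation.
TIGHT_CONFIG = [l.replace("maximum 3", "maximum 2").replace("2 vlan access", "1 vlan access")
                for l in THREAD_CONFIG if "2222.2222.2222 vlan access" not in l]
```

Switching the tight variant to `violation restrict`, as Jason's site does, clears the finding because the port stays up while the phone's MAC moves to the voice VLAN.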


