<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>From what I remember the port-security process/command is what
takes these extra steps. We did testing with this and it seems to be the case
as without “switchport port-security” 3 macs show up, but when the
command is added the phones mac is removed from the access vlan. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Note: We use violation restrict<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Wes Sisk [mailto:wsisk@cisco.com] <br>
<b>Sent:</b> Friday, April 10, 2009 3:07 PM<br>
<b>To:</b> Fuermann, Jason<br>
<b>Cc:</b> 'Peter Pauly'; Mike Wilusz; cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] switchport port-security sticky for IP phones<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>This aligns with my recollection of the issue. It focuses
around CDP. CDP should not be tagged with do1q, this potentially causes
the phone to show up in access vlan. Once CDP exchange is complete
all other traffic from the phone will be dot1q tagged to the voice vlan.
Last I heard CDP should not be tagged.<br>
<br>
if the switch does remove from access vlan there are special steps going on to
bypass (override?) the normal learning process.<br>
<br>
/wes<br>
<br>
On Friday, April 10, 2009 3:01:44 PM, Fuermann, Jason <a
href="mailto:JBF005@shsu.edu"><JBF005@shsu.edu></a> wrote:<br>
<br>
<o:p></o:p></p>
<pre>The newer code on the switches will remove the phones mac from the access vlan once the phone has negotiated. The only caveat I've seen is that if violation is set to shutdown, the port is shutdown before the mac get's removed.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>-----Original Message-----<o:p></o:p></pre><pre>From: <a
href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a> [<a
href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>] On Behalf Of Peter Pauly<o:p></o:p></pre><pre>Sent: Friday, April 10, 2009 1:49 PM<o:p></o:p></pre><pre>To: Mike Wilusz<o:p></o:p></pre><pre>Cc: <a
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><o:p></o:p></pre><pre>Subject: Re: [cisco-voip] switchport port-security sticky for IP phones<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Actually, I'm setting it to 3.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Here's a typical example of a recommended setup:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>switchport port-security<o:p></o:p></pre><pre>switchport port-security maximum 3<o:p></o:p></pre><pre>switchport port-security maximum 2 vlan access<o:p></o:p></pre><pre>switchport port-security maximum 1 vlan voice<o:p></o:p></pre><pre>switchport port-security violation shutdown<o:p></o:p></pre><pre>switchport port-security mac-address sticky<o:p></o:p></pre><pre>switchport port-security mac-address sticky 1111.1111.1111 vlan access<o:p></o:p></pre><pre>switchport port-security mac-address sticky 2222.2222.2222 vlan access<o:p></o:p></pre><pre>switchport port-security mac-address sticky 2222.2222.2222 vlan voice<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>I only ever see two entries, one for the PC (access vlan) and one for<o:p></o:p></pre><pre>the phone (voice vlan). I never see two for the phone.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>On Fri, Apr 10, 2009 at 2:42 PM, Mike Wilusz<o:p></o:p></pre><pre><a
href="mailto:mikewilusz@pricechopper.com"><mikewilusz@pricechopper.com></a> wrote:<o:p></o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Peter,<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>We're using "sticky" mode for PCs and phones. Are you setting the port to<o:p></o:p></pre><pre>detect 2 macs? "switch port-security maximum 2"<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Mike Wilusz, CCNA<o:p></o:p></pre><pre>Telecommunications & Networking Supervisor<o:p></o:p></pre><pre>Price Chopper Supermarkets / The Golub Corporation<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>From: Peter Pauly <a
href="mailto:ppauly@gmail.com"><ppauly@gmail.com></a><o:p></o:p></pre><pre>Date: Fri, 10 Apr 2009 14:31:51 -0400<o:p></o:p></pre><pre>To: <a
href="mailto:cisco-voip@puck.nether.net"><cisco-voip@puck.nether.net></a><o:p></o:p></pre><pre>Subject: [cisco-voip] switchport port-security sticky for IP phones<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>All the examples of port security I've found show that an IP phone<o:p></o:p></pre><pre>needs two mac-address entries, one for the voice vlan and one for the<o:p></o:p></pre><pre>access vlan. When turning on "sticky" mode, I only ever see an entry<o:p></o:p></pre><pre>created for the voice vlan, never for the access vlan, even when<o:p></o:p></pre><pre>power-cycling the phone.<o:p></o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>cisco-voip mailing list<o:p></o:p></pre><pre><a
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><o:p></o:p></pre><pre><a
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre><o:p> </o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre>_______________________________________________<o:p></o:p></pre><pre>cisco-voip mailing list<o:p></o:p></pre><pre><a
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><o:p></o:p></pre><pre><a
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>cisco-voip mailing list<o:p></o:p></pre><pre><a
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><o:p></o:p></pre><pre><a
href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>