Port-security maximum 3 (for phones)
Djerk | 7 Aug 2007 23:22
3 for phones? Was reading this and it stated the following. Nice one to keep in mind during the lab…
switchport port-security maximum 1
(or 3 for phones)
If port-security is turned on, the default number of allowed mac-addresses is 1. For an IP phone, we need 3 – one for the workstation, one for the phone on the voice Vlan and one for the phone on the native Vlan for CDP.
[edit] It’s funny checking this that the smartport macro only sets the maximum at 2:
--------------------------------------------------------------
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template
...
# Enable port security limiting port to a 2 MAC
# addressess -- One for desktop on data vlan and
# one for phone on voice vlan
switchport port-security
switchport port-security maximum 2
[edit] Sneaking a peek at my 877 home cpe I notice that indeed the mac address of my 7960 phone is seen on both the data and voice vlan…
home-cpe#sh mac-address-table
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  -------------------
0011.2189.c317       Dynamic          1  FastEthernet0
0011.2189.c317       Dynamic         10  FastEthernet0
(irrelevant output removed)
Other 3550 voip phone ready access-port stuff from the same page:
switchport port-security aging time 2
2 minutes is the shortest time possible without having keep-alive problems with CDP. Also, IP Phones do not signal the switch when a workstation is unplugged. Without specifying an aging time, the mac address would never age out.
switchport port-security violation restrict
Do not take the port down when a violation occurs. Instead, allow the mac-addresses that we have already seen to continue working. All other traffic is dropped. Necessary with IP phones.
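An added example, not part of the original post or of any Cisco tooling: a small Python audit that reads a running-config and checks every port carrying a voice VLAN against the three settings quoted above (maximum 3, an aging time, violation restrict). The sample config and all function names are constructed for illustration. Where a command is absent the script assumes the IOS defaults: maximum 1, aging disabled (time 0) and violation mode shutdown.

```python
# Constructed sample running-config; interface names and VLANs are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 2
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/3
 switchport port-security
"""
PS = "switchport port-security"

def parse_interfaces(config):  # {interface name: [sub-commands]}
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def setting(cmds, prefix, default):  # first word after prefix, else default
    hits = [c[len(prefix):].split()[0] for c in cmds if c.startswith(prefix + " ")]
    return hits[0] if hits else default

def audit_phone_ports(config):
    """Return {interface: [findings]} for ports that carry a voice VLAN."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport voice vlan ") for c in cmds):
            continue  # not a phone port; the post's values do not apply
        maximum = int(setting(cmds, PS + " maximum", "1"))
        checks = [
            (maximum >= 3, f"maximum {maximum}, post says 3 for phones"),
            (setting(cmds, PS + " aging time", "0") != "0", "no aging time"),
            (setting(cmds, PS + " violation", "shutdown") == "restrict",
             "violation mode is not restrict"),
        ]
        failed = [msg for ok, msg in checks if not ok]
        report[name] = ["port-security not enabled"] if PS not in cmds else failed
    return report
```

On the sample, FastEthernet0/2 (configured the way the cisco-phone macro does it, with maximum 2 and nothing else) fails all three checks, while FastEthernet0/3 is skipped because it has no voice VLAN.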