Switch port port-security maximum MAC address when using IP phone

Port-security maximum MAC address setting on a switch port when an IP phone is attached
and a PC is connected through the phone's built-in switch:

Problem: [switch]–[IP Phone]–[PC]
If the user’s switchport config is like this:

errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
interface x/y/z
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security violation shutdown
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice

In theory this should work, but in practice it causes problems.

When the user turns on the PC, he/she sees a system notification that the link
went down (and the phone loses PoE power or loses its connectivity to the
switch). This is caused by the port-security config combined with a strange
behavior of the IP phone.

At start-up the phone uses its MAC for CDP in both VLANs, the native and the
voice VLAN, because at that point the phone does not yet know which VLAN is
the voice VLAN, so the switch already sees 2 MAC entries. When the PC comes up
and sends a single packet (DHCP, ARP, ...) that is a 3rd MAC entry. Until the
phone's MAC in the data (native) VLAN has aged out, the port stays in the
violation (shutdown) state. If you are lucky, the phone stays up, keeps its
power and does not forget the voice VLAN. After the aging time expires and the
auto recovery re-enables the port, the PC can communicate, because MAC aging
has already deleted the phone's MAC from the data VLAN.

And another problem: some phones have a weird behavior. The phones have a CDP
feature, the host presence type length value (TLV), to notify the switch of
changes in the attached device's port link state. The phone generates this CDP
frame in the voice VLAN; it is a control message telling the switch to remove
the PC's MAC from the CAM table. But some phone platforms (in my experience)
generate this message in the data (native) VLAN, so the switch sees the phone's
MAC in both VLANs. This leads to the problem that when the PC has booted and
sends its first packet, the switch secures the port because of the MAC
violation. After the MAC aging time and the automatic error recovery of the
port, the PC is able to send and receive packets on the port.

Solution:
interface x/y/z
switchport port-security maximum 3
switchport port-security maximum 2 vlan access
switchport port-security maximum 1 vlan voice
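As an added illustration (not part of the original post), the small Python model below replays the start-up sequence described above against both configurations and the inactivity aging. The MAC addresses are constructed and the counting rules are a simplified assumption about how per-port and per-VLAN maximums interact, not an emulation of IOS.

```python
from dataclasses import dataclass, field

# Constructed sample addresses, not taken from the post.
PHONE_MAC = "00:1b:2c:3d:4e:5f"
PC_MAC = "00:aa:bb:cc:dd:ee"

@dataclass
class PortSecurity:
    maximum: int        # switchport port-security maximum N
    per_vlan: dict      # {"access": N, "voice": N} per-VLAN maximums
    aging_time: int     # switchport port-security aging time (minutes, inactivity)
    secure: dict = field(default_factory=dict)  # (vlan, mac) -> idle minutes

    def frame(self, vlan: str, mac: str) -> bool:
        """Learn the source MAC; return False if it would trigger a violation."""
        key = (vlan, mac)
        if key in self.secure:
            self.secure[key] = 0  # traffic restarts the inactivity timer
            return True
        in_vlan = sum(1 for v, _ in self.secure if v == vlan)
        # The same MAC seen in two VLANs occupies two secure entries.
        if len(self.secure) >= self.maximum or in_vlan >= self.per_vlan[vlan]:
            return False  # 'violation shutdown' would err-disable the port here
        self.secure[key] = 0
        return True

    def tick(self, minutes: int) -> None:
        """Advance time; entries idle for aging_time or longer are removed."""
        for key in list(self.secure):
            self.secure[key] += minutes
            if self.secure[key] >= self.aging_time:
                del self.secure[key]

def config(maximum: int, access: int, voice: int) -> PortSecurity:
    return PortSecurity(maximum, {"access": access, "voice": voice}, aging_time=5)

def boot_sequence(port: PortSecurity) -> list:
    """Phone announces itself in both VLANs at start-up, then the PC sends."""
    return [port.frame("access", PHONE_MAC),
            port.frame("voice", PHONE_MAC),
            port.frame("access", PC_MAC)]

def delayed_pc(port: PortSecurity) -> bool:
    """PC is switched on only after the phone's access-VLAN entry has aged out."""
    port.frame("access", PHONE_MAC)
    port.frame("voice", PHONE_MAC)
    port.tick(3)
    port.frame("voice", PHONE_MAC)  # phone keeps talking only in the voice VLAN
    port.tick(3)                    # access-VLAN entry now idle 6 min: aged out
    return port.frame("access", PC_MAC)
```

`config(2, 1, 1)` is the problem config and `config(3, 2, 1)` the solution; with the first, the PC's first frame is refused at boot but accepted once the phone's stale access-VLAN entry has aged out, which is the delay the post describes.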
