I have recently tested this on a 4506 chassis running 12.2(53)SG1 and it
works with a maximum of 2. I have a phone plugged into the port and a PC
off of the phone. Here is my working configuration. I had done some
research on the topic while configuring this, and found that on some
platforms and IOS' you did indeed need a maximum of 3. It is probably one
of those things that depends on code...
interface FastEthernet3/19
switchport access vlan 32
switchport mode access
switchport nonegotiate
switchport voice vlan 64
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity
spanning-tree portfast
On Mon, Jul 25, 2011 at 10:23 AM, Martijn Minis <martijn.minis_at_gmail.com>wrote:
> I can distinctly remember a case where a IP telephone first listened
> to it's native VLAN, then received a vender specific option via DHCP
> with it's VLAN address, after which rebooted and set the correct VLAN
> ID. After that, it went through the DHCP process again. This could
> account for the MAC address being in both VLAN's. You could try and
> check your DHCP scope to see if this is true?
>
> Regards,
>
> Martijn
>
> On 22 July 2011 13:41, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
> > I reckon it depends on switch IOSand/or phone firmware version, I
> > vaguely remember it being an issue but currently in our environment we
> > have just 2 MACs, one in voice VLAN one in data VLAN, and port-security
> > is set to 2.
> >
> > Cheers
> > A.
> >
> > On 7/21/2011 10:22 PM, me you wrote:
> >> all the ports I have with both a phone and computer have 3 mac's listed.
> the
> >> phones mac is listed on both vlans. I think this is normal.
> >>
> >> On Thu, Jul 21, 2011 at 4:11 PM, Roy Khan<roykhan123_at_hotmail.com>
> wrote:
> >>
> >>> Dear
> >>>
> >>> Try to clear your mac address table because you are learning 3 mac
> >>> addresses one single address 2 times
> >>> clear the mac address table and tell us that is this fix this issue or
> no.
> >>>
> >>> *clear mac-address-table dynamic int Fa0/19*
> >>>
> >>>> Date: Thu, 21 Jul 2011 14:47:46 +0430
> >>>> Subject: port security question
> >>>> From: anunda19_at_gmail.com
> >>>> To: ccielab_at_groupstudy.com
> >>>> I am setting up port security for one computer on a port. Simple. But
> I
> >>> am
> >>>> having problems with the only port that has both a VIOP and computer.
> The
> >>>> MAC address on the phone is showing on both VLAN. I have included all
> the
> >>>> info. I am just overlooking something stupid. What is it?
> >>>>
> >>>> Thanks
> >>>> Rob
> >>>>
> >>>>
> >>>> sh mac add | i 0/19
> >>>> 2 0030.94c2.92b0 DYNAMIC Fa0/19
> >>>> 2 bcae.c52f.f4c5 DYNAMIC Fa0/19
> >>>> 3 0030.94c2.92b0 DYNAMIC Fa0/19
> >>>>
> >>>>
> >>>>
> >>>> interface FastEthernet0/19
> >>>> description Pete
> >>>> switchport access vlan 2
> >>>> switchport mode access
> >>>> switchport voice vlan 3
> >>>> switchport port-security
> >>>> switchport port-security maximum 2
> >>>> switchport port-security violation restrict
> >>>> switchport port-security mac-address 0030.94c2.92b0
> >>>> switchport port-security mac-address bcae.c52f.f4c5
> >>>> load-interval 30
> >>>> speed 100
> >>>> duplex full
> >>>> spanning-tree portfast
> >>>>
> >>>> Error
> >>>> Jul 21 09:55:46.289: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> >>> violation
> >>>> occurred, caused by MAC address 0030.94c2.92b0 on port
> FastEthernet0/19.
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>>
> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
-- Regards, Joe Astorino CCIE #24347 Blog: http://astorinonetworks.com "He not busy being born is busy dying" - Dylan Blogs and organic groups at http://www.ccie.netReceived on Mon Jul 25 2011 - 17:48:10 ART
This archive was generated by hypermail 2.2.0 : Mon Aug 01 2011 - 06:30:06 ART