port-security and IP Phones

I've seen a problem with the port-security feature on switches when you connect through an IP phone.

The problem arises when a data device, connected through an IP phone, is moved from one port to another on the same switch. When the data device is attached to the new port it has no connectivity.

The cause of the problem is the fact that the phone keeps the switch port up even though you may unplug a device from the data port on the phone. This means that the switch port-security entries are not cleared. The switch sees that the MAC address of the data device is attached to the old port, so it does not open on the new port until it's cleared from the old one.

To clear the port-security entries you can disconnect the IP phone, causing the port to drop, or you can run the following command:

clear port-security dynamic address A.B.C (where A.B.C is the MAC address of the data device)

This results in problems with laptop mobility on an office floor.

I've seen this problem on a Cisco 4506 running cat4500-ipbasek9-mz.122-37.SG.bin

Has anybody else seen this and does anybody know of a solution?

As always your help is appreciated. FWS


You need to modify the MAC Address table Timeout value for any port enabled for IP Telephony to a shorter value to allow PC mobility between these ports. On our switches (3560s) we use 2 minutes and find that works well enough (except for the really impatient people that only wait 5 seconds before screaming......;-)).

Cheers.................pk.


Peter, thanks for the response. I checked out the MAC address table timeouts and this is set to 300 seconds, the default, but when I remove the PC from the port on the IP phone it does not clear from the table after 5 mins. In fact the MAC address was still known on that port the following day.

The solution is to enable aging timeouts within the port-security config on each interface with the commands below.

switchport port-security aging time 1
switchport port-security aging type inactivity

So the port-security config on the switch reads like this now

switchport port-security
switchport port-security maximum 3
switchport port-security aging time 1
switchport port-security aging type inactivity

This results in the MAC address aging out of both the mac-address-table and the port-security table after 5 mins of activity. This solves the problem of moving a PC from one port to another on the same switch.

I've spotted reference to this problem on the cisco web site here


"If a secure MAC address is secured on a port, that MAC address is not allowed to enter on any other port off that VLAN. If it does, the packet is dropped unnoticed in the hardware. Other than through the interface or port counters, you do not receive a log message reflecting this fact. Be aware that this condition does not trigger a violation. Dropping these packets in the hardware is more efficient and can be done without putting additional load on the CPU."

FWS in Dublin

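An added audit script, not from this thread or from Cisco, that reads an IOS running-config and flags port-security interfaces lacking the inactivity aging fix described above; the config excerpt and interface names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from the thread). Gi1/0/1 keeps the
# default port-security aging (absolute, time 0 = never age), Gi1/0/2 has the
# fix from the thread, Gi1/0/3 has no port-security at all.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 3
!
interface GigabitEthernet1/0/2
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/0/3
 switchport mode access
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [its indented config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or blank line ends the block
    return blocks

def ports_missing_inactivity_aging(config: str) -> List[str]:
    """Port-security interfaces whose secure MACs never age out while idle.
    Without both 'aging type inactivity' and a non-zero 'aging time', a PC's
    MAC stays bound to the old port as long as the phone keeps the link up, and
    the PC's frames are silently dropped in hardware on its new port."""
    offenders = []
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue
        inactivity = "switchport port-security aging type inactivity" in lines
        timed = any(re.fullmatch(r"switchport port-security aging time [1-9]\d*", l)
                    for l in lines)
        if not (inactivity and timed):
            offenders.append(name)
    return offenders
```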
