Port Security with VoIP

eten Posts: 67 Member
Cisco documentation stated this:
When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN. Connecting a PC to the phone requires additional MAC addresses.
So we would need 3 MAC addresses for a simple IP Phone <-> PC connection according to this. The phone would need 1 MAC for Voice, and 1 for the MAC for Access? Any clarifications on this, thanks.

Comments

  • hermeszdata Posts: 225 Member
    eten wrote: »
    Cisco documentation stated this:

    So we would need 3 MAC addresses for a simple IP Phone <-> PC connection according to this. The phone would need 1 MAC for Voice, and 1 for the MAC for Access? Any clarifications on this, thanks.

    I believe if you plug an IP phone, with no PC connected to the phone, into the switch and do sh mac address-table dynamic, it will only show a single MAC address for that port. Having a PC plugged in will show the second IP Address.

    If, however, you wanted to add a small switch to expand the capabilities of the Data/Voice drop, to add a network printer for example, you would need to increase the # of MAC addresses on the port for security purposes.

    John
  • rage_hog Posts: 42 Banned
    That and the fact that an IP phone has a basic switch built into it.
  • mwgood Posts: 293 Member
    eten wrote: »
    So we would need 3 MAC addresses for a simple IP Phone <-> PC connection according to this. The phone would need 1 MAC for Voice, and 1 for the MAC for Access? Any clarifications on this, thanks.

    Just as an example - see the following output listing the mac addresses on a port with an IP Phone connected:

              Mac Address Table

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    0025.84a1.1442    DYNAMIC     Gi3/0/2
     130    0025.84a1.1442    DYNAMIC     Gi3/0/2
    Total Mac Addresses for this criterion: 2

    VLAN 130 is the Voice Vlan in this case, whereas VLAN 1 is the data vlan. The phone registers once on each Vlan, and the total number of instances of mac addresses is two - just for the phone, even though it is the same mac address.
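
As an added example (not part of the thread or of Cisco's documentation), this Python script parses `show mac address-table` output and counts entries per port one per (VLAN, MAC) pair, as in the output above, then checks the count against a port-security maximum. The PC address 0011.2233.4455 and the function names are constructed for illustration; that each (VLAN, MAC) pair consumes one secure address is an assumption taken from the documentation quoted in the first post.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two phone entries plus a hypothetical PC
# (0011.2233.4455) learned on the data VLAN behind the phone.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0025.84a1.1442    DYNAMIC     Gi3/0/2
 130    0025.84a1.1442    DYNAMIC     Gi3/0/2
   1    0011.2233.4455    DYNAMIC     Gi3/0/2
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.I,
)

def entries_per_port(output):
    """Return {port: set of (vlan, mac)} parsed from the table text."""
    ports = defaultdict(set)
    for line in output.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and total lines do not match
            vlan, mac, _type, port = m.groups()
            ports[port].add((int(vlan), mac.lower()))
    return dict(ports)

def audit(output, voice_vlan, configured_max):
    """Compare learned entries per port with a port-security maximum.

    Assumption: each (VLAN, MAC) pair consumes one secure address.
    """
    report = {}
    for port, pairs in entries_per_port(output).items():
        voice = sum(1 for vlan, _ in pairs if vlan == voice_vlan)
        report[port] = {
            "needed": len(pairs),
            "voice_vlan": voice,
            "access_vlan": len(pairs) - voice,
            "distinct_macs": len({mac for _, mac in pairs}),
            "exceeds_max": len(pairs) > configured_max,
        }
    return report

if __name__ == "__main__":
    for limit in (2, 3):
        print(limit, audit(SAMPLE, voice_vlan=130, configured_max=limit))
```

With the sample above, the port shows two distinct MAC addresses but three entries, so a maximum of 2 would be exceeded and a maximum of 3 would not.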