Port Security with VoIP

Cisco documentation stated this:

When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN. Connecting a PC to the phone requires additional MAC addresses.

So we would need 3 MAC addresses for a simple IP Phone <-> PC connection according to this. The phone would need 1 MAC for Voice, and 1 for the MAC for Access? Any clarifications on this, thanks.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

hermeszdata

eten wrote: »

Cisco documentation stated this:

So we would need 3 MAC addresses for a simple IP Phone <-> PC connection according to this. The phone would need 1 MAC for Voice, and 1 for the MAC for Access? Any clarifications on this, thanks.

I believe it you plug an IP phone, with no PC connected to the phone, into the switch and do sh mac address-table dynamic that it will only show a single mac address for that port. Having a PC plugged in will show the second IP Address.

If, however, you wanted to add a small switch to expand the capabilities of the Data/Voice drop to add a network printer for example, you would need to increase the # of mac address on the port for security purposes.

John

rage_hog

That and the fact that an IP phone has a basic switch built into it.

mwgood

eten wrote: »

So we would need 3 MAC addresses for a simple IP Phone <-> PC connection according to this. The phone would need 1 MAC for Voice, and 1 for the MAC for Access? Any clarifications on this, thanks.

Just as an example - see the following output listing the mac addresses on a port with an IP Phone connected:

Mac Address Table

Vlan Mac Address Type Ports
----

1 0025.84a1.1442 DYNAMIC Gi3/0/2
130 0025.84a1.1442 DYNAMIC Gi3/0/2
Total Mac Addresses for this criterion: 2

VLAN 130 is the Voice Vlan in this case, whereas VLAN 1 is the data vlan. The phone registers once on each Vlan, and the total number of instances of mac addresses is two - just for the phone, even though it is the same mac address.