Port Security, Sticky, Vlan trunking, VOIP phone sort of question

geek4god Member Posts: 187
Okay, studying for CCENT (one reason I posted this here) and got to port security. To turn on port security the port has to be set to be an access port. The sticky option means the first MAC address the port sees gets set as the allowed MAC for that port. So we have VOIP phones and our computers all plug into them and then into the switch. So I assume for this to work the phone actually acts as a switch?

Second question is I assume there are two Vlans here one for the phone data and one for the computers data (this is more a general assumption and not one related to the phone switch question). If so then that means on any given port there are two Vlans communicating so does that mean trunking has to be on for each port with a phone/computer setup? If so does this eliminate port security (at least at this level of my study) as the port will not be an access port?

If this needs to get moved somewhere let me know..


  • Timber Wolf Member Posts: 90 ■■□□□□□□□□
    I think the voice section would have been a better place for this thread, of course that section is dead most of the time unfortunately. You are correct that the phone has a small switch in it and that there are two VLANs set up on each port. How exactly they are set up depends on the phones themselves. If they are Cisco phones or another brand of phone that supports CDP such as Polycom for instance, the way you configure the port is as an access port with an access VLAN for data. You then add a special port command called a voice VLAN. The voice VLAN is the VLAN that your phone traffic is on, and it finds this VLAN through the use of CDP. If your phones do not have CDP then it is my understanding that you have to go through and configure the switchport as a trunk with two allowed VLANs, the native VLAN being data and the second allowed one being the voice VLAN.
    WGU BS IT - Security
    Need to complete: CSV1 BOV1 RIT1 BNC1 KET1 TPV1 MGC1 CJV1 KFT1 CNV1 SBT1 RGT1
    Completed: CUV1 CTV1
  • bermovick Member Posts: 1,135 ■■■■□□□□□□
    I think it's possible to keep the port an access port with access and voice vlans with non-cisco phones. You just have to manually configure the phone to use the voice vlan. Don't quote me on that though.
    Latest Completed: CISSP

    Current goal: Dunno
  • cisco_ma Member Posts: 12 ■□□□□□□□□□
    At work we have non-Cisco VoIP phones and the ports are regular access ports with both "switchport access vlan xx" defined and "switchport voice vlan xx" defined on each port. The VLAN is also set on the phone.

    We don't use port security, but are looking into it to keep VoIP phones from moving rooms. As I look through our switches now, it looks like it shows the phone MAC address 2 times rather than the MAC of the phone and the MAC of the PC that is connected through it. Not sure why that is though, or if it's just because people aren't here yet to turn on their computers.
  • pham0329 Member Posts: 556
    For Cisco phones, the port will be configured as an access port, with a voice/aux VLAN configured on it. The port will be trunking just the data VLAN and voice VLAN, but it will show up as an access port.

    Also, keep in mind that when you're enabling port-security on ports connected to an IP phone, you need to allow at least 3 MAC addresses on the port, 1 for the PC, and 2 for the phone. The phone's MAC address will sometimes show up 2x, once under the data VLAN, and once under the voice VLAN, so if you only allowed 2 MAC addresses (1 for phone, 1 for data), you may end up locking out your users.
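Pulling together the access-port-plus-voice-VLAN setup from Timber Wolf's reply and the "allow at least 3 MAC addresses" point from pham0329's reply, here is an added Cisco IOS example that is not from any poster in this thread. It assumes a Catalyst access switch, interface FastEthernet0/1, data VLAN 10 and voice VLAN 20 (all assumed values; pick your own). The first interface block is the configuration that can lock users out; the second is the corrected one.

```cisco
! --- Assumed values: Fa0/1 = user-facing port, VLAN 10 = data, VLAN 20 = voice ---

! Too tight: the phone can register under both the data and the voice VLAN,
! so with a PC behind it the port may see 3 addresses and trip a violation.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 spanning-tree portfast

! Corrected: room for 1 PC + the phone seen on both VLANs. "restrict" keeps the
! port up on a violation but drops the extra source and raises a violation
! counter/SNMP trap, which is easier to troubleshoot than the default err-disable.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast

! Verify what the port has actually learned and whether it has tripped
! (run these from privileged EXEC, not configuration mode):
! show port-security interface FastEthernet0/1
! show port-security address
! show interfaces FastEthernet0/1 status
```

Because the port is still `switchport mode access` with a voice VLAN, port security applies exactly as the CCENT material describes; it is not a trunk port. Remember to `copy running-config startup-config` after the sticky addresses have been learned, otherwise they are lost at reload and the port will re-learn whatever plugs in first. Catalyst switches also accept a per-VLAN form, `switchport port-security maximum <n> vlan {access|voice}`, if you want to cap the data VLAN at a single PC separately from the voice VLAN.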