Today I will share how to handle a case where a TC cannot obtain an IP address after it replaces a PC connected to an S series switch.
Issue Description
An IP phone and a PC are connected to the interface of the access switch on the customer network. The interface configuration is as follows:
interface GigabitEthernet1/0/17
 port link-type hybrid
 voice-vlan 20 enable
 voice-vlan legacy enable
 port hybrid pvid vlan 10
 undo port hybrid vlan 1
 port hybrid tagged vlan 20
 port hybrid untagged vlan 10
 stp edged-port enable
 poe legacy enable
 lldp compliance cdp txrx
 port-security enable
 port-security max-mac-num 3
 port-security aging-time 2 type inactivity
 trust 8021p
 unicast-suppression packets 80
 multicast-suppression packets 80
 broadcast-suppression packets 80
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 10
The customer needs to deploy the TC. After the PC connected to the IP phone is replaced with the TC, the TC can obtain an IP address only after a certain period of time, or after the network cable between the PC and the switch is removed and reinstalled.
Handling Process
1. After the PC connected to the phone is removed, check the MAC address of the corresponding interface on the switch. 0017-5976-861f is the MAC address of the IP phone (the IP phone generates secure MAC addresses in PVID 10 and the negotiated voice VLAN 20). c409-38f1-6df1 is the MAC address of the removed PC.
[RHF4C2S5720-ST3-1]dis mac-address GigabitEthernet 1/0/8
-------------------------------------------------------------------------------
MAC Address      VLAN/VSI    Learned-From    Type
-------------------------------------------------------------------------------
0017-5976-861f   10/-        GE1/0/8         security
c409-38f1-6df1   10/-        GE1/0/8         security
0017-5976-861f   20/-        GE1/0/8         security
2. The MAC addresses learned on the interface are secure MAC addresses. As long as the physical status of the interface remains Up, a secure MAC address stays in the table until it ages out. By default, secure MAC addresses do not age; on this interface the aging time is set to 2 minutes.
3. After the MAC address of the PC has aged out, or the network cable between the PC and the switch has been removed and then inserted, check the MAC address table again. In the command output, c409-38f1-6c9e is the MAC address of the TC.
[RHF4C2S5720-ST3-1-GigabitEthernet1/0/8] dis mac-address GigabitEthernet 1/0/8
-------------------------------------------------------------------------------
MAC Address      VLAN/VSI    Learned-From    Type
-------------------------------------------------------------------------------
0017-5976-861f   10/-        GE1/0/8         security
c409-38f1-6c9e   10/-        GE1/0/8         security
0017-5976-861f   20/-        GE1/0/8         security
Root Cause
Port security is configured on the interface and the maximum number of secure MAC addresses is 3. All three entries are already in use, so a new MAC address can take effect only after an original MAC address ages out or the interface goes down and then up.
Solution
1. In this scenario, port security is mainly used to prevent unauthorized access at the access layer and so protect the customer network.
2. On the switch where the TC is to be deployed, change the number of secure MAC addresses to 4. After the deployment is complete, change the number of secure MAC addresses back to 3.
port-security max-mac-num 4
Suggestions
If port security needs to be configured for an interface connected to an IP phone, the number of secure MAC addresses must be greater than the number of access terminals by 1 because the IP phone occupies two MAC addresses.
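The check below is an added example, not part of the original post or any Huawei tool. It parses `display mac-address` output in the format shown above and reports how many secure entries an interface uses against `port-security max-mac-num`, so the limit can be sized before a device swap. The function names are hypothetical, and the sample is constructed from the first output in this post.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the first output in this post.
SAMPLE_OUTPUT = """\
MAC Address      VLAN/VSI    Learned-From    Type
0017-5976-861f   10/-        GE1/0/8         security
c409-38f1-6df1   10/-        GE1/0/8         security
0017-5976-861f   20/-        GE1/0/8         security
"""

# One table row: MAC, VLAN/VSI, learning interface, entry type.
ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+)/\S+\s+(?P<port>\S+)\s+(?P<type>\S+)\s*$",
    re.IGNORECASE,
)

def secure_entries(output):
    """Return {interface: [(mac, vlan), ...]} for rows of type 'security'."""
    table = defaultdict(list)
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m and m["type"].lower() == "security":
            table[m["port"]].append((m["mac"].lower(), int(m["vlan"])))
    return dict(table)

def headroom(entries, max_mac_num):
    """Count entries against the limit; each (MAC, VLAN) row uses one slot,
    which is how the post describes the IP phone occupying two addresses."""
    vlans_by_mac = defaultdict(set)
    for mac, vlan in entries:
        vlans_by_mac[mac].add(vlan)
    used = len(set(entries))
    multi = sorted(m for m, v in vlans_by_mac.items() if len(v) > 1)
    return {"used": used, "free": max(max_mac_num - used, 0),
            "devices": len(vlans_by_mac), "multi_vlan_macs": multi}

if __name__ == "__main__":
    for port, entries in secure_entries(SAMPLE_OUTPUT).items():
        for limit in (3, 4):  # configured value, then the temporary value
            r = headroom(entries, limit)
            state = "full: new MAC waits for aging or link flap" if r["free"] == 0 else "room for a new MAC"
            print(f"{port} max-mac-num {limit}: {r['used']} used, "
                  f"{r['devices']} devices, {r['free']} free ({state})")
```

A MAC listed in `multi_vlan_macs` is a device such as the IP phone that appears in both the PVID and the voice VLAN.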
That is all I want to share with you! Thank you!
