Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.


Port Security and Mitel

Port Security and Mitel

We have had IP phones deployed through a network of 200 ICP's (5-ICP's) for about 2 years. We were using HP 2620 POE switches with VLAN 180. Everything has been running fine for about two years. The customer replaced all swicthes with Cisco 3750 POE 4 months ago. 2 sites now have constant issues where an extension dials another extension (local ICP) the set rings but they cannot be connected. When the user picks up the handset it keeps ringing. This usually last 10-12 seconds. We have pulled numerous logs with Mitel support, pulled wireshark cpatures, I even hired a Cisco sub contractor to help us trouble shoot. I am pretty sure it is the Cisco switches, I just cannot prove it. The logs indicate IP network congestion on the IP trunks everytime the user has an issue, however the user is not using an IP trunk, these are local ext calls. The customer has a feature call Port security on the switches. Does anyone know what that is and if that may have any effect on the Mitel phones? The phones are all 5212 and 5224.
"Voice and Data Solutions"

RE: Port Security and Mitel

Port-security is a layer 2 security feature so it will not be the cause of the call quality issues. Is it the same phone or group of phones each time? I've used Mitel with Cisco in two separate environments and have never had any issues. Can you include a topology of the network?

RE: Port Security and Mitel

It is happening on 2 different sites (MPLS). The funny thing is I get jitter all the time on the WAN. However these are local extension calls internal calling only not across the WAN. Somehow the WAN congestion is affection my (LAN) voice subnet....We have qos enabled and we are using separate VLANS for voice.
"Voice and Data Solutions"

RE: Port Security and Mitel

is the ICP controller and the two phones calling each other on the same site?

RE: Port Security and Mitel

yes. The IP controller is on the same LAN as the phones (it is the DHCP server for the IP phones).
Scope: thru 200
"Voice and Data Solutions"

RE: Port Security and Mitel

I just learned that CDP (Cisco Discovery Protocol) is enabled. IT vendor is stating that it has to be enabled for his Cisco switches. Could this be the issue?
"Voice and Data Solutions"

RE: Port Security and Mitel

Not likely.
Can you provide the switch config, or at least show us the config for a port that has a phone on it?

Frankly, I've seen this situation a lot - blaming switches for problems in call setup doesn't make an enormous amount of sense, so long as you've ruled out the switch config as having any weird stuff in it.

RE: Port Security and Mitel

I suspect this is the default port security aging type and inactivity timeout kicking in and removing the MAC address from the port. for some reason Cisco decided that the default port-security aging type is absolute and not inactivity - i.e. the port learns the MAC address and then the aging timer starts, when the timer expires it removes the MAC address from the port and has to relearn it. I always change this to be an inactivity timer:


switchport port-security aging type inactivity 
I also usually increase the inactivity timer to 10 minutes (the default is 3). If the IP phones don't speak much then 3-minutes might be too short.


RE: Port Security and Mitel

Correct me if I am wrong, but with the default aging-type of "absolute", don't you also get a default timeout of "0 mins", making it permanent anyway?

Also, are you implying the "removing the MAC address from the port" affects the mac-address-table?

If not, I don't see the problem. It will be re-learnt.
But if so, the "unknown" MAC address in the frame's destination field will be TX'd out the correct destination port anyway.

RE: Port Security and Mitel

Port security seems to operate alongside the CAM table and not entirely with it. If you have port security enabled with the default settings (absolute aging type and the default timeout of 3 minutes) then the CAM table is not synchronised with the port-security table (default MAC aging time is 300-seconds, port-security timeout is 180-seconds). I tested this a while ago when we had a fault with some Aastra phones so try it yourself. Configure the default port-security settings on a port and attach an IP device. Start a continuous ping to a device and after each 180-seconds you will loose one as port-security sorts itself out.
This is why I change the aging type to be inactivity and then increase the timeout to be more than the maximum time between the device transmitting. With the Aastra IP Phones (the Ericsson H.323 ones) there is a default keepalive timer that is 10-minutes by default.


Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!


Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close