Port Security and Mitel

Telecomp9434

Vendor
Sep 11, 2009
We have had IP phones deployed through a network of 200 ICP's (5-ICP's) for about 2 years. We were using HP 2620 POE switches with VLAN 180. Everything has been running fine for about two years. The customer replaced all switches with Cisco 3750 POE 4 months ago. 2 sites now have constant issues where an extension dials another extension (local ICP) the set rings but they cannot be connected. When the user picks up the handset it keeps ringing. This usually lasts 10-12 seconds. We have pulled numerous logs with Mitel support, pulled Wireshark captures, I even hired a Cisco subcontractor to help us troubleshoot. I am pretty sure it is the Cisco switches, I just cannot prove it. The logs indicate IP network congestion on the IP trunks every time the user has an issue, however the user is not using an IP trunk, these are local ext calls. The customer has a feature called Port security on the switches. Does anyone know what that is and if that may have any effect on the Mitel phones? The phones are all 5212 and 5224.


"Voice and Data Solutions
 
Port-security is a layer 2 security feature so it will not be the cause of the call quality issues. Is it the same phone or group of phones each time? I've used Mitel with Cisco in two separate environments and have never had any issues. Can you include a topology of the network?

 
It is happening on 2 different sites (MPLS). The funny thing is I get jitter all the time on the WAN. However these are local extension calls, internal calling only, not across the WAN. Somehow the WAN congestion is affecting my (LAN) voice subnet....We have QoS enabled and we are using separate VLANs for voice.

 
Is the ICP controller and the two phones calling each other on the same site?
 
Yes. The IP controller is on the same LAN as the phones (it is the DHCP server for the IP phones).
Controller: 10.185.9.10
Scope: 10.185.9.20 thru 200
GW: 10.185.9.1



 
I just learned that CDP (Cisco Discovery Protocol) is enabled. IT vendor is stating that it has to be enabled for his Cisco switches. Could this be the issue?

 
Not likely.
Can you provide the switch config, or at least show us the config for a port that has a phone on it?

Frankly, I've seen this situation a lot - blaming switches for problems in call setup doesn't make an enormous amount of sense, so long as you've ruled out the switch config as having any weird stuff in it.
 
I suspect this is the default port security aging type and inactivity timeout kicking in and removing the MAC address from the port. For some reason Cisco decided that the default port-security aging type is absolute and not inactivity - i.e. the port learns the MAC address and then the aging timer starts, when the timer expires it removes the MAC address from the port and has to relearn it. I always change this to be an inactivity timer:
Code:
switchport port-security aging type inactivity
I also usually increase the inactivity timer to 10 minutes (the default is 3). If the IP phones don't speak much then 3-minutes might be too short.

Andy
 
Correct me if I am wrong, but with the default aging-type of "absolute", don't you also get a default timeout of "0 mins", making it permanent anyway?

Also, are you implying the "removing the MAC address from the port" affects the mac-address-table?

If not, I don't see the problem. It will be re-learnt.
But if so, the "unknown" MAC address in the frame's destination field will be TX'd out the correct destination port anyway.
 
Port security seems to operate alongside the CAM table and not entirely with it. If you have port security enabled with the default settings (absolute aging type and the default timeout of 3 minutes) then the CAM table is not synchronised with the port-security table (default MAC aging time is 300-seconds, port-security timeout is 180-seconds). I tested this a while ago when we had a fault with some Aastra phones so try it yourself. Configure the default port-security settings on a port and attach an IP device. Start a continuous ping to a device and after each 180-seconds you will lose one as port-security sorts itself out.
This is why I change the aging type to be inactivity and then increase the timeout to be more than the maximum time between the device transmitting. With the Aastra IP Phones (the Ericsson H.323 ones) there is a default keepalive timer that is 10-minutes by default.

Andy
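
Added example, not part of the thread or any poster's code: a Python check that reads `show port-security interface` output and flags the two aging settings discussed above (absolute aging with a non-zero timer, and an inactivity timer no longer than the device's keepalive gap), plus any recorded violations. The sample output is constructed, and `keepalive_mins` is an assumed value you supply per device type.

```python
import re

# Constructed sample in the usual `show port-security interface` layout.
SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 3 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Last Source Address:Vlan   : 0011.2233.4455:180
Security Violation Count   : 0
"""

def parse(text):
    """Turn 'Label : value' lines into a dict keyed by lower-cased label."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:
            fields[label.strip().lower()] = value.strip()
    return fields

def audit(text, keepalive_mins):
    """Return findings for one port. keepalive_mins (assumed input) is the
    longest expected gap between frames sent by the attached device."""
    f = parse(text)
    if f.get("port security") != "Enabled":
        return []
    findings = []
    m = re.match(r"\d+", f.get("aging time", ""))
    aging = int(m.group()) if m else 0      # 0 means aging is disabled
    kind = f.get("aging type", "").lower()
    if aging and kind == "absolute":
        findings.append(f"absolute aging: secure MAC deleted every {aging} min, "
                        "even while the device is sending")
    elif aging and kind == "inactivity" and aging <= keepalive_mins:
        findings.append(f"inactivity timer {aging} min <= keepalive gap "
                        f"{keepalive_mins} min: an idle device can age out")
    m = re.match(r"\d+", f.get("security violation count", ""))
    if m and int(m.group()) > 0:
        findings.append(f"{m.group()} security violations recorded on this port")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, keepalive_mins=10):
        print(finding)
```

Run it over the output captured from each phone port at the affected sites; a port that returns no findings has aging disabled or an inactivity timer longer than the keepalive gap you passed in.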
 