Two PCs connected with an IP phone
With lock a MAC to a port-VLAN pair feature, you can limit the number of devices connected with an IP phone.
In an above scenario, mixed learn-mode has address limit of three, one static MAC address and two dynamic MAC addresses (PCs). The static MAC address (IP phone) is configured on VLAN 20. The VLAN 20 locks the IP phone and prevents dynamic MAC address learning on same port-VLAN pair. Dynamic MAC addresses are learnt on same port but for VLAN 10.
Sample configuration for two PCs connected with an IP phone:
switch(config)# vlan 10 switch(vlan-10)# untagged 1 switch(vlan-10)# exit switch(config)# vlan 20 switch(vlan-20)# tagged 1 switch(vlan-20)# voice switch(vlan-20)# exit switch(config)# port-security A3 learn-mode mixed switch(config)# port-security A3 address-limit 3 mac-address 000000-000701 vlan-id 20 action send-alarm
switch(config)# show run interface A3 Running configuration: interface A3 tagged vlan 20 untagged vlan 10 port-security learn-mode mixed address-limit 3 action send-alarm mac-address 000000-000701 vlan-id 20 exit switch(config)# show run Running configuration: ; JL254A Configuration Editor; ; Ver #14:27.6f.f8.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:04 hostname "switch" module 1 type jl254a mac-age-time 60 port-security 1 learn-mode mixed port-security 1 address-limit 3 port-security 1 mac-address 000000-000701 vlan-id 20 port-security 1 action send-alarm snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN" no untagged 1 untagged 2-52 ip address dhcp-bootp ipv6 enable ipv6 address dhcp full exit vlan 10 name "VLAN10" untagged 1 no ip address exit vlan 20 name "VLAN20" tagged 1 no ip address voice exit