802.1x and Voice VLAN

I had read articles on CCO, and I believed that on the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone's data port will get authenticated.
I had configured 802.1x and tested with a notebook logon, and was able to access the network. Now I would like to test with the notebook attached to the IP phone data port, and the phone connected to a switch port configured with 802.1x. But I failed to add the voice vlan command. Why?
interface GigabitEthernet9/48
description temporary port
switchport
switchport access vlan 12
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
CIG01-ENT-SW1(config-if)#switchport voice vlan 14
Command rejected: Gi9/48 is Dot1x enabled port.

Using IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
What kind of switch do you have? On a 3550 I can configure the port for both VVID and PVID:
interface FastEthernet0/1
switchport access vlan 3
switchport mode access
switchport voice vlan 2
no ip address
dot1x port-control auto
spanning-tree portfast
end
Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authenticated:
under the interface, configure "dot1x host-mode multi-host"
Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes, it does not look like dot1x and vvlan can play together on that platform.
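
The host-mode rules quoted above, turned into a small config audit as an added example (not code from the thread or from Cisco). It matches only the four interface commands that appear in this thread; the sample config and the finding names are constructed for illustration, and a port with no "dot1x host-mode" line is assumed to be in single-host mode.

```python
import re

# Constructed sample config; interface names and VLAN numbers are illustrative.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport voice vlan 2
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport voice vlan 2
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 2
 switchport voice vlan 2
 dot1x port-control auto
!
"""

# Finding names are made up for this example; the text paraphrases the thread.
FINDINGS = {
    "NO_DOT1X": "voice VLAN port without 802.1x: nothing on it is authenticated",
    "PVID_EQUALS_VVID": "access VLAN equals voice VLAN on a dot1x port",
    "MULTI_HOST_OPENS_VVID": "multi-host: one authenticated supplicant opens "
                             "PVID and VVID to additional clients",
    "VVID_CDP_GATED": "single-host: phone is admitted to the VVID via CDP, "
                      "not via 802.1x",
}


def parse_interfaces(config_text):
    """Return {interface: [commands]}; works with or without indentation."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if line.lower().startswith("interface "):
            current = line.split(" ", 1)[1]
            ports[current] = []
        elif line in ("", "!", "end", "exit"):
            current = None                    # stanza terminator
        elif current is not None:
            ports[current].append(line)
    return ports


def _vlan(commands, pattern):
    """Return the VLAN number from the first command matching pattern."""
    for cmd in commands:
        m = re.fullmatch(pattern, cmd)
        if m:
            return int(m.group(1))
    return None


def audit_port(commands):
    """Return the list of finding codes for one interface stanza."""
    access = _vlan(commands, r"switchport access vlan (\d+)")
    voice = _vlan(commands, r"switchport voice vlan (\d+)")
    if voice is None:
        return []                             # not a voice VLAN port
    if "dot1x port-control auto" not in commands:
        return ["NO_DOT1X"]
    findings = []
    if access == voice:
        findings.append("PVID_EQUALS_VVID")
    # Assumption: no explicit host-mode line means single-host.
    if "dot1x host-mode multi-host" in commands:
        findings.append("MULTI_HOST_OPENS_VVID")
    else:
        findings.append("VVID_CDP_GATED")
    return findings


def audit_config(config_text):
    """Return {interface: [finding codes]} for every interface stanza."""
    return {name: audit_port(cmds)
            for name, cmds in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for port, codes in audit_config(SAMPLE_CONFIG).items():
        for code in codes:
            print(f"{port}: {code}: {FINDINGS[code]}")
```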

Similar Messages

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACL's so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy
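
One way to watch for a non-phone device on the voice VLAN, the scenario raised in this thread, as an added example that is not part of the original posts. The MAC-table text is constructed in the usual "show mac address-table" layout, VLANs 12 and 14 are the data and voice VLANs from the first thread on this page, and the OUI allow-list reuses "voice vlan oui-table" entries quoted in a later thread; the reason names are made up here.

```python
import re

VOICE_VLAN = 14  # voice VLAN from the first thread on this page

# Phone OUIs copied from the "voice vlan oui-table add" lines on this page.
PHONE_OUIS = {
    "0001e3", "00036b", "00096e", "000fe2",
    "0060b9", "00d01e", "00e075", "00e0bb",
}

# Constructed sample; every MAC address and port below is invented.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  14    0003.6b12.3456    DYNAMIC     Gi9/46
  12    0011.2233.4455    DYNAMIC     Gi9/46
  14    00e0.bbaa.0001    DYNAMIC     Gi9/47
  14    0050.56aa.bb01    DYNAMIC     Gi9/48
  12    0050.56aa.bb01    DYNAMIC     Gi9/48
  14    0024.d7cc.0002    DYNAMIC     Gi9/45
"""

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(\S+)\s+(\S+)\s*$"
)


def parse_mac_table(text):
    """Return [(vlan, mac_without_dots, port)]; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            rows.append((int(vlan), mac.replace(".", "").lower(), port))
    return rows


def suspicious_voice_entries(text, voice_vlan=VOICE_VLAN,
                             phone_ouis=PHONE_OUIS):
    """Flag voice-VLAN MACs that do not look like phones.

    Two heuristics:
      oui-not-phone      the OUI is not in the phone allow-list
      also-on-data-vlan  the same MAC is learned on another VLAN of the
                         same port, i.e. one NIC is present untagged
                         and tagged
    """
    rows = parse_mac_table(text)
    off_voice = {(mac, port) for vlan, mac, port in rows if vlan != voice_vlan}
    hits = []
    for vlan, mac, port in rows:
        if vlan != voice_vlan:
            continue
        reasons = []
        if mac[:6] not in phone_ouis:
            reasons.append("oui-not-phone")
        if (mac, port) in off_voice:
            reasons.append("also-on-data-vlan")
        if reasons:
            hits.append({"port": port, "mac": mac, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_voice_entries(SAMPLE_MAC_TABLE):
        print(hit["port"], hit["mac"], ",".join(hit["reasons"]))
```

An OUI match is only a tripwire, since a client chooses its own source MAC; treat hits as leads to follow up alongside the Layer-3 ACLs mentioned in the thread.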

  • DHCP and voice vlan on Cisco 3560 switch

    Greetings,
    I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
    1. Using the Cisco 3560 as a DHCP server - Config examples.  Do I need to use different subnets for the voice and data vlans?
    2. Layer 2 CoS QoS  - I'm connecting Aastra phones as well as notebooks - I've been told that Aastra also makes use of the voice vlan config through LLDP and that Aastra phones supports CDP.
    Your assistance will be appreciated.

    Hi ,
    Cisco recommends that you have a separate vlan for  voice and data with different ip subnets for voice and data. You will need to configure the dhcp pool accordingly.
    Here is the config guide for setting up IOS DHCP server:
    http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
    Here is the LAN qos recommendations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009

  • 802.1X and automatic vlan assignment

    Hello,
    I'm testing an 802.1X infrastructure:
    Switch: Tried with Netgear Prosafe GS728TPS and Cisco SF300
    Radius Server: Microsoft NPS
    DHCP Relay for address assignment by VLAN
    I have created some policies with simple authentication for testing (MSCHAP V2) and VLAN assignment or not (depending on Active Directory Group).
    All works fine on Windows 7 Pro. User 1 is authenticated without a VLAN and user 2 is authenticated with a VLAN.
    The DHCP works fine and the 2 users have an IP.
    When I try on Mac OS X (ver. 10.7.2 and ver. 10.9.2), user 1 (without VLAN) works fine. I have an IP and access to the LAN. But user 2 (with VLAN) doesn't work. The Mac doesn't get an IP and I'm not on the VLAN. If I manually set an IP of the VLAN, I have no access to the VLAN.
    Are there some specific parameters to add to enable VLAN on Mac OS X?
    Thanks for reply
    Ben

    Edit : It's for wired connections

  • SF500 48P - Multiple VLANs and Voice VLAN

    I have an SF500-48P switch and have several VLANs on it (over 25 VLANs).
    Each of these ports shall also support an IP phone on VLAN 4.
    I was thinking about using LLDP so I won't have to set up the VLAN manually on each phone.
    But when I do, here's what's happening:
    Original configuration:
    Port 25:
    Vlan 35 untagged
    When I plug the phone, the configuration changes to:
    Vlan 1 untagged
    Vlan 4 tagged
    I was expecting the following:
    Vlan 35 untagged
    Vlan 4 tagged
    Note that ports 1-25 have their own individual VLAN and need to be isolated (already done ACL in the router).
    I need help,
    regards,

    What about my other ports that belongs to other Vlans (11-24)?
    With the steps you gave me, as soon I connect a Phone, the untagged Vlan becomes 35 for any ports where a phone is connected.
    Since I have several Vlans untagged (only 1 per port), I don't want the untagged vlan to be changed by the smartport settings.  Is there a way to do that?

  • 802.1x, voice vlan and IP phone

    Hi, I reviewed many posts here, and I still need the clarification how 802.1x on the switch works with non-Cisco IP phone (not supporting CDP) and PC connected to the PC port. If I configure 802.1x on a switch port, along with access and voice vlan, next I configure the static voice vlan on the non-Cisco phone, will it be possible to authenticate the user on the PC and bypass authentication for IP phone? Is CDP required in such scenario - (non-Cisco IP phone doesn't support it)?
    Regards,
    Krzysztof

    You need CDP for touchless interop. CDP can of course be spoofed though, so proceed with caution anyway.
    You need multi-domain authentication to appropriately deal with non-Cisco phones and port-based access-control. See here to get started:
    <http://www.cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a008077a284.html#wp1231964>
    Hope this helps,

  • SG-300 28P switches problem with VLAN Data and Voice, working all the time as Voice VLAN

    Hi Everyone,
    Thank you very much for your help in advance. I’m pulling my hair out to fix the problem.
    I just got the new SG-300 28P switches. My Bios ordered for me. I did not know how it runs until now... not IOS based. I really do not know how to configure it.
    I have 2 VLANs, Data and Voice.
    - Data VLAN ID is 2, IP 192.168.2.X/255.255.255.0
    - Voice VLAN ID is 200, IP 192.168.22.X/255.255.255.0
    - I created two VLANs in the switch, Data and Voice.
    - On port number 28, it is trunk by default, so I added Data VLAN ID 2 tagged.
    - On port number 26, it is trunk by default, so I added Voice VLAN ID 200 tagged.
    - On port number 27, I added Data VLAN ID 2 tagged for Data VLAN out.
    - Port settings No.1
    I set it up as Trunk with Data VLAN 2 untagged, and 200 Tagged (voice VLAN). I plugged in a phone with a PC attached. But the PC will get to VLAN 200 to get the DHCP address, but not from VLAN 2. The phone works with the correct VLAN IP.
    - Port settings No.2
    Trunk with vlan 1UP, 2T, and 200T. The phone is even worse. It would never pick up any IP from DHCP.
    - Port settings No.3
    Access with 200U... of course the phone will work... and the PC could not get to its own VLAN. Instead, the PC got an IP from the voice VLAN, not from VLAN 2.
    I have a Linksys phone; I’m not sure if this helps.
    For more information, this is what I set up in the switch:
    - enable voice vlan
    - set the port on auto voice vlan
    - enable LLDP-MED globally
    - create a network policy to assign VLAN 200
    - assign this network policy to the port the phone is connected to.
    I hope this information helps you to help me set up the Data and Voice VLANs, so that the phone works on Voice VLAN 200 (IP range 192.168.22.X), and the PC plugged into the phone works on Data VLAN 2 (IP range 192.168.2.X).

    I just got done setting up voice VLANs on an SF 300-24P and verified working.  This was working with Cisco 7900 series phones connected to a Cisco UC setup.
    Here's my sample config.
    Note that I edited this by hand before posting, so doing a flat out tftp restore probably won't work.  However, this should give you a clue.  Also, don't take this as 100% accurate or correct.  I've only been working with these things for about a week, though I've worked with the older Linksys SRW switches for a couple of years.  I'm a CCNP/CCDP.
    VLAN 199 is my management VLAN and is the native VLAN on 802.1q trunks.
    VLAN 149 is the data/computer VLAN here.
    VLAN 111 is the voice/phone VLAN here.
    VLAN 107 does nothing.
    interface range ethernet e(1-24)
    port storm-control broadcast enable
    exit
    interface ethernet e1
    port storm-control include-multicast
    exit
    interface ethernet e2
    port storm-control include-multicast
    exit
    interface ethernet e3
    port storm-control include-multicast
    exit
    interface ethernet e4
    port storm-control include-multicast
    exit
    interface ethernet e5
    port storm-control include-multicast
    exit
    interface ethernet e6
    port storm-control include-multicast
    exit
    interface ethernet e7
    port storm-control include-multicast
    exit
    interface ethernet e8
    port storm-control include-multicast
    exit
    interface ethernet e9
    port storm-control include-multicast
    exit
    interface ethernet e10
    port storm-control include-multicast
    exit
    interface ethernet e11
    port storm-control include-multicast
    exit
    interface ethernet e12
    port storm-control include-multicast
    exit
    interface ethernet e13
    port storm-control include-multicast
    exit
    interface ethernet e14
    port storm-control include-multicast
    exit
    interface ethernet e15
    port storm-control include-multicast
    exit
    interface ethernet e16
    port storm-control include-multicast
    exit
    interface ethernet e17
    port storm-control include-multicast
    exit
    interface ethernet e18
    port storm-control include-multicast
    exit
    interface ethernet e19
    port storm-control include-multicast
    exit
    interface ethernet e20
    port storm-control include-multicast
    exit
    interface ethernet e21
    port storm-control include-multicast
    exit
    interface ethernet e22
    port storm-control include-multicast
    exit
    interface ethernet e23
    port storm-control include-multicast
    exit
    interface ethernet e24
    port storm-control include-multicast
    exit
    interface range ethernet g(1-4)
    description "Uplink trunk"
    exit
    interface range ethernet g(1-4)
    switchport default-vlan tagged
    exit
    interface range ethernet e(21-24)
    switchport mode access
    exit
    vlan database
    vlan 107,111,149,199
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 107
    exit
    interface range ethernet e(21-24)
    switchport access vlan 111
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 111
    exit
    interface range ethernet e(1-20)
    switchport trunk native vlan 149
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 149
    exit
    interface range ethernet g(1-4)
    switchport trunk native vlan 199
    exit
    voice vlan aging-timeout 5
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    voice vlan oui-table add 108ccf MyCiscoIPPhones1
    voice vlan oui-table add 40f4ec MyCiscoIPPhones2
    voice vlan oui-table add 8cb64f MyCiscoIPPhones3
    voice vlan id 111
    voice vlan cos 6 remark
    interface ethernet e1
    voice vlan enable
    exit
    interface ethernet e1
    voice vlan cos mode all
    exit
    interface ethernet e2
    voice vlan enable
    exit
    interface ethernet e2
    voice vlan cos mode all
    exit
    interface ethernet e3
    voice vlan enable
    exit
    interface ethernet e3
    voice vlan cos mode all
    exit
    interface ethernet e4
    voice vlan enable
    exit
    interface ethernet e4
    voice vlan cos mode all
    exit
    interface ethernet e5
    voice vlan enable
    exit
    interface ethernet e5
    voice vlan cos mode all
    exit
    interface ethernet e6
    voice vlan enable
    exit
    interface ethernet e6
    voice vlan cos mode all
    exit
    interface ethernet e7
    voice vlan enable
    exit
    interface ethernet e7
    voice vlan cos mode all
    exit
    interface ethernet e8
    voice vlan enable
    exit
    interface ethernet e8
    voice vlan cos mode all
    exit
    interface ethernet e9
    voice vlan enable
    exit
    interface ethernet e9
    voice vlan cos mode all
    exit
    interface ethernet e10
    voice vlan enable
    exit
    interface ethernet e10
    voice vlan cos mode all
    exit
    interface ethernet e11
    voice vlan enable
    exit
    interface ethernet e11
    voice vlan cos mode all
    exit
    interface ethernet e12
    voice vlan enable
    exit
    interface ethernet e12
    voice vlan cos mode all
    exit
    interface ethernet e13
    voice vlan enable
    exit
    interface ethernet e13
    voice vlan cos mode all
    exit
    interface ethernet e14
    voice vlan enable
    exit
    interface ethernet e14
    voice vlan cos mode all
    exit
    interface ethernet e15
    voice vlan enable
    exit
    interface ethernet e15
    voice vlan cos mode all
    exit
    interface ethernet e16
    voice vlan enable
    exit
    interface ethernet e16
    voice vlan cos mode all
    exit
    interface ethernet e17
    voice vlan enable
    exit
    interface ethernet e17
    voice vlan cos mode all
    exit
    interface ethernet e18
    voice vlan enable
    exit
    interface ethernet e18
    voice vlan cos mode all
    exit
    interface ethernet e19
    voice vlan enable
    exit
    interface ethernet e19
    voice vlan cos mode all
    exit
    interface ethernet e20
    voice vlan enable
    exit
    interface ethernet e20
    voice vlan cos mode all
    exit
    interface ethernet e1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e5
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e6
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e7
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e8
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e9
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e10
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e11
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e12
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e13
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e14
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e15
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e16
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e17
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e18
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e19
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e20
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e21
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e22
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e23
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e24
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e1
    lldp med notifications topology-change enable
    exit
    interface ethernet e2
    lldp med notifications topology-change enable
    exit
    interface ethernet e3
    lldp med notifications topology-change enable
    exit
    interface ethernet e4
    lldp med notifications topology-change enable
    exit
    interface ethernet e5
    lldp med notifications topology-change enable
    exit
    interface ethernet e6
    lldp med notifications topology-change enable
    exit
    interface ethernet e7
    lldp med notifications topology-change enable
    exit
    interface ethernet e8
    lldp med notifications topology-change enable
    exit
    interface ethernet e9
    lldp med notifications topology-change enable
    exit
    interface ethernet e10
    lldp med notifications topology-change enable
    exit
    interface ethernet e11
    lldp med notifications topology-change enable
    exit
    interface ethernet e12
    lldp med notifications topology-change enable
    exit
    interface ethernet e13
    lldp med notifications topology-change enable
    exit
    interface ethernet e14
    lldp med notifications topology-change enable
    exit
    interface ethernet e15
    lldp med notifications topology-change enable
    exit
    interface ethernet e16
    lldp med notifications topology-change enable
    exit
    interface ethernet e17
    lldp med notifications topology-change enable
    exit
    interface ethernet e18
    lldp med notifications topology-change enable
    exit
    interface ethernet e19
    lldp med notifications topology-change enable
    exit
    interface ethernet e20
    lldp med notifications topology-change enable
    exit
    interface ethernet e21
    lldp med notifications topology-change enable
    exit
    interface ethernet e22
    lldp med notifications topology-change enable
    exit
    interface ethernet e1
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e2
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e3
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e4
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e5
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e6
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e7
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e8
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e9
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e10
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e11
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e12
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e13
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e14
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e15
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e16
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e17
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e18
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e19
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e20
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e21
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e22
    lldp med enable network-policy poe-pse
    exit
    lldp med network-policy 1 voice vlan 111 vlan-type tagged
    interface range ethernet e(1-22)
    lldp med network-policy add 1
    exit
    interface vlan 199
    ip address 199.16.30.77 255.255.255.0
    exit
    ip default-gateway 199.16.30.3
    interface vlan 1
    no ip address dhcp
    exit
    no bonjour enable
    bonjour service enable csco-sb
    bonjour service enable http  
    bonjour service enable https 
    bonjour service enable ssh   
    bonjour service enable telnet
    hostname psw1
    line console
    exec-timeout 30
    exit
    line ssh
    exec-timeout 30
    exit
    line telnet
    exec-timeout 30
    exit
    management access-list Management1
    permit ip-source 10.22.5.5 mask 255.255.255.0
    exit
    logging 199.16.31.33 severity debugging description mysysloghost
    aaa authentication enable Console local
    aaa authentication enable SSH tacacs local
    aaa authentication enable Telnet local
    ip http authentication tacacs local
    ip https authentication tacacs local
    aaa authentication login Console local
    aaa authentication login SSH tacacs local
    aaa authentication login Telnet local
    line telnet
    login authentication Telnet
    enable authentication Telnet
    password admin
    exit
    line ssh
    login authentication SSH
    enable authentication SSH
    password admin
    exit
    line console
    login authentication Console
    enable authentication Console
    password admin
    exit
    username admin password admin level 15
    power inline usage-threshold 90
    power inline traps enable
    ip ssh server
    snmp-server location in-the-closet
    snmp-server contact [email protected]
    ip http exec-timeout 30
    ip https server
    ip https exec-timeout 30
    tacacs-server host 1.2.3.4 key spaceballz  timeout 3  priority 10
    clock timezone -7
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 199.16.30.1
    sntp server 199.16.30.2
    ip domain-name mydomain.com
    ip name-server  199.16.5.12 199.16.5.13
    ip telnet server

  • Passing voice and data Vlans on Cisco SG200-08P help

    Hello All,
    I'm struggling with a configuration issue on the Cisco SG200-08P.
    We are using the Cisco SG200-08P on a mobile cart that will go from classroom to classroom and that will have a computer and a Cisco VoIP phone plugged into it. The issue is that each of our closets is in different VLANs (1 voice and 1 data... let's say data vlan 20 and voice vlan 2025 for conversation) and that we route to each closet.
    It would be great if I could just create a generic data and voice vlan to dynamically pick up what the upstream switch has; however, it seems that I've been unsuccessful in doing so.
    So far I can pass the data VLAN no problem. The upstream switch port is set to access port and a switch port access voice vlan (these are 3750x switches).
    If the above is not possible I guess I will take what I can get. Should I just create data vlan 20 and voice vlan 2025 on the Cisco SG200-08P and make a trunk port on the Cisco SG200-08P and a trunk on the 3750x? Is there an option on the Cisco SG200-08P to tag voice traffic?
    I'm also concerned with VTP and I did not see an area in the Cisco SG200-08P to set that as a client and transparent mode.
    Thanks for any help,
    Dan

    On a Catalyst switch, when a port is defined as a trunk without a vlan specified on the port, all vlan pass through the port. On a small business switch it is nearly the opposite. You must specify the vlans on the links. Additionally, ingress filter discards anything not associated to the port.
    802.1q specifies there must be an untagged vlan which is the native vlan (of course you can make exceptions, tagging the default vlan..).
    One thing I did in the past with a 2960, I made an LLDP network policy and it basically "provisioned" the downstream switch connecting link and voice vlan. That may be another idea for you.
    Here's a link that may be useful-
    https://supportforums.cisco.com/message/3811376
    Here is the 2960 config I used to feed a SB switch voice info
    Switch#show run
    Building configuration...
    Current configuration : 2206 bytes
    ! Last configuration change at 00:41:16 UTC Mon Mar 1 1993
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no aaa new-model
    system mtu routing 1500
    vtp mode transparent
    network-policy profile 1
    voice vlan 100 cos 4
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 2
    name test
    vlan 100
    lldp run
    interface FastEthernet0/1
    network-policy 1
    spanning-tree portfast
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    interface FastEthernet0/6
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    interface FastEthernet0/14
    interface FastEthernet0/15
    interface FastEthernet0/16
    interface FastEthernet0/17
    interface FastEthernet0/18
    interface FastEthernet0/19
    interface FastEthernet0/20
    interface FastEthernet0/21
    interface FastEthernet0/22
    interface FastEthernet0/23
    interface FastEthernet0/24
    interface FastEthernet0/25
    interface FastEthernet0/26
    interface FastEthernet0/27
    interface FastEthernet0/28
    interface FastEthernet0/29
    interface FastEthernet0/30
    interface FastEthernet0/31
    interface FastEthernet0/32
    interface FastEthernet0/33
    interface FastEthernet0/34
    interface FastEthernet0/35
    interface FastEthernet0/36
    interface FastEthernet0/37
    interface FastEthernet0/38
    interface FastEthernet0/39
    interface FastEthernet0/40
    interface FastEthernet0/41
    interface FastEthernet0/42
    interface FastEthernet0/43
    interface FastEthernet0/44
    interface FastEthernet0/45
    interface FastEthernet0/46
    interface FastEthernet0/47
    interface FastEthernet0/48
    interface GigabitEthernet0/1
    switchport mode trunk
    interface GigabitEthernet0/2
    interface Vlan1
    no ip address
    interface Vlan100
    no ip address
    ip http server
    ip http secure-server
    logging esm config
    line con 0
    line vty 5 15
    end
    Switch#
    -Tom
    Please mark answered for helpful posts

  • Best Practices to separate voice and Data vlans

    Hello All.
    I am coming to the community to get some advice on a specific subject.
    One of my customers is actually using VLAN access-lists to isolate its data from its voice VLAN traffic.
    As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of the solution was too high in the sky.
    Can someone guide me towards security best practices when it comes to data and voice VLAN traffic isolation, please?
    thanks
    Regards
    T.

    thomas.fayet wrote: "Hi again Collin, may I ask you what type of fw / switches / IOS version you are using for this topology? Also, is the media traffic going through your fw if one voice vlan wants to talk to another voice vlan? Rgds"
    Access Switches: 3560
    Distro: 4500 or 6500
    FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)
    It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are.

  • Configure Voice and Data VLAN in CISCO SF 300 8P

    I have a couple of Cisco SF 300 8P and 24 P Switches. I have voice and Data VLAN configured as :
    Data VLAN : Default 145.17.59.0/24
    Voice VLAN : VLAN 20 172.22.20.0/24
    I have different DHCP servers: for the Data VLAN we have a physical server which is configured for the 145.17.59.* IP scope, and the Voice VLAN DHCP server is configured in the gateway router with option 150.
    This configuration works fine with other Cisco switches like 2960 and 3750 etc. except the CISCO SF 300 8P and 24P. I was trying to configure both voice and Data VLAN in these CISCO switches so that the CISCO phone (Model 6941) should get an IP from the Voice VLAN and the PC should get an IP from the Data VLAN DHCP server. I have tried several techniques like LLDP, Port to VLAN Config etc.
    Can anyone please guide me/help on this.
    Regards,
    A K.M.Sayeed

    Hi A.K.M., with Cisco phones you should be able to simply set auto voice VLAN to be VLAN20. 
    voice vlan id 20
    You should ensure CDP and/or LLDP are enabled as well. I would check this in web GUI. DHCP for the phones can come from the switch, a DHCP server on a VLAN20 access port or you can use dhcp helper to redirect DHCP to server elsewhere.
    If you prefer or have issues with CDP or LLDP you can also program ports as trunks and add tagged VLAN 20 to them. In this scenario you need to ensure inter-vlan routing is working and that phones download the config file with the correct VLAN config.
    These switches do not run ios so they are similar but different than catalyst switches you referred to.
    -- please remember to rate helpful posts --

  • 802.1x and IP Phone

    Is it possible to enable dot1x and voice on the same interface? If so which switches and IOS support this feature ?
    Any references to documents ?
    Commands that cannot be configured together :-
    switch voice vlan xxx
    dot1x port-control auto

    It is possible to enable 802.1X and voice on the same port. If the phone does CDP, it is allowed through, regardless of the 802.1X state of the port with this config. Here are the switches that support this, with the minimum required releases:
    CatOS (6500) - 7.6(1)
    IOS (4500) - 12.1(20)EWA
    IOS (3750) - 12.2(25)SEA
    IOS (3560) - 12.2(25)SEA
    IOS (3550) - 12.1(12c)EA1
    IOS (2960) - 12.2(25)FX
    IOS (2950) - 12.1(12c)EA1
    IOS (2940) - 12.1(13)AY
    Hope this helps,
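Because a CDP-speaking phone is let through regardless of the 802.1X state of the port, it is worth knowing which access ports combine the two features and which carry a voice VLAN with no 802.1X at all. The following is an added example, not code from the thread: a Python audit of a running-config dump, where the sample config, function names and category labels are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the switches in this thread).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 12
 switchport mode access
 switchport voice vlan 14
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport access vlan 12
 switchport voice vlan 14
!
interface FastEthernet0/3
 switchport access vlan 12
 dot1x port-control auto
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/4
"""

def parse_interfaces(config):
    """Map interface name -> sub-commands. Lines attach to the most recent
    'interface' line, so flattened (unindented) dumps parse as well."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif current is not None and line and line != "!":
            current.append(line)
    return ports

def classify(cmds):
    """Hypothetical category labels for one port's 802.1X / voice VLAN state."""
    voice = any(c.startswith("switchport voice vlan ") for c in cmds)
    dot1x = "dot1x port-control auto" in cmds
    if "switchport mode trunk" in cmds:
        return "trunk"
    if dot1x:
        return "dot1x+voice" if voice else "dot1x-data-only"
    return "voice-no-dot1x" if voice else "no-dot1x"

def audit(config):
    """Classify every physical port; SVIs (interface VlanN) are skipped."""
    ports = parse_interfaces(config)
    return {n: classify(c) for n, c in ports.items() if not n.startswith("Vlan")}

def ports_without_dot1x(config):
    """Non-trunk ports that never require 802.1X authentication."""
    return [n for n, c in audit(config).items() if c in ("voice-no-dot1x", "no-dot1x")]
```

Ports reported as `dot1x+voice` still admit the phone on the voice VLAN through CDP, so the audit shows where that exception applies rather than confirming the phone is authenticated.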

  • Switchport voice vlan : untagged / none / dot1p

    Hope anyone can shed light on this.
    When "switchport voice vlan <keyword>" is configured, a Cisco IP Phone will be instructed via CDP how to deal with voice frames. According to CCNP BCMSN Official Certification Guide, a diagram suggests that when using "untagged" as keyword, IP Phone will use a Special 802.1Q trunk case so that 802.1p bits can be set. It also shows a table which seems to contradict the diagram as the CoS bits column indicates no 802.1p bits are set.
    So, can anyone tell me the difference in terms of 802.1Q, 802.1p, and native vlan in how each mode (untagged/dot1p) goes about it?
    My understanding is that with dot1p IP Phone will use 802.1Q using VLAN 0 (null or "native" vlan) merely for frames to be prioritized using 802.1p bits. As for "untagged" mode, I read somewhere that IP Phone would also use 802.1Q vlanid=1025, again, just for 802.1p bits to be set. But "untagged" seems to me like "none" when it comes to how the IP PHone will forward its voice frames.
    Thank you!

    My understanding is the following:
    with dot1Q - it will trunk using dot1q encapsulation
    with dot1p - it will use ISL encapsulation
    with untagged - native VLAN configured on the port.
    This is how it works:
    This is how PC at the back of IP Phone works:
    Once native is configured, the switch will communicate with the PC with no vlan tags but will add the NATIVE VLAN TAG when packets are forwarded to the LAN. So when you configure NATIVE VLAN, this is the VLAN whose tag the switch adds to packets.
    At the same time, once tagged packets with NATIVE VLAN arrive at the switch port destined to the PC, the switch will remove the trunking encapsulation (otherwise packets will be discarded by the PC) and will send the packets to the PC.
    Similar rule is applicable to IP Phone.
    Regards,
    Vakhtang

  • 802.1X with Guest vlan support IOS version ???

    I don't know which IOS version supports 802.1X with Guest vlan on Catalyst 2950 and 3550 switches.
    Please reply to my question.

    Thanks for your help.
    Also, it is explained on the Cisco web site, except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3,
    but I can't understand: my site is using Catalyst 2950 SI with 802.1X and guest vlan in IOS image 12.1(22)EA3
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    please, reply for my question

  • SG 200 50-P Voice Vlan

    Hi all,
    I am not familiar with the graphical interface of the SG 200-50P but I need to configure a dual data and voice vlan on a port.
    I globally disabled the Smartport and Auto Voice Vlan features on the switch.
    Data Vlan : 2
    Voice Vlan: 3
    All ports connected between the switches and to the Virtual Machine DHCP server are configured as trunk with the Vlan 2 and 3 "TAGGED"
    If I connect an IP phone to a trunk port (Vlan 2 Untagged and Vlan 3 Tagged), which I think is the appropriate way to do it, the phone will get an IP from the scope of the data vlan (192.168.1.x/24).
    If I connect the IP phone to a trunk port (Vlan 2 Tagged and Vlan 3 Untagged), the phone will get an IP from the Voice vlan scope (192.168.3.x/24) but the PC attached to the phone will also have an IP from the voice vlan scope.
    Please advise

    For that problem I configured the following:
    Port mode to "General":
    vlan2 untagged
    vlan3 tagged
    At Media VLan I enabled the Application "voice" and "voice signaling" for that port

  • Phone not picking up Voice VLAN

    Hi All,
    Strange issue that's just started happening with a few 6921 phones.
    On our Cisco switch, when a port is configured with data and voice vlan, the phone picks up an IP address from the data vlan and in turn doesn't register. It's as if it doesn't see the voice vlan. As soon as I remove the data vlan and have voice vlan only on the port, the phone picks up an IP from the voice network and registers against the CME. This all worked before on the same ports, nothing changed. It just suddenly stopped working.
    Anyone seen this before?
    Thanks

    Hi,
    Ok first output is when the phone doesn't work. VLAN 7 is the data vlan and 81 is Voice on this LAN.
    interface FastEthernet2/0/39
     description IP and Data Port
     switchport access vlan 7
     switchport mode access
     switchport voice vlan 81
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     macro description cisco-phone
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy input AutoQoS-Police-CiscoPhone
    Output below is when the phone does work.
    interface FastEthernet2/0/39
     description IP and Data Port
     switchport mode access
     switchport voice vlan 81
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     macro description cisco-phone
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy input AutoQoS-Police-CiscoPhone
    end
    And this did work previously. Only 6921 phones affected.
