About SRW224G4P Voice vlan issue

Hi,
I've configured the SRW with many VLANs, using VLAN 212 for voice and 348 for data, and connected a Cisco IP Phone.
vlan database
vlan 210-216,345-348
exit
voice vlan id 212
interface fastethernet1
 storm-control broadcast enable
 storm-control broadcast level 10
 storm-control include-multicast
 port security max 10
 port security mode max-addresses
 port security discard trap 60
 spanning-tree portfast
 switchport trunk allowed vlan add 212
 switchport trunk native vlan 348
 macro description ip_phone_desktop
 !next command is internal.
 macro auto smartport dynamic_type ip_phone_desktop
but when I show voice vlan,
it shows:
=====================================
1ASW01#show voice vlan                        
Administrate Voice VLAN state is auto-triggered
Operational Voice VLAN state is auto-enabled
Best Local Voice VLAN-ID is 212
Best Local VPT is 5 (default)
Best Local DSCP is 46 (default)
Agreed Voice VLAN is received from switch 34:62:88:73:05:c9
Agreed Voice VLAN priority is  0 (active static source)
Agreed Voice VLAN-ID is 216
Agreed VPT is 5
Agreed DSCP is 46
Agreed Voice VLAN Last Change is 03-May-13 05:06:31
=====================================
I don't know why VLAN 216 became the voice VLAN.
I've tried modifying the macro built-in parameters,
macro auto built-in parameters ip_phone $native_vlan 348
macro auto built-in parameters ip_phone_desktop $native_vlan 348
but the system could not modify the $voice_vlan value.
How can I fix it?

Hi Skywings,
So I am guessing the above output is after the change, right? If this is true it looks like something went wrong during the configuration process. The Auto Voice VLAN process has two main phases, where the first one is related to communication between switches and other Cisco infrastructure devices and synchronizing the Voice VLAN ID. The second phase is related to identifying the end device as a phone. What I can see in your case is that the first phase is failing somehow, since the voice VLAN ID is different from the one locally configured. Can you share with me your running and also startup config plus CDP neighbours? You may use private message.
Regards,
Aleksandra
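
The condition visible in the show voice vlan output above (locally configured ID 212, agreed ID 216 received from another switch) can be checked mechanically. The following is an added example, not part of the original thread; the function names and the trusted_sources allowlist are assumptions, and the sample text is the output quoted in the question.

```python
import re

# Sample input: the `show voice vlan` output quoted in the question above.
SAMPLE = """\
1ASW01#show voice vlan
Administrate Voice VLAN state is auto-triggered
Operational Voice VLAN state is auto-enabled
Best Local Voice VLAN-ID is 212
Best Local VPT is 5 (default)
Best Local DSCP is 46 (default)
Agreed Voice VLAN is received from switch 34:62:88:73:05:c9
Agreed Voice VLAN priority is  0 (active static source)
Agreed Voice VLAN-ID is 216
Agreed VPT is 5
Agreed DSCP is 46
Agreed Voice VLAN Last Change is 03-May-13 05:06:31
"""

MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"

# Field name -> (line pattern, converter). The wording follows the sample output.
PATTERNS = {
    "oper_state":  (r"^[ \t]*Operational Voice VLAN state is\s+(\S+)", str),
    "local_vlan":  (r"^[ \t]*Best Local Voice VLAN-ID is\s+(\d+)", int),
    "local_vpt":   (r"^[ \t]*Best Local VPT is\s+(\d+)", int),
    "local_dscp":  (r"^[ \t]*Best Local DSCP is\s+(\d+)", int),
    "source_mac":  (r"^[ \t]*Agreed Voice VLAN is received from switch\s+" + MAC, str.lower),
    "priority":    (r"^[ \t]*Agreed Voice VLAN priority is\s+(\d+)", int),
    "source_type": (r"^[ \t]*Agreed Voice VLAN priority is\s+\d+\s+\(([^)]*)\)", str),
    "agreed_vlan": (r"^[ \t]*Agreed Voice VLAN-ID is\s+(\d+)", int),
    "agreed_vpt":  (r"^[ \t]*Agreed VPT is\s+(\d+)", int),
    "agreed_dscp": (r"^[ \t]*Agreed DSCP is\s+(\d+)", int),
}


def parse_voice_vlan(text):
    """Extract the local and agreed voice VLAN fields from CLI output."""
    state = {}
    for name, (pattern, convert) in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            state[name] = convert(m.group(1))
    return state


def audit_voice_vlan(state, trusted_sources=()):
    """Return (code, detail) findings for a parsed voice VLAN state.

    trusted_sources is a hypothetical allowlist of switch MAC addresses that
    are expected to supply the agreed voice VLAN.
    """
    local, agreed = state.get("local_vlan"), state.get("agreed_vlan")
    if local is None or agreed is None:
        return [("parse_error", "voice VLAN IDs not found in output")]

    findings = []
    if agreed != local:
        findings.append(("vlan_mismatch",
                         f"agreed voice VLAN {agreed} differs from locally configured {local}"))

    src = state.get("source_mac")
    trusted = {mac.lower() for mac in trusted_sources}
    if src and src not in trusted:
        findings.append(("unlisted_source",
                         f"agreed voice VLAN was received from {src}, which is not in the allowlist"))

    # The QoS markings are agreed the same way, so compare them as well.
    for field in ("vpt", "dscp"):
        lo, ag = state.get(f"local_{field}"), state.get(f"agreed_{field}")
        if lo is not None and ag is not None and lo != ag:
            findings.append(("qos_mismatch",
                             f"agreed {field.upper()} {ag} differs from local {lo}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_voice_vlan(parse_voice_vlan(SAMPLE)):
        print(f"{code}: {detail}")
```
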

Similar Messages

  • 302-08MP Voice Vlan issue

    Hi,
    I have a 302-08Mp attached to my network, it is plugged directly into a C3560G, however when i plug a phone into this switch i get a 'configuring ip' message up on the phone. The voice vlan is set identical to the 3560 but in the logs i get an error message stating
    %CDP-W-VOICE_VLAN_MISMATCH: voice VLAN mismatch detected on interface gi1.
    Can anyone help me solve this issue?
    Thanks in advance

    Tom,
    Sorry for the delay, I needed to get someone at the remote location I could trust to reboot the unit. The voice vlan is 20 and the rest run on vlan 1
    the 302  is set as
    interface gigabitethernet1
    macro description "switch | no_switch | switch | no_switch | switch | no_switch
    | switch | no_switch | switch | no_switch | switch | no_switch"
    exit
    macro auto disabled
    macro auto processing type host enabled
    macro auto built-in parameters ip_phone_desktop $max_hosts 10 $native_vlan 1
    and runs sw version 1.1.2.0
    the 3560 is set
    interface GigabitEthernet0/3
    description Link to SW3
    power inline never
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport voice vlan 20
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape  10  0  0  0
    queue-set 2
    mls qos trust cos
    auto qos voip trust
    Thanks

  • SRW224G4P : voice vlan problem

    Hi guys ,
    i've a problem with tagged vlan with my SRW224G4P.
    I've got the following scenario:
    one cisco 2801-CCME/k9 router
    one cisco small business SRW224G4P layer 2 managed switch
    ten cisco IP phone 7940 and 7931
    ten personal computer
    I need to use the embedded switch on the phone to connect the computer. I need to
    have 2 separate VLANs for data and voice traffic.
    I configured srw224g4p first 12 ports as follows
    interface ethernet 1/x
    switchport allowed vlan add 199 untagged
    switchport native vlan 199
    switchport allowed vlan remove 1
    switchport mode hybrid
    switchport allowed vlan add 150 tagged
    spanning-tree cost 100000
    spanning-tree edge-port
    where vlan 199 is for data and vlan 150 is for voice .
    I set following dhcp pool on 2801
    ip dhcp pool phones
    network 192.168.150.0 255.255.255.0
    default-router 192.168.150.1
    domain-name cmedeis.local
    option 150 ip 192.168.150.1
    ip dhcp pool PC
    network 192.168.199.0 255.255.255.0
    default-router 192.168.199.1
    and configured router on a stick as follows
    interface FastEthernet0/0.150
    description CME interface
    encapsulation dot1Q 150
    ip address 192.168.150.1 255.255.255.0
    interface FastEthernet0/0.199
    encapsulation dot1Q 199
    ip address 192.168.199.1 255.255.255.0
    My problem is that phones connected to the switch ports don't recognize tagged
    traffic and don't take an IP from the correct DHCP pool of VLAN 150.
    With a Cisco 2960 PoE switch I configured switchport voice vlan 150 and
    switchport access vlan 199 and all is fine, but this small business switch doesn't
    handle the switchport voice attribute and I can't separate the voice and data VLANs.
    Does someone have an idea how to avoid this problem?
    I need some help, please.
    Bye

    Good posts as always Christopher!
    As Christopher mentions you will need to hard code the voice vlan on all of the phones.  The phones will send the voice traffic via this vlan, and the PCs will send untagged traffic. 
    I hope you do not mind a tangent and I hope this is not too great of a distraction, but the thought of QoS and security came to my mind as I read this post.
    Besides the vlan problems, which I am sure we can get through, there is also a concern.
    Any chance you would consider a 3560 for this deployment?  You have quite a few Cisco phones, a Cisco router, and many PCs. The Cisco switch would give you CDP, which would be useful for the voice vlan and power settings, as well as the important automatic QoS and security settings.
    On my 3560, I applied a smart port macro.  A smart port macro is a series of best practices / command sets put into a simple to use command.  The one I applied is called cisco-phone.  Here is the output before and after:
    c3560(config)#do sho run int f0/18
    interface FastEthernet0/18
    end
    c3560(config)#int f0/18
    c3560(config-if)#macr app cisco-phone
    c3560(config-if)#sw voice vlan 5
    c3560(config-if)#sw ac vl 1
    c3560(config-if)#do sho run int f0/18
    interface FastEthernet0/18
    switchport mode access
    switchport voice vlan 5
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape  10  0  0  0
    mls qos trust device cisco-phone
    mls qos trust cos
    macro description cisco-phone
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    end
    The switch automatically globally enabled mls qos and configured the many class-maps, policy-maps, and applied them all accordingly.  As you know, it is important to establish the trust boundaries when doing voice and QoS.  These switches also use SRR, which is a very good way of applying shaping.
    Does this help?  I hope so.  Please fire back any thoughts or questions you may have.
    Andrew Lee Lissitz
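
One way to check phone-facing ports against the settings shown in the cisco-phone macro output above; this is an added example, not from the original post. Using that output as the baseline, the check names, and the assumption that interface blocks end at "!" are choices of this example.

```python
import re

# Constructed sample config. FastEthernet0/18 repeats the post-macro output
# from the post above; the other two interfaces are made up for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet0/18
 switchport mode access
 switchport voice vlan 5
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
 switchport mode access
 switchport voice vlan 5
 mls qos trust cos
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end
"""

# Baseline taken from the macro output: check name -> pattern for one config line.
REQUIRED = {
    "port-security enabled": r"^switchport port-security$",
    "port-security maximum": r"^switchport port-security maximum \d+$",
    "port-security violation action":
        r"^switchport port-security violation (restrict|shutdown|protect)$",
    "QoS trust conditional on phone": r"^mls qos trust device cisco-phone$",
    "portfast": r"^spanning-tree portfast\b",
    "bpduguard": r"^spanning-tree bpduguard enable$",
}


def interface_blocks(config):
    """Split running-config text into {interface name: [stripped lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line in ("!", "end") or not line:
            current = None          # assumed block terminator
        elif current is not None:
            current.append(line)
    return blocks


def audit_phone_ports(config):
    """For every port with a voice VLAN, list the baseline settings it lacks."""
    report = {}
    for name, lines in interface_blocks(config).items():
        if not any(re.match(r"switchport voice vlan \d+$", l) for l in lines):
            continue                # not a phone port, e.g. a trunk uplink
        report[name] = [check for check, pattern in REQUIRED.items()
                        if not any(re.search(pattern, l) for l in lines)]
    return report


if __name__ == "__main__":
    for port, missing in audit_phone_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
```
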

  • SG300-28P Voice VLAN issue

    Hi,
    I was running firmware 1.1.2.0 and everything was working fine on 2 of these switches, connected via fiber.  I tried upgrading to the latest firmware (1.3.5.58) and had no luck.  Our phones which are Avaya 9650 VOIP handsets could not find the router, would not find DHCP, and were waiting for LLDP.  The update was only applied on the further away switch from the PBX, yet it still messed up the other switch.  I put the firmware back to the original active version and everything started working again.
    Nothing else changed except when I rolled back from the firmware version it left any phones plugged in to ports, it changed their tagging to untagged.  I put this back and everything worked fine. 
    Is there an incompatibility with this firmware with my phones, or what else could be the problem?

    https://supportforums.cisco.com/search.jspa?peopleEnabled=true&userID=&containerType=14&container=2141&spotlight=true&q=1.2.7.76+xml
    If you want to dig through some posts.
    I'm sure you could find some. It looks like the 1.2.7.76 release notes were removed off the download page even.
    -Tom
    Please mark answered for helpful posts

  • Voice VLAN with SRW224G4P

    Hi all,
    I have been trying to configure a voice VLAN on these switches for the last 3 hours and for me this is impossible... I know how to do it on an IOS switch but with these switches it is a nightmare...
    I have this topology,
    PC ---- IP phone ----- SW1 SRW224G4P -------- SWCORE SRW2024 --------- Router 2921 CME
    I have this config in my router,
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description LAN
    encapsulation dot1Q 1 native
    ip address 192.168.5.95 255.255.255.0
    ip virtual-reassembly in
    interface GigabitEthernet0/0.100
    description Voice VLAN
    encapsulation dot1Q 100
    ip address 192.168.251.1 255.255.255.0
    ip virtual-reassembly in
    SW1 has created VLAN 100 and enabled it as VOICE VLAN.
    The first 3 octets of the MAC of my phone are inserted into the Telephony OUI Table.
    The Auto Voice VLAN Membership is enabled in the port where the phone is attached.
    The port that is connected to SWCORE has VLAN 100 configured as tagged.
    SWCORE has created VLAN 100 and enabled it as VOICE VLAN.
    The port that is connected to SW1 has VLAN 100 configured as tagged.
    The port that is connected to the CME router has VLAN 100 configured as tagged.
    If I configure another port on SWCORE with VLAN 100 tagged I can ping from CME to that host.
    Could the problem be a VLAN propagation error?
    Could somebody help me? I am desperate...
    Thank you in advance.

    Hi David,
    Thank you for the purchase of the switch.
    Like anything, even riding a bike, the switch is actually very easy to configure if you have a little bit of practice on it.
    You mentioned you are using the "Telephony OUI Table", so I guess you have a SF300-24P or ordering p/n SRW224G4P-K9-NA.  Please be specific with the switch models you are using. 
    Are you using the older SRW series or the refreshed SRWxxx-K9 (300 series) switch in the core?
    Firstly, make sure you are using version 1.1.0.73 of the switch firmware. Do that change now or verify that 1.1.0.73 is the active image on the switch.
    The switch has two areas for storing firmware images.  It stores the new firmware in the unused image area.  Check the administration guide for how to upgrade firmware and select new firmware for the next reboot.
    CDP is enabled on the switch when you use the new software, it was not there with older firmware, hence my insistence on upgrading firmware.
    ( Personally  i would prefer you to have a catalyst switch for your ISRG2 CME application, for tech support purposes. But this is the land of the free..)
    I found the following when I added my SG300-28P  to a VLAN aware UC500.
    The UC500  was advertising vlan100 as a voice vlan, configured that by Cisco Configuration Assistant, you might try CCP on your ISR.
    I had a IP phone plugged into switch port G7 and a uplink to my UC500 via port Gig27. 
    The following in blue is a screen copy from my 300 series switch CLI interface.
    You will note the switch automatically populated both VLAN and port information. The only command I added was "no passwords complexity enable", and some usernames, which I removed from the screen capture below.
    The switch basically configured itself.
    ------------------ show system ------------------
    System Description:                       28-port Gigabit PoE Managed Switch
    System Up Time (days,hour:min:sec):       00,00:12:04
    System Contact:                          
    System Name:                              switch4cf17c
    System Location:                         
    System MAC Address:                       d0:d0:fd:4c:f1:7c
    System Object ID:                         1.3.6.1.4.1.9.6.1.83.28.2
    Fans Status:                              OK
    ------------------ show version ------------------
    SW version   1.1.0.73 ( date  19-Jun-2011 time  18:10:49 )
    Boot version  1.0.0.4 ( date  08-Apr-2010 time  16:37:57 )
    HW version    V01
      Gateway IP Address        Activity status       Type  
    192.168.10.1            Active                  dhcp    
        IP Address         I/F       Type       Status   
    192.168.10.17/24    vlan 1    DHCP        Valid      
    ------------------ show ipv6 interface ------------------
    IPv6 is disabled on all interfaces
    ------------------ show running-config ------------------
    interface gigabitethernet7
    storm-control broadcast level 10
    exit
    interface gigabitethernet7
    storm-control include-multicast
    exit
    interface  gi27
    spanning-tree link-type point-to-point
    exit
    vlan database
    vlan 100
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname switch4cf17c
    no passwords complexity enable
    no snmp-server server
    interface gigabitethernet7
    macro description ip_phone_desktop
    exit
    interface gigabitethernet27
    macro description "switch | no_switch | switch"
    exit
    interface gigabitethernet7
    !next command is internal.
    macro auto smartport dynamic_type ip_phone_desktop
    switchport trunk allowed vlan add 100
    exit
    interface gigabitethernet27
    !next command is internal.
    macro auto smartport dynamic_type switch
    switchport trunk allowed vlan add 100
    exit
    switch4cf17c#sh cdp nei
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone
                      M - Remotely-Managed Device, C - CAST Phone Port,
                      W - Two-Port MAC Relay
      Device ID        Local      Adv  Time To Capability   Platform     Port ID
                       Interface  Ver. Live
    SEP503De50F133A      gi7      2     158      H P     CISCO IP        eth0
                                                         Phone
                                                         SPA525G2
    68bdab0fdcfd        gi27      2     169      S I     Cisco SG         gi9
                                                         300-10P
                                                                                               (PID:SRW2008P-K9)-VSD
    switch4cf17c#sh vlan
    Vlan       Name                   Ports                Type     Authorization
    1           1                gi1-28,Po1-8           Default      Required
    100         100                 gi7,gi27            permanent    Required
    Switch automatically figures which ports should be tagged into VLAN 100.
    I did not tell the switch it was connected to VLAN100. I did not add vlan100 to the VLAN database.
    So get the ISR router to advertise VLAN100 as a voice vlan.
    regards Dave

  • SG500 auto voice VLAN question about native VLAN

    I have been installing SG300 and SG500 switches and using the auto voice vlan feature by simply changing voice vlan to 100 and using vlan 1 for default and data.  I normally put the switch in L3 mode and make an access port each for my IP PBX (vlan 100) and one to connect to the existing data network (vlan 1). Then I make a static route in the customer's default gateway to route back to vlan 100 and everything works nicely for most installs. 
    On my last install I decided to try to change the default vlan 1 to vlan 10 and go with 10 for data and 100 for voice.  The problem I ran into was that the auto generated config on my phone switchports still use vlan 1 as native vlan.  I am trying to find a way to still use auto vlan and get the desired native vlan without having to make manual config changes.
    Should this be possible?
    Thanks in advance.

    Hi Brandon, you need to modify the macro from native vlan 1 to vlan 10.
    Check out this topic how to modify the macro
    https://supportforums.cisco.com/thread/2177613
    -Tom
    Please mark answered for helpful posts

  • About voice vlan

    I configured switch1 and switch3. Between switch1 and switch3 (via fiber patch cable) both access and voice vlan are working. But when I put switch 2 between sw 1 and sw 3, the voice vlan is not working. Is it possible?

    switch2:
    interface FastEthernet1/0/48
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1
     switchport mode dynamic desirable
    end
    interface GigabitEthernet1/0/4
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1
     switchport mode dynamic desirable
    end

  • Cisco sg200 voice vlan dhcp issue

    I have a Cisco SG200 50P connected to a Cisco 3750 switch. I just wanted to separate voice (vlan2) and data (vlan1) VLANs. I created vlan 2 as my voice VLAN and a separate DHCP server for vlan 2 to give IP addresses to phones. However, the IP phone connected to my voice vlan (vlan 2) is not receiving an IP address from my DHCP server in vlan 2.
    The DHCP server is connected to the 3750 switch with an access port (vlan2-voice).
    The two switches are connected via trunk ports and allow vlan 1&2.
    The IP phone is connected to the sg200 via an access port (vlan 2) - 
    Note - there is no PC connected to the IP phone.
    I would really appreciate it if anyone can help me with this issue.

    Hi Tom
    Thank you for the support. The phone is now getting the IP from the DHCP on its own VLAN (vlan2 )  according to  your configuration. However i need to configure the auto voice VLAN based on OUI feature which is in SG200 switch. 
    The problem is, the switch does not allow me to configure the auto voice VLAN feature when the port connected to the IP phone is in ACCESS mode (it has to be a trunk). I know according to Cisco Catalyst guidelines this is totally incorrect because they say  "Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed"
    I think it's not valid for Small Business switches. Anyway, when I make the said port TRUNK it works (by assigning 1U & 2T automatically). But the phone does not get an IP address from my DHCP server then. 
    Can you help me with this if I am missing some configuration. Thank you once again

  • SUP failed over manually, voice service failed after FAILOVER, started accessing old voice vlan which was removed from config

    Hey guys, 
    I am pretty sure, my subject is kinda confusing. Sorry about that. Here is what happened. 
    1. 4510r with Supervisor V 1000BaseX, switched over to standby Sup, then reseated Active SUP, once reseat complete, switched again to get the reseated SUP up and running as Active SUP. 
    2. a simple maintenance which was supposed to cause no outage and it did not cause any outage as well. 
    3. however, what i did not notice was, even though the voice vlan was configured to access 2353, they were accessing vlan 453. 
    4. the change was made 2 weeks prior to this maintenance where voice vlans were previously accessing 453 and they were all changed to access 2353. configs were saved. 
    5. however, after the maintenance, the running config showed that they were accessing 2353 but when checking the mac address on the interface, it was seen accessing 453. 
    6. the fix was to remove the config and re add it , that fixed it. 
    Has anyone else experienced the issue ? What really happened there ?  
    software version: Version 15.0(2)SG5
    #sh module 
    Chassis Type : WS-C4510R
    Power consumed by backplane : 40 Watts
    Mod Ports          Card Type                                            Model             
    ---+-----+--------------------------------------+------------------+-----------
     1     2  Supervisor V 1000BaseX (GBIC)                 WS-X4516            
     2     2  Supervisor V 1000BaseX (GBIC)                  WS-X4516           
     3    48  10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V  
     5    48  10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V   
     6    48  10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V   
     7    48  10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V  
     8    48  10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V   
     9    48  10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V   

    configs were saved many times prior to the maintenance. i did a " write mem ". 

  • 7936 not showing software version and vlan issue

    I have a 7936 that does not show the software version. I have installed the newest load on the callmanager, but still cannot see what version it is running on the phone.
    My main issue with the phone is that I have to set the switchport access vlan to the voice vlan; if I try to let the phone use the switchport voice vlan, it will pull an IP address off of the data vlan and not the voice vlan.
    Any help with either of these issues would be greatly appreciated. I do rate all helpful posts.
    Thanks,
    Robert

    Hi Robert,
    Here is some info that may help;
    Verifying Firmware Version Information
    You can obtain information about the firmware version installed on the IP Conference Station.
    Follow these steps to verify the firmware version on an IP Conference Station:
    Step 1 Press the Menu button.
    Step 2 Press the Up or Down scroll button to select the Admin Setup menu.
    Step 3 Press the Select button.
    Step 4 Enter the administrator password. (The default administrator password is **#.)
    Step 5 Press the Enter softkey.
    Step 6 Press the Up or Down scroll button to select System Information.
    Step 7 Press the Select button.
    Step 8 Press the Up or Down scroll button to select SW Version.
    The firmware version number is displayed.
    Or if that is not working try accessing this way;
    Using the Web Interface
    Follow these steps to access the Cisco IP Conference Station 7936 web interface:
    Step 1 Open your web browser.
    Step 2 In the address field enter:
    http:// IP address of the IP Conference Station:
    Configuration information applies to the specific IP Conference Station associated with the IP address you enter.
    Note If you changed the HTTP port number, you need to use that number as a suffix to the IP address. If you did not change the HTTP port number, then you do not need to enter a suffix.
    The web interface appears, and the initial login page is displayed.
    Step 3 To log in as the administrator, enter the administrator password and click Login.
    The default administrator password is **#.
    Note When logged in to the IP Conference Station web pages, the web pages will time out after approximately 20 minutes of inactivity. You will then have to log back in.
    Step 4 To log off, click Administrator Logout.
    Information Available on All Web Pages
    The top right portion of the Cisco IP Conference Station 7936 web interface includes a separate section that displays consistent information for all of the web pages.
    This section contains the following information; example text appears next to each item in the list:
    Software Version: 3.3(2.00)
    Protocol Type: SCCP
    Boot Load ID: PC0503031418
    Application Load ID: CMTERM_7936.3-3-2-0
    IP Address: 10.1.1.11
    MAC Address: 00c742655892
    Local Number: 2022
    As far as the VLAN issue goes, this has always been the case for our 7935's as well and I'm sure the 7936 is the same.
    Switchport mode access
    Switchport access VLAN XXX
    Hope this helps!
    Rob
    Please remember to rate helpful posts........

  • Cisco voice vlans w/ nortel VOIP system

    Hello everyone,
    I am going to segment a network with a Nortel VOIP system. Right now, the network is completely flat with PCs plugged into the back of the nortel phones. I would like to set up a voice vlan for the nortel phones but am not sure if voice vlans will work w/ non-cisco phones (cdp). Please provide me some insight if you can. Thanks!

    If you are using recent Cisco switches it is quite easy.
    Using 4006 SUP III core switches or 3560 PSE's should be okay.
    If you have Nortel Phase II phones they can also be powered by the 802.3 cisco switches with no probs.
    Anyway set the switchport mode to switchport voice vlan. Set spanning tree portfast and configure qos as you see fit on the port. Configure the voice vlan on the switch eg switchport voice vlan 111. You may need to configure the port to switchport mode dynamic desirable as well. Some older switches may have problems but you can enable trunking to cheat and then a default vlan for the pc on the switchport
    As regards to the phones when the phone reboots and you enter the configuration mode via flipping the 4 soft keys. You should then see the vlan option and configure the same vlan number on the phone as the cisco switch eg 111.
    The phone should then register again without any problems. All i2002/i2004 firmware for last 2 years has the vlan option. I looked after about 400 nortel phones all on cisco switches of various ages with only minor setting up issues.
    Best of luck
    Simon

  • QoS / Native VLAN Issue - Please HELP! :)

    I've purchased 10 Cisco Aironet 2600 AP’s (AIR-SAP2602I-E-K9 standalone rather than controller based).
     I’ve configured the WAP’s (or the first WAP I’m going to configure and then pull the configuration from and push to the others) with 2 SSID’s. One providing access to our DATA VLAN (1000 – which I’ve set as native on the WAP) and one providing access to guest VLAN (1234). I’ve configured the connecting DELL switchport as a trunk and set the native VLAN to 1000 (DATA) and allowed trunk traffic for VLAN’s 1000 and 1234. Everything works fine, when connecting to the DATA SSID you get a DATA IP and when you connect to the GUEST SSID you lease a GUEST IP.
    The problem starts when I create a QoS policy on the WAP (for Lync traffic DSCP 40 / CS5) and try to attach it to my VLAN’s. It won’t let me attach the policy to VLAN 1000 as it’s the native VLAN. If I change VLAN 1000 on the WAP to NOT be the native VLAN I can attach the policies however wireless clients can no longer attach to either SSID properly as they fail to lease an IP address and instead get a 169.x.x.x address.
    I'm sure I'm missing something basic here so please forgive my ignorance.
    This is driving me insane!
    Thanks to anyone that provides assistance. Running config below and example of the error...
    User Access Verification
    Username: admin
    Password:
    LATHQWAP01#show run
    Building configuration...
    Current configuration : 3621 bytes
    ! Last configuration change at 02:37:59 UTC Mon Mar 1 1993 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname LATHQWAP01
    logging rate-limit console 9
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    no ip routing
    dot11 syslog
    dot11 vlan-name Data vlan 1000
    dot11 vlan-name Guest vlan 1234
    dot11 ssid LatitudeCorp
       vlan 1000
       authentication open
       authentication key-management wpa version 2
       wpa-psk ascii
    dot11 ssid LatitudeGuest
       vlan 1234
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii
    crypto pki token default removal timeout 0
    username admin privilege 15 password!
    class-map match-all _class_Lync0
    match ip dscp cs5
    policy-map Lync
    class _class_Lync0
      set cos 6
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1234 mode ciphers aes-ccm
    encryption vlan 1000 mode ciphers aes-ccm
    ssid LatitudeCorp
    ssid LatitudeGuest
    antenna gain 0
    stbc
    station-role root
    interface Dot11Radio0.1000
    encapsulation dot1Q 1000 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.1234
    encapsulation dot1Q 1234
    no ip route-cache
    bridge-group 255
    bridge-group 255 subscriber-loop-control
    bridge-group 255 spanning-disabled
    bridge-group 255 block-unknown-source
    no bridge-group 255 source-learning
    no bridge-group 255 unicast-flooding
    service-policy input Lync
    service-policy output Lync
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption vlan 1234 mode ciphers aes-ccm
    encryption vlan 1000 mode ciphers aes-ccm
    ssid LatitudeCorp
    ssid LatitudeGuest
    antenna gain 0
    no dfs band block
    stbc
    channel dfs
    station-role root
    interface Dot11Radio1.1000
    encapsulation dot1Q 1000 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio1.1234
    encapsulation dot1Q 1234
    no ip route-cache
    bridge-group 255
    bridge-group 255 subscriber-loop-control
    bridge-group 255 spanning-disabled
    bridge-group 255 block-unknown-source
    no bridge-group 255 source-learning
    no bridge-group 255 unicast-flooding
    service-policy input Lync
    service-policy output Lync
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface GigabitEthernet0.1000
    encapsulation dot1Q 1000 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface GigabitEthernet0.1234
    encapsulation dot1Q 1234
    no ip route-cache
    bridge-group 255
    bridge-group 255 spanning-disabled
    no bridge-group 255 source-learning
    service-policy input Lync
    service-policy output Lync
    interface BVI1
    ip address 10.10.1.190 255.255.254.0
    no ip route-cache
    ip default-gateway 10.10.1.202
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    transport input all
    end
    LATHQWAP01#conf
    Configuring from terminal, memory, or network [terminal]? t
    Enter configuration commands, one per line.  End with CNTL/Z.
    LATHQWAP01(config)#int dot11radio1.1000
    LATHQWAP01(config-subif)#ser
    LATHQWAP01(config-subif)#service-policy in
    LATHQWAP01(config-subif)#service-policy input Lync
    set cos is not supported on native vlan interface
    LATHQWAP01(config-subif)#

    Hey Scott,
    Thank you (again) for your assistance.
    So I've done as instructed and reconfigured the WAP. I've added an additional VLAN (1200 our VOIP VLAN) and made this the native VLAN - so 1000 and 1234 are now tagged. I've configured the BVI interface with a VOIP IP address for management and can connect quite happily. I've configured the connecting Dell switchport as a trunk and to allow trunk vlans 1000 (my DATA SSID), 1200 (native) and 1234 (my GUEST SSID). I'm now back to the issue where when a wireless client attempts to connect to either of my SSIDs (Guest or DATA) they are not getting an IP address / cannot connect.
    Any ideas guys? Forgive my ignorance - this is a learning curve and one I'm enjoying.
    LATHQWAP01#show run
    Building configuration...
    Current configuration : 4426 bytes
    ! Last configuration change at 20:33:19 UTC Mon Mar 1 1993 by Cisco
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname LATHQWAP01
    logging rate-limit console 9
    enable secret 5
    no aaa new-model
    no ip source-route
    no ip cef
    dot11 syslog
    dot11 vlan-name DATA vlan 1000
    dot11 vlan-name GUEST vlan 1234
    dot11 vlan-name VOICE vlan 1200
    dot11 ssid LatitudeCorp
       vlan 1000
       authentication open
       authentication key-management wpa version 2
       mobility network-id 1000
       wpa-psk ascii
    dot11 ssid LatitudeGuest
       vlan 1234
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       mobility network-id 1234
       wpa-psk ascii
       no ids mfp client
    dot11 phone
    username CISCO password
    class-map match-all _class_Lync0
     match ip dscp cs5
    policy-map Lync
     class _class_Lync0
      set cos 6
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption vlan 1000 mode ciphers aes-ccm
     encryption vlan 1234 mode ciphers aes-ccm
     ssid LatitudeCorp
     ssid LatitudeGuest
     antenna gain 0
     stbc
     mbssid
     station-role root
    interface Dot11Radio0.1000
     encapsulation dot1Q 1000
     bridge-group 255
     bridge-group 255 subscriber-loop-control
     bridge-group 255 spanning-disabled
     bridge-group 255 block-unknown-source
     no bridge-group 255 source-learning
     no bridge-group 255 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface Dot11Radio0.1200
     encapsulation dot1Q 1200 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.1234
     encapsulation dot1Q 1234
     bridge-group 254
     bridge-group 254 subscriber-loop-control
     bridge-group 254 spanning-disabled
     bridge-group 254 block-unknown-source
     no bridge-group 254 source-learning
     no bridge-group 254 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface Dot11Radio1
     no ip address
     encryption vlan 1000 mode ciphers aes-ccm
     encryption vlan 1234 mode ciphers aes-ccm
     ssid LatitudeCorp
     ssid LatitudeGuest
     antenna gain 0
     peakdetect
     no dfs band block
     stbc
     mbssid
     channel dfs
     station-role root
    interface Dot11Radio1.1000
     encapsulation dot1Q 1000
     bridge-group 255
     bridge-group 255 subscriber-loop-control
     bridge-group 255 spanning-disabled
     bridge-group 255 block-unknown-source
     no bridge-group 255 source-learning
     no bridge-group 255 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface Dot11Radio1.1200
     encapsulation dot1Q 1200 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.1234
     encapsulation dot1Q 1234
     bridge-group 254
     bridge-group 254 subscriber-loop-control
     bridge-group 254 spanning-disabled
     bridge-group 254 block-unknown-source
     no bridge-group 254 source-learning
     no bridge-group 254 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface GigabitEthernet0
     no ip address
     duplex full
     speed auto
    interface GigabitEthernet0.1000
     encapsulation dot1Q 1000
     bridge-group 255
     bridge-group 255 spanning-disabled
     no bridge-group 255 source-learning
     service-policy input Lync
     service-policy output Lync
    interface GigabitEthernet0.1200
     encapsulation dot1Q 1200 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.1234
     encapsulation dot1Q 1234
     bridge-group 254
     bridge-group 254 spanning-disabled
     no bridge-group 254 source-learning
     service-policy input Lync
     service-policy output Lync
    interface BVI1
     mac-address 881d.fc46.c865
     ip address 10.10. 255.255.254.0
    ip default-gateway 10.10.
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
     login local
     transport input all
    sntp server ntp2c.mcc.ac.uk
    sntp broadcast client
    end
    LATHQWAP01#

  • SG-300 28P switches problem with VLAN Data and Voice, working all the time as Voice VLAN

    Hi Everyone,
    Thank you very much for your help in advance. I’m pulling my hair to fix the problem.
    I just got the new SG-300 28P switches. My Bios ordered for me. I did not know how it runs until now... not an IOS based. I really do not know how to configure it.
    I have 2 VLANs, Data and Voice.
    - Data VLAN ID is 2 IP 192.168.2.X/255.255.255.0
    - Voice VLAN ID is 200 IP 192.168.22.X/255.255.255.0
    - I created two vlans, in switch, Data and Voice.
    - On the port number 28, it is trunk by default, so I add Data vlan ID 2 tagged.
    - On the port number 26, it is trunk by default, so I add Voice vlan ID 200 tagged.
    - On the port number 27, I add Data vlan ID 2 tagged for Data vlan out.
    - Port settings No.1
    I set it up as Trunk with Data vlan 2 untagged, and 200 Tagged (voice vlan). I plugged in a phone with a pc attached. But the PC will get to the vlan 200 to get the DHCP address, but not from vlan 2. The Phone works with correct vlan ip.
    - Port settings No.2
    Trunk with vlan 1UP, 2T, and 200T. The phone is even worse. Would never pick up any IP from DHCP.
    - Port settings No.3
    Access with 200U...of course the phone will work... and the PC could not get to its own vlan. Instead, the PC got an ip from the voice vlan. Not from VLAN 2.
    I have a Linksys phone; I’m not sure if this helps.
    For more information I setup in switch,
    - enable voice vlan
    - set the port on auto voice vlan
    - enable LLDP-MED globally
    - create a network policy to assign VLAN 200
    - assign this network policy to the port the phone is connected to.
    I hope this information helps me to set up Data and Voice vlans, to plug the phone to work with vlan Voice 200 (IP range 192.168.22.X), from phone to PC and PC work as Data vlan 2 (IP range 192.168.2.X).

    I just got done setting up voice VLANs on an SF 300-24P and verified working. This was working with Cisco 7900 series phones connected to a Cisco UC setup.
    Here's my sample config.
    Note that I edited this by hand before posting, so doing a flat out tftp restore probably won't work. However, this should give you a clue. Also, don't take this as 100% accurate or correct. I've only been working with these things for about a week, though I've worked with the older Linksys SRW switches for a couple of years. I'm a CCNP/CCDP.
    VLAN 199 is my management VLAN and is the native VLAN on 802.1q trunks.
    VLAN 149 is the data/computer VLAN here.
    VLAN 111 is the voice/phone VLAN here.
    VLAN 107 does nothing.
    interface range ethernet e(1-24)
    port storm-control broadcast enable
    exit
    interface ethernet e1
    port storm-control include-multicast
    exit
    interface ethernet e2
    port storm-control include-multicast
    exit
    interface ethernet e3
    port storm-control include-multicast
    exit
    interface ethernet e4
    port storm-control include-multicast
    exit
    interface ethernet e5
    port storm-control include-multicast
    exit
    interface ethernet e6
    port storm-control include-multicast
    exit
    interface ethernet e7
    port storm-control include-multicast
    exit
    interface ethernet e8
    port storm-control include-multicast
    exit
    interface ethernet e9
    port storm-control include-multicast
    exit
    interface ethernet e10
    port storm-control include-multicast
    exit
    interface ethernet e11
    port storm-control include-multicast
    exit
    interface ethernet e12
    port storm-control include-multicast
    exit
    interface ethernet e13
    port storm-control include-multicast
    exit
    interface ethernet e14
    port storm-control include-multicast
    exit
    interface ethernet e15
    port storm-control include-multicast
    exit
    interface ethernet e16
    port storm-control include-multicast
    exit
    interface ethernet e17
    port storm-control include-multicast
    exit
    interface ethernet e18
    port storm-control include-multicast
    exit
    interface ethernet e19
    port storm-control include-multicast
    exit
    interface ethernet e20
    port storm-control include-multicast
    exit
    interface ethernet e21
    port storm-control include-multicast
    exit
    interface ethernet e22
    port storm-control include-multicast
    exit
    interface ethernet e23
    port storm-control include-multicast
    exit
    interface ethernet e24
    port storm-control include-multicast
    exit
    interface range ethernet g(1-4)
    description "Uplink trunk"
    exit
    interface range ethernet g(1-4)
    switchport default-vlan tagged
    exit
    interface range ethernet e(21-24)
    switchport mode access
    exit
    vlan database
    vlan 107,111,149,199
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 107
    exit
    interface range ethernet e(21-24)
    switchport access vlan 111
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 111
    exit
    interface range ethernet e(1-20)
    switchport trunk native vlan 149
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 149
    exit
    interface range ethernet g(1-4)
    switchport trunk native vlan 199
    exit
    voice vlan aging-timeout 5
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    voice vlan oui-table add 108ccf MyCiscoIPPhones1
    voice vlan oui-table add 40f4ec MyCiscoIPPhones2
    voice vlan oui-table add 8cb64f MyCiscoIPPhones3
    voice vlan id 111
    voice vlan cos 6 remark
    interface ethernet e1
    voice vlan enable
    exit
    interface ethernet e1
    voice vlan cos mode all
    exit
    interface ethernet e2
    voice vlan enable
    exit
    interface ethernet e2
    voice vlan cos mode all
    exit
    interface ethernet e3
    voice vlan enable
    exit
    interface ethernet e3
    voice vlan cos mode all
    exit
    interface ethernet e4
    voice vlan enable
    exit
    interface ethernet e4
    voice vlan cos mode all
    exit
    interface ethernet e5
    voice vlan enable
    exit
    interface ethernet e5
    voice vlan cos mode all
    exit
    interface ethernet e6
    voice vlan enable
    exit
    interface ethernet e6
    voice vlan cos mode all
    exit
    interface ethernet e7
    voice vlan enable
    exit
    interface ethernet e7
    voice vlan cos mode all
    exit
    interface ethernet e8
    voice vlan enable
    exit
    interface ethernet e8
    voice vlan cos mode all
    exit
    interface ethernet e9
    voice vlan enable
    exit
    interface ethernet e9
    voice vlan cos mode all
    exit
    interface ethernet e10
    voice vlan enable
    exit
    interface ethernet e10
    voice vlan cos mode all
    exit
    interface ethernet e11
    voice vlan enable
    exit
    interface ethernet e11
    voice vlan cos mode all
    exit
    interface ethernet e12
    voice vlan enable
    exit
    interface ethernet e12
    voice vlan cos mode all
    exit
    interface ethernet e13
    voice vlan enable
    exit
    interface ethernet e13
    voice vlan cos mode all
    exit
    interface ethernet e14
    voice vlan enable
    exit
    interface ethernet e14
    voice vlan cos mode all
    exit
    interface ethernet e15
    voice vlan enable
    exit
    interface ethernet e15
    voice vlan cos mode all
    exit
    interface ethernet e16
    voice vlan enable
    exit
    interface ethernet e16
    voice vlan cos mode all
    exit
    interface ethernet e17
    voice vlan enable
    exit
    interface ethernet e17
    voice vlan cos mode all
    exit
    interface ethernet e18
    voice vlan enable
    exit
    interface ethernet e18
    voice vlan cos mode all
    exit
    interface ethernet e19
    voice vlan enable
    exit
    interface ethernet e19
    voice vlan cos mode all
    exit
    interface ethernet e20
    voice vlan enable
    exit
    interface ethernet e20
    voice vlan cos mode all
    exit
    interface ethernet e1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e5
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e6
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e7
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e8
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e9
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e10
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e11
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e12
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e13
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e14
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e15
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e16
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e17
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e18
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e19
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e20
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e21
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e22
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e23
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e24
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e1
    lldp med notifications topology-change enable
    exit
    interface ethernet e2
    lldp med notifications topology-change enable
    exit
    interface ethernet e3
    lldp med notifications topology-change enable
    exit
    interface ethernet e4
    lldp med notifications topology-change enable
    exit
    interface ethernet e5
    lldp med notifications topology-change enable
    exit
    interface ethernet e6
    lldp med notifications topology-change enable
    exit
    interface ethernet e7
    lldp med notifications topology-change enable
    exit
    interface ethernet e8
    lldp med notifications topology-change enable
    exit
    interface ethernet e9
    lldp med notifications topology-change enable
    exit
    interface ethernet e10
    lldp med notifications topology-change enable
    exit
    interface ethernet e11
    lldp med notifications topology-change enable
    exit
    interface ethernet e12
    lldp med notifications topology-change enable
    exit
    interface ethernet e13
    lldp med notifications topology-change enable
    exit
    interface ethernet e14
    lldp med notifications topology-change enable
    exit
    interface ethernet e15
    lldp med notifications topology-change enable
    exit
    interface ethernet e16
    lldp med notifications topology-change enable
    exit
    interface ethernet e17
    lldp med notifications topology-change enable
    exit
    interface ethernet e18
    lldp med notifications topology-change enable
    exit
    interface ethernet e19
    lldp med notifications topology-change enable
    exit
    interface ethernet e20
    lldp med notifications topology-change enable
    exit
    interface ethernet e21
    lldp med notifications topology-change enable
    exit
    interface ethernet e22
    lldp med notifications topology-change enable
    exit
    interface ethernet e1
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e2
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e3
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e4
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e5
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e6
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e7
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e8
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e9
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e10
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e11
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e12
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e13
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e14
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e15
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e16
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e17
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e18
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e19
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e20
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e21
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e22
    lldp med enable network-policy poe-pse
    exit
    lldp med network-policy 1 voice vlan 111 vlan-type tagged
    interface range ethernet e(1-22)
    lldp med network-policy add 1
    exit
    interface vlan 199
    ip address 199.16.30.77 255.255.255.0
    exit
    ip default-gateway 199.16.30.3
    interface vlan 1
    no ip address dhcp
    exit
    no bonjour enable
    bonjour service enable csco-sb
    bonjour service enable http  
    bonjour service enable https 
    bonjour service enable ssh   
    bonjour service enable telnet
    hostname psw1
    line console
    exec-timeout 30
    exit
    line ssh
    exec-timeout 30
    exit
    line telnet
    exec-timeout 30
    exit
    management access-list Management1
    permit ip-source 10.22.5.5 mask 255.255.255.0
    exit
    logging 199.16.31.33 severity debugging description mysysloghost
    aaa authentication enable Console local
    aaa authentication enable SSH tacacs local
    aaa authentication enable Telnet local
    ip http authentication tacacs local
    ip https authentication tacacs local
    aaa authentication login Console local
    aaa authentication login SSH tacacs local
    aaa authentication login Telnet local
    line telnet
    login authentication Telnet
    enable authentication Telnet
    password admin
    exit
    line ssh
    login authentication SSH
    enable authentication SSH
    password admin
    exit
    line console
    login authentication Console
    enable authentication Console
    password admin
    exit
    username admin password admin level 15
    power inline usage-threshold 90
    power inline traps enable
    ip ssh server
    snmp-server location in-the-closet
    snmp-server contact [email protected]
    ip http exec-timeout 30
    ip https server
    ip https exec-timeout 30
    tacacs-server host 1.2.3.4 key spaceballz  timeout 3  priority 10
    clock timezone -7
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 199.16.30.1
    sntp server 199.16.30.2
    ip domain-name mydomain.com
    ip name-server  199.16.5.12 199.16.5.13
    ip telnet server

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy
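
A detection-side check for the scenario raised in this thread, as an added example that is not part of the original posts: it reads the `voice vlan id` and `voice vlan oui-table` lines from the SF 300-24P sample config quoted earlier on this page and reports MAC addresses learned in the voice VLAN whose OUI is not in that table. The MAC table rows and their three-column format are constructed for illustration, and the function names are hypothetical.

```python
import re

# Voice VLAN lines copied from the SF 300-24P sample config on this page.
CONFIG = """\
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
voice vlan oui-table add 108ccf MyCiscoIPPhones1
voice vlan oui-table add 40f4ec MyCiscoIPPhones2
voice vlan oui-table add 8cb64f MyCiscoIPPhones3
voice vlan id 111
"""

# Constructed sample of learned MAC entries: "<vlan> <mac> <port>".
# This is an assumed export format, not real switch output.
MAC_TABLE = """\
111 10:8c:cf:12:34:56 e1
149 00:1b:21:aa:bb:cc e1
111 00:1b:21:aa:bb:cc e7
111 40:f4:ec:00:00:01 e2
111 8c-b6-4f-0a-0b-0c e3
111 0050.56ab.cdef e9
"""

OUI_LINE = re.compile(r"voice vlan oui-table add ([0-9a-fA-F]{6})(?:\s+(\S+))?")
VLAN_LINE = re.compile(r"voice vlan id (\d+)")


def parse_voice_config(config):
    """Return (voice_vlan_id, {oui: label}) from the 'voice vlan' lines."""
    vlan_id, ouis = None, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = OUI_LINE.fullmatch(line)
        if m:
            # Labels in the config are padded with underscores; strip the padding.
            ouis[m.group(1).lower()] = (m.group(2) or "").rstrip("_")
            continue
        m = VLAN_LINE.fullmatch(line)
        if m:
            vlan_id = int(m.group(1))
    return vlan_id, ouis


def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def unexpected_voice_hosts(config, mac_table):
    """List (port, mac) pairs seen in the voice VLAN with an OUI outside the table."""
    vlan_id, ouis = parse_voice_config(config)
    if vlan_id is None:
        raise ValueError("config has no 'voice vlan id' line")
    findings = []
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # skip blank lines and headers
        vlan, mac, port = int(fields[0]), normalize_mac(fields[1]), fields[2]
        if vlan == vlan_id and mac[:6] not in ouis:
            findings.append((port, mac))
    return findings


if __name__ == "__main__":
    for port, mac in unexpected_voice_hosts(CONFIG, MAC_TABLE):
        print(f"port {port}: {mac} is in the voice VLAN but has no phone OUI")
```

An OUI match is a heuristic rather than authentication, so treat a hit as a prompt to inspect the port, not as proof either way.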

  • Wireless voice vlan

    Can someone point me to a link for setting up voice vlan? We're trying to use Cisco wireless phone 7920 and would like to know about setting up the voice vlan. Thank you very much.

    http://www.cisco.com/en/US/products/hw/phones/ps379/products_implementation_design_guide_book09186a00802a029a.html
