Cisco Layer 3, Voice, & VLAN
I have a vSphere 5.5 install and I'm in the process of a network upgrade in preparation for a VOIP implementation. The Switch hardware I'm using is a stack of Cisco 3850 Layer 3 switches and I've been going in circles on getting vlan traffic to work correctly. Hopefully someone can point me in the right direction.
I have one NIC connected to the switch (10GB fiber) that will handle all traffic for the esxi host (except for management). VLAN ID is set to None (0) and load balancing is set to Route based on originating virtual port.
I have 2 subnets, 10.1.0.0/16 (data & management, VLAN 1) and 10.10.1.0/24 (Voice, VLAN 10)
On the host I have a Win 2012 R2 server that will be a VOIP PBX host. It must be able to communicate with the IP phones (VLAN 10) and other servers (VLAN 1).
The switches will do the intervlan routing.
Finally my question - Can anyone give me some hints on how to set up the interface on the Cisco for the 10GB fiber connection from my host? Actual port settings would be extremely helpful. Anything I'm doing at the vmware end that I should be doing differently?
In case anyone comes across this in a search, here's what I ended up with. First, the Cisco switch:
switchport trunk allowed vlan 1,10
switchport mode trunk
switchport nonegotiate
switchport voice vlan 10
macro description cisco-switch
spanning-tree portfast
spanning-tree link-type point-to-point
The virtual switch I set to all vlan IDs and Route based on originating virtual port.
Similar Messages
DHCP and voice vlan on Cisco 3560 switch
Greetings,
I'm setting up a Cisco 3560 switch for voice and data comms. I'm looking for documentation with best practice guidelines for the following requirements.
1. Using the Cisco 3560 as a DHCP server - Config examples. Do I need to use different subnets for the voice and data vlans?
2. Layer 2 CoS QoS - I'm connecting Aastra phones as well as notebooks - I've been told that Aastra also makes use of the voice VLAN config through LLDP and that Aastra phones support CDP.
Your assistance will be appreciated.
Hi,
Cisco recommends that you have a separate vlan for voice and data with different ip subnets for voice and data. You will need to configure the dhcp pool accordingly.
Here is the config guide for setting up IOS DHCP server:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html
Here are the LAN QoS recommendations:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/netstruc.html#wp1044009
Cisco voice vlans w/ nortel VOIP system
Hello everyone,
I am going to segment a network with a Nortel VOIP system. Right now, the network is completely flat with PCs plugged into the back of the Nortel phones. I would like to set up a voice VLAN for the Nortel phones but am not sure if voice VLANs will work with non-Cisco phones (CDP). Please provide me some insight if you can. Thanks!
If you are using recent Cisco switches it is quite easy.
Using 4006 SUP III core switches or 3560 PSE's should be okay.
If you have Nortel Phase II phones they can also be powered by the 802.3 cisco switches with no probs.
Anyway, set the switchport mode to switchport voice vlan. Set spanning tree portfast and configure QoS as you see fit on the port. Configure the voice vlan on the switch, e.g. switchport voice vlan 111. You may need to configure the port to switchport mode dynamic desirable as well. Some older switches may have problems, but you can enable trunking to cheat and then set a default vlan for the PC on the switchport.
As regards the phones: when the phone reboots and you enter the configuration mode via flipping the 4 soft keys, you should then see the vlan option; configure the same vlan number on the phone as on the Cisco switch, e.g. 111.
The phone should then register again without any problems. All i2002/i2004 firmware for last 2 years has the vlan option. I looked after about 400 nortel phones all on cisco switches of various ages with only minor setting up issues.
Best of luck
Simon
Passing Voice VLAN through a non-Cisco switch
Hi All,
Will a non-Cisco switch (no 802.1q support) that is put between a Cisco IP Telephone and a Cisco Catalyst switch (which is configured with an auxiliary Voice VLAN) pass voice VLAN frames and CDP?
Any switch should pass on either ISL (which is Cisco proprietary and hence not supported on non-Cisco) or IEEE 802.1Q frames, or else it cannot support voice VLANs. And non-Cisco switches do not support CDP as it is once again a Cisco proprietary protocol.
Cisco sg200 voice vlan dhcp issue
I have a Cisco SG200 50P connected to a Cisco 3750 switch. I just wanted to separate the voice (VLAN 2) and data (VLAN 1) VLANs. I created VLAN 2 as my voice VLAN and a separate DHCP server for VLAN 2 to give IP addresses to phones. However, the IP phone connected to my voice VLAN (VLAN 2) is not receiving an IP address from my DHCP server in VLAN 2.
the dhcp server is connected to 3750 switch with an access port (vlan2-voice)
two switches are connected via trunk ports and allowed vlan 1&2
ip phone is connected to sg200 via access port (vlan 2) -
note - there is no pc connected to ip phone
I really appreciate if anyone can help me with this issue
Hi Tom
Thank you for the support. The phone is now getting the IP from the DHCP on its own VLAN (vlan2 ) according to your configuration. However i need to configure the auto voice VLAN based on OUI feature which is in SG200 switch.
The problem is, the switch does not allow me to configure the auto voice VLAN feature when the port connected to the IP phone is in ACCESS mode (it has to be a trunk). I know according to Cisco Catalyst guidelines this is totally incorrect because they say "Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed"
I think it's not valid for Small Business switches. Anyway, when I make the said port TRUNK it works (by assigning 1U & 2T automatically). But the phone does not get an IP address from my DHCP server then.
Can you help me with this if I am missing some configuration. Thank you once again
Video conferencing, voice, VLAN and Catalyst 2950, 3500 and 6500 switches
We have a Cat6500 with MSFC in the COre/Distribution, mix of 2950 and 3524XL in the closets in the HQ. Every closet will be on one VLAN. There are 5 remote sites on a Frame with 768 CIR. There will be one Polycom VC station in the HQ per closet, one Polycom per remote site. Additionally, every PC everywhere will be using desktop NetMeeting for VC. CallManager and IP Phones will be everywhere. My questions are:
1. Should I put the Polycom on the same VLAN as the PCs with CoS set to 4 at layer 2 and IP Precedence set to 4 at layer 3? IP Phones are already on a separate voice VLAN.
2. Should I put the Polycom on its own VLAN, separate from the PC VLANs? If I do it this way should I set CoS and IP precedence for the PCs with NetMeeting?
3. any sample config. for the Catalyst switches?
Thanks!
Chris
Chris,
Check out this IP telephony design guide. Hope it is of some help to you:
http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/network/
Inter-VLAN routing, Auto-Voice VLAN and IP Address-Helper
Hope that somebody can help me with the setup in the screenshot.
Planning to use Auto-Voice VLAN and Smartports to configure VOIP
LLDP-MED will be enabled on the switch to detect the IP phones so they will be moved to the Voice VLAN (if not, the first 6 signs will be added to the OUI table). The Voice VLAN ID will be 2 >> Voice VLAN will be automatically enabled once a device is recognized as an IP phone, right?
Workstations will be connected to the Cisco switch, VLAN data will be untagged and will remain on the native VLAN.
Smartports will be used to configure the ports (macros) >> Should configure the ports as trunks and assign the correct VLANs, right?
But how do I configure the IP Helper-Address? Do I have to create the Voice VLAN on both switches and then run the command "IP Helper Address" to specify a DHCP server? From what I've been reading it's required, when using Inter-VLAN routing, to configure the VLAN interface with an IP address. But it's going to give problems when both switches are connected to each other and both have the same VLAN configured including the same IP address assigned to their VLAN interface?
Normal data should pass the ASA firewall, VOIP traffic should go through the Vigor modem to a hosted VOIP provider. The best way, i assume, is to configure 2 separate scopes on the DHCP server?
Still confused on how to set it up, hope that someone can point me in the right direction
If you're sending voice to only the Vigor modem then there is no need for a trunk between the SF-300 and the Vigor modem. You can just set that to an untagged packet for VLAN 2 between that switch and the Vigor modem.
On the 'edge' SF300 where the IP phone/PC is it is obviously going to interoute there and of course the phone port is tagged and PC port is untagged.
For the IP helper, it uses UDP-RELAY and it should be enabled on the port itself and enabled in the global configuration. You may also need option 82. Also keep in mind, depending how your DHCP server works, it may need option 82 configured as well, or at least a route to understand the subnets in the layer 3 environment to get traffic across the VLANs.
SRW224G4P : voice vlan problem
Hi guys ,
I've a problem with tagged VLANs on my SRW224G4P.
I've got the following scenario:
one cisco 2801-CCME/k9 router
one cisco small business SRW224G4P layer 2 managed switch
ten cisco IP phone 7940 and 7931
ten personal computer
I need to use the embedded switch on the phone to connect the computer. I need to have 2 separate VLANs for data and voice traffic.
I configured the SRW224G4P's first 12 ports as follows:
interface ethernet 1/x
switchport allowed vlan add 199 untagged
switchport native vlan 199
switchport allowed vlan remove 1
switchport mode hybrid
switchport allowed vlan add 150 tagged
spanning-tree cost 100000
spanning-tree edge-port
where vlan 199 is for data and vlan 150 is for voice .
I set the following DHCP pools on the 2801:
ip dhcp pool phones
network 192.168.150.0 255.255.255.0
default-router 192.168.150.1
domain-name cmedeis.local
option 150 ip 192.168.150.1
ip dhcp pool PC
network 192.168.199.0 255.255.255.0
default-router 192.168.199.1
and configured router-on-a-stick as follows:
interface FastEthernet0/0.150
description CME interface
encapsulation dot1Q 150
ip address 192.168.150.1 255.255.255.0
interface FastEthernet0/0.199
encapsulation dot1Q 199
ip address 192.168.199.1 255.255.255.0
My problem is that the phones connected to the switch ports don't recognize tagged traffic and don't take an IP from the correct DHCP pool of VLAN 150.
With a Cisco 2960 PoE switch I configured switchport voice vlan 150 and switchport access vlan 199 and all is fine, but this small business switch doesn't handle the switchport voice attribute and I can't separate the voice and data VLANs.
Does someone have an idea how to avoid this problem?
Need some help, please.
Bye
Good posts as always Christopher!
As Christopher mentions you will need to hard code the voice vlan on all of the phones. The phones will send the voice traffic via this vlan, and the PCs will send untagged traffic.
I hope you do not mind a tangent and I hope this is not too great of a distraction, but the thought of QoS and security came to my mind as I read this post.
Besides the vlan problems, which I am sure we can get through, there is also a concern.
Any chance you would consider a 3560 for this deployment? You have quite a few Cisco phones, a Cisco router, and many PCs. The Cisco switch would give you CDP, which would be useful for the voice vlan and power settings, as well as the important automatic QoS and security settings.
On my 3560, I applied a smart port macro. A smart port macro is a series of best practices / command sets put into a simple to use command. The one I applied is called cisco-phone. Here is the output before and after:
c3560(config)#do sho run int f0/18
interface FastEthernet0/18
end
c3560(config)#int f0/18
c3560(config-if)#macr app cisco-phone
c3560(config-if)#sw voice vlan 5
c3560(config-if)#sw ac vl 1
c3560(config-if)#do sho run int f0/18
interface FastEthernet0/18
switchport mode access
switchport voice vlan 5
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
end
The switch automatically globally enabled mls qos and configured the many class-maps and policy-maps, and applied them all accordingly. As you know, it is important to establish the trust boundaries when doing voice and QoS. These switches also use SRR, which is a very good way of applying shaping.
Does this help? I hope so. Please fire back any thoughts or questions you may have.
Andrew Lee Lissitz
SG-300 28P switches problem with VLAN Data and Voice, working all the time as Voice VLAN
Hi Everyone,
Thank you very much for your help in advance. I'm pulling my hair out to fix the problem.
I just got the new SG-300 28P switches. My boss ordered them for me. I did not know how it runs until now... not IOS based. I really do not know how to configure it.
I have 2 VLANs, Data and Voice.
- Data VLAN ID is 2 IP 192.168.2.X/255.255.255.0
- Voice VLAN ID is 200 IP 192.168.22.X/255.255.255.0
- I created two vlans, in switch, Data and Voice.
- On the port number 28, it is trunk by default, so I add Data vlan ID 2 tagged.
- On the port number 26, it is trunk by default, so I add Voice vlan ID 200 tagged.
- On the port number 27, I add Data vlan ID 2 tagged for Data vlan out.
- Port settings No.1
I set it up as Trunk with Data vlan 2 untagged, and 200 Tagged (voice vlan). I plugged in a phone with a pc attached. But the PC will get to the vlan 200 to get the DHCP address, but no from vlan 2. The Phone works with correct vlan ip.
- Port settings No.2
Trunk with vlan 1UP, 2T, and 200T. The phone is even worse. Would never pick up any IP from DHCP.
- Port settings No.3
Access with 200U...of course the phone will work... and the PC could not get to its own vlan. Instead, the PC got an ip from the voice vlan. Not from VLAN 2.
I have a Linksys phone; I'm not sure if this helps.
For more information, I set up in the switch:
- enable voice vlan
- set the port on auto voice vlan
- enable LLDP-MED globally
- create a network policy to assign VLAN 200
- assign this network policy to the port the phone is connected to.
I hope this information helps you to help me set up the Data and Voice VLANs, so that the phone works on Voice VLAN 200 (IP range 192.168.22.X) and the PC behind the phone works on Data VLAN 2 (IP range 192.168.2.X).
I just got done setting up voice VLANs on an SF 300-24P and verified working. This was working with Cisco 7900 series phones connected to a Cisco UC setup.
Here's my sample config.
Note that I edited this by hand before posting, so doing a flat out tftp restore probably won't work. However, this should give you a clue. Also, don't take this as 100% accurate or correct. I've only been working with these things for about a week, though I've worked with the older Linksys SRW switches for a couple of years. I'm a CCNP/CCDP.
VLAN 199 is my management VLAN and is the native VLAN on 802.1q trunks.
VLAN 149 is the data/computer VLAN here.
VLAN 111 is the voice/phone VLAN here.
VLAN 107 does nothing.
interface range ethernet e(1-24)
port storm-control broadcast enable
exit
interface ethernet e1
port storm-control include-multicast
exit
interface ethernet e2
port storm-control include-multicast
exit
interface ethernet e3
port storm-control include-multicast
exit
interface ethernet e4
port storm-control include-multicast
exit
interface ethernet e5
port storm-control include-multicast
exit
interface ethernet e6
port storm-control include-multicast
exit
interface ethernet e7
port storm-control include-multicast
exit
interface ethernet e8
port storm-control include-multicast
exit
interface ethernet e9
port storm-control include-multicast
exit
interface ethernet e10
port storm-control include-multicast
exit
interface ethernet e11
port storm-control include-multicast
exit
interface ethernet e12
port storm-control include-multicast
exit
interface ethernet e13
port storm-control include-multicast
exit
interface ethernet e14
port storm-control include-multicast
exit
interface ethernet e15
port storm-control include-multicast
exit
interface ethernet e16
port storm-control include-multicast
exit
interface ethernet e17
port storm-control include-multicast
exit
interface ethernet e18
port storm-control include-multicast
exit
interface ethernet e19
port storm-control include-multicast
exit
interface ethernet e20
port storm-control include-multicast
exit
interface ethernet e21
port storm-control include-multicast
exit
interface ethernet e22
port storm-control include-multicast
exit
interface ethernet e23
port storm-control include-multicast
exit
interface ethernet e24
port storm-control include-multicast
exit
interface range ethernet g(1-4)
description "Uplink trunk"
exit
interface range ethernet g(1-4)
switchport default-vlan tagged
exit
interface range ethernet e(21-24)
switchport mode access
exit
vlan database
vlan 107,111,149,199
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 107
exit
interface range ethernet e(21-24)
switchport access vlan 111
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 111
exit
interface range ethernet e(1-20)
switchport trunk native vlan 149
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 149
exit
interface range ethernet g(1-4)
switchport trunk native vlan 199
exit
voice vlan aging-timeout 5
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
voice vlan oui-table add 108ccf MyCiscoIPPhones1
voice vlan oui-table add 40f4ec MyCiscoIPPhones2
voice vlan oui-table add 8cb64f MyCiscoIPPhones3
voice vlan id 111
voice vlan cos 6 remark
interface ethernet e1
voice vlan enable
exit
interface ethernet e1
voice vlan cos mode all
exit
interface ethernet e2
voice vlan enable
exit
interface ethernet e2
voice vlan cos mode all
exit
interface ethernet e3
voice vlan enable
exit
interface ethernet e3
voice vlan cos mode all
exit
interface ethernet e4
voice vlan enable
exit
interface ethernet e4
voice vlan cos mode all
exit
interface ethernet e5
voice vlan enable
exit
interface ethernet e5
voice vlan cos mode all
exit
interface ethernet e6
voice vlan enable
exit
interface ethernet e6
voice vlan cos mode all
exit
interface ethernet e7
voice vlan enable
exit
interface ethernet e7
voice vlan cos mode all
exit
interface ethernet e8
voice vlan enable
exit
interface ethernet e8
voice vlan cos mode all
exit
interface ethernet e9
voice vlan enable
exit
interface ethernet e9
voice vlan cos mode all
exit
interface ethernet e10
voice vlan enable
exit
interface ethernet e10
voice vlan cos mode all
exit
interface ethernet e11
voice vlan enable
exit
interface ethernet e11
voice vlan cos mode all
exit
interface ethernet e12
voice vlan enable
exit
interface ethernet e12
voice vlan cos mode all
exit
interface ethernet e13
voice vlan enable
exit
interface ethernet e13
voice vlan cos mode all
exit
interface ethernet e14
voice vlan enable
exit
interface ethernet e14
voice vlan cos mode all
exit
interface ethernet e15
voice vlan enable
exit
interface ethernet e15
voice vlan cos mode all
exit
interface ethernet e16
voice vlan enable
exit
interface ethernet e16
voice vlan cos mode all
exit
interface ethernet e17
voice vlan enable
exit
interface ethernet e17
voice vlan cos mode all
exit
interface ethernet e18
voice vlan enable
exit
interface ethernet e18
voice vlan cos mode all
exit
interface ethernet e19
voice vlan enable
exit
interface ethernet e19
voice vlan cos mode all
exit
interface ethernet e20
voice vlan enable
exit
interface ethernet e20
voice vlan cos mode all
exit
interface ethernet e1
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e2
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e3
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e4
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e5
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e6
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e7
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e8
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e9
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e10
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e11
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e12
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e13
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e14
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e15
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e16
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e17
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e18
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e19
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e20
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e21
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e22
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e23
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e24
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet g1
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet g2
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet g3
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet g4
lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
exit
interface ethernet e1
lldp med notifications topology-change enable
exit
interface ethernet e2
lldp med notifications topology-change enable
exit
interface ethernet e3
lldp med notifications topology-change enable
exit
interface ethernet e4
lldp med notifications topology-change enable
exit
interface ethernet e5
lldp med notifications topology-change enable
exit
interface ethernet e6
lldp med notifications topology-change enable
exit
interface ethernet e7
lldp med notifications topology-change enable
exit
interface ethernet e8
lldp med notifications topology-change enable
exit
interface ethernet e9
lldp med notifications topology-change enable
exit
interface ethernet e10
lldp med notifications topology-change enable
exit
interface ethernet e11
lldp med notifications topology-change enable
exit
interface ethernet e12
lldp med notifications topology-change enable
exit
interface ethernet e13
lldp med notifications topology-change enable
exit
interface ethernet e14
lldp med notifications topology-change enable
exit
interface ethernet e15
lldp med notifications topology-change enable
exit
interface ethernet e16
lldp med notifications topology-change enable
exit
interface ethernet e17
lldp med notifications topology-change enable
exit
interface ethernet e18
lldp med notifications topology-change enable
exit
interface ethernet e19
lldp med notifications topology-change enable
exit
interface ethernet e20
lldp med notifications topology-change enable
exit
interface ethernet e21
lldp med notifications topology-change enable
exit
interface ethernet e22
lldp med notifications topology-change enable
exit
interface ethernet e1
lldp med enable network-policy poe-pse
exit
interface ethernet e2
lldp med enable network-policy poe-pse
exit
interface ethernet e3
lldp med enable network-policy poe-pse
exit
interface ethernet e4
lldp med enable network-policy poe-pse
exit
interface ethernet e5
lldp med enable network-policy poe-pse
exit
interface ethernet e6
lldp med enable network-policy poe-pse
exit
interface ethernet e7
lldp med enable network-policy poe-pse
exit
interface ethernet e8
lldp med enable network-policy poe-pse
exit
interface ethernet e9
lldp med enable network-policy poe-pse
exit
interface ethernet e10
lldp med enable network-policy poe-pse
exit
interface ethernet e11
lldp med enable network-policy poe-pse
exit
interface ethernet e12
lldp med enable network-policy poe-pse
exit
interface ethernet e13
lldp med enable network-policy poe-pse
exit
interface ethernet e14
lldp med enable network-policy poe-pse
exit
interface ethernet e15
lldp med enable network-policy poe-pse
exit
interface ethernet e16
lldp med enable network-policy poe-pse
exit
interface ethernet e17
lldp med enable network-policy poe-pse
exit
interface ethernet e18
lldp med enable network-policy poe-pse
exit
interface ethernet e19
lldp med enable network-policy poe-pse
exit
interface ethernet e20
lldp med enable network-policy poe-pse
exit
interface ethernet e21
lldp med enable network-policy poe-pse
exit
interface ethernet e22
lldp med enable network-policy poe-pse
exit
lldp med network-policy 1 voice vlan 111 vlan-type tagged
interface range ethernet e(1-22)
lldp med network-policy add 1
exit
interface vlan 199
ip address 199.16.30.77 255.255.255.0
exit
ip default-gateway 199.16.30.3
interface vlan 1
no ip address dhcp
exit
no bonjour enable
bonjour service enable csco-sb
bonjour service enable http
bonjour service enable https
bonjour service enable ssh
bonjour service enable telnet
hostname psw1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
management access-list Management1
permit ip-source 10.22.5.5 mask 255.255.255.0
exit
logging 199.16.31.33 severity debugging description mysysloghost
aaa authentication enable Console local
aaa authentication enable SSH tacacs local
aaa authentication enable Telnet local
ip http authentication tacacs local
ip https authentication tacacs local
aaa authentication login Console local
aaa authentication login SSH tacacs local
aaa authentication login Telnet local
line telnet
login authentication Telnet
enable authentication Telnet
password admin
exit
line ssh
login authentication SSH
enable authentication SSH
password admin
exit
line console
login authentication Console
enable authentication Console
password admin
exit
username admin password admin level 15
power inline usage-threshold 90
power inline traps enable
ip ssh server
snmp-server location in-the-closet
snmp-server contact [email protected]
ip http exec-timeout 30
ip https server
ip https exec-timeout 30
tacacs-server host 1.2.3.4 key spaceballz timeout 3 priority 10
clock timezone -7
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 199.16.30.1
sntp server 199.16.30.2
ip domain-name mydomain.com
ip name-server 199.16.5.12 199.16.5.13
ip telnet server
802.1x, voice vlan and IP phone
Hi, I reviewed many posts here, and I still need the clarification how 802.1x on the switch works with non-Cisco IP phone (not supporting CDP) and PC connected to the PC port. If I configure 802.1x on a switch port, along with access and voice vlan, next I configure the static voice vlan on the non-Cisco phone, will it be possible to authenticate the user on the PC and bypass authentication for IP phone? Is CDP required in such scenario - (non-Cisco IP phone doesn't support it)?
Regards,
Krzysztof
You need CDP for touchless interop. CDP can of course be spoofed though, so proceed with caution anyway.
You need multi-domain authentication to appropriately deal with non-Cisco phones and port-based access-control. See here to get started:
<http://www.cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a008077a284.html#wp1231964>
Hope this helps,
Potential Security Hole with 802.1x and Voice VLANs?
I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. - and they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport), they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked, but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
Has anyone done any research into this potential security hole?
Thanks
Andy
Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
Andy
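A defender-side check for the scenario Andy raises, as an added example that is not part of the thread: it parses the 802.1Q header of captured frames (the frames here are constructed) and flags anything tagged with the voice VLAN whose source OUI is not in the phone OUI table. The OUI entries and voice VLAN 111 are taken from the SF 300 config posted earlier on this page; the sample MAC addresses are made up.

```python
"""Flag 802.1Q frames tagged with the voice VLAN whose source MAC OUI is not a
known phone OUI. Added example: the frames are constructed, the OUI list is
the 'voice vlan oui-table' from the SF 300 config earlier on this page, and
VLAN 111 is that config's voice VLAN."""
import struct

VOICE_VLAN = 111
TPID_8021Q = 0x8100

# First three octets (hex, no separators) of the posted oui-table entries.
PHONE_OUIS = {
    "0001e3", "00036b", "00096e", "000fe2", "0060b9", "00d01e",
    "00e075", "00e0bb", "108ccf", "40f4ec", "8cb64f",
}

# Constructed sample frames: dst(6) src(6) [TPID TCI] ethertype payload.
SAMPLE_FRAMES = [
    # phone with a listed Cisco OUI, tagged VLAN 111 with PCP 5 (TCI 0xa06f)
    bytes.fromhex("ffffffffffff" "00036baabbcc" "8100" "a06f" "0800" + "00" * 8),
    # workstation NIC (made-up MAC) sending frames tagged VLAN 111, PCP 0
    bytes.fromhex("ffffffffffff" "005056112233" "8100" "006f" "0800" + "00" * 8),
    # same workstation, untagged IPv4: ordinary data traffic
    bytes.fromhex("ffffffffffff" "005056112233" "0800" + "00" * 8),
    # same workstation tagged with data VLAN 149 (TCI 0x0095): fine
    bytes.fromhex("ffffffffffff" "005056112233" "8100" "0095" "0800" + "00" * 8),
]


def parse_frame(frame):
    """Return (dst, src, vlan_id, pcp, ethertype); vlan_id and pcp are None
    when the frame carries no 802.1Q tag. Raises ValueError when truncated."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6].hex(), frame[6:12].hex()
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID
    return dst, src, tci & 0x0FFF, tci >> 13, inner_type


def is_phone_oui(mac_hex):
    """True when the MAC's OUI is in the switch's voice oui-table."""
    return mac_hex[:6].lower() in PHONE_OUIS


def audit_frames(frames, voice_vlan=VOICE_VLAN):
    """Return (src_mac, pcp) for each frame tagged with the voice VLAN from a
    source whose OUI the switch would not have classified as a phone."""
    findings = []
    for frame in frames:
        _, src, vlan_id, pcp, _ = parse_frame(frame)
        if vlan_id == voice_vlan and not is_phone_oui(src):
            findings.append((src, pcp))
    return findings


if __name__ == "__main__":
    for src, pcp in audit_frames(SAMPLE_FRAMES):
        print(f"voice VLAN {VOICE_VLAN} frame from non-phone OUI {src[:6]} (PCP {pcp})")
```

In practice the frames would come from a SPAN/mirror session on the voice VLAN; since MAC addresses are not authenticated, an OUI match is only a triage heuristic, and the structural fix is port-based access control (multi-domain 802.1x) as the earlier thread suggests.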
I had read articles on CCO, and I believed for the same switch port we can have 802.1x configured and the voice vlan configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone data port will get authenticated.
I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, and the phone connected to a switch port configured with 802.1x. But I failed to add the voice vlan command. Why?
interface GigabitEthernet9/48
description temporary port
switchport
switchport access vlan 12
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
CIG01-ENT-SW1(config-if)#switchport voice vlan 14
Command rejected: Gi9/48 is Dot1x enabled port.
Using IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
- VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
- PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
What kind of switch do you have? On a 3550 I can configure the port for both vvid and pvid:
interface FastEthernet0/1
switchport access vlan 3
switchport mode access
switchport voice vlan 2
no ip address
dot1x port-control auto
spanning-tree portfast
end
Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authenticated:
under the interface configure "dot1x host-mode multi-host"
Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes, it does not look like dot1x and vvlan can play together on that platform.
-
Setting up a Test Voice VLAN for Lync 2013
I want to set up a second voice vlan to be a test vlan.
In the current situation the customer has voice and data running on vlan1. The customer insists on taking incremental steps to improve QoS. I have advocated separate vlans for voice and data. They just want to move everything (phase 1) to a different vlan. They want to see how getting all traffic off vlan 1 will improve their performance. Again, I recommended the best practice; they want to try this approach first.
I am conducting a pilot test with just one cx600 IP phone and a single switchport. I created a new vlan99 using VTP. I configured the switchports on the Cisco 2960-X switch as follows.
#switchport mode access
#switchport access vlan 99
The phone gets its correct vlan id, and pulls its IP from the correct dhcp scope. However the phone displays "connecting with the lync server" for a long time, then "connecting to download its certificates". This takes a long time then fails.
If I change the switchport back to vlan1 it works fine. What can be the problem? Does the vlan99 need to be defined on the lync server? How many vlans can be supported by Lync 2013?
Thank you,
gigiu
Did you set the VLAN Configuration for Lync Phone Edition?
You can check the following links:
http://blog.schertz.name/2011/01/manual-vlan-configuration-for-lync-phone-edition/
http://www.bricomp.com/blogs/post.cfm/dedicated-voice-vlan-for-lync-devices
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Lisa Zheng
TechNet Community Support
-
Hey guys,
I am pretty sure my subject is kinda confusing. Sorry about that. Here is what happened.
1. 4510R with Supervisor V 1000BaseX: switched over to the standby Sup, then reseated the active SUP; once the reseat was complete, switched again to get the reseated SUP up and running as the active SUP.
2. A simple maintenance which was supposed to cause no outage, and it did not cause any outage.
3. However, what I did not notice was that even though the voice vlan was configured to access 2353, they were accessing vlan 453.
4. The change was made 2 weeks prior to this maintenance, where the voice vlans were previously accessing 453 and they were all changed to access 2353. Configs were saved.
5. However, after the maintenance, the running config showed that they were accessing 2353, but when checking the mac address on the interface, it was seen accessing 453.
6. The fix was to remove the config and re-add it; that fixed it.
Has anyone else experienced this issue? What really happened there?
software version: Version 15.0(2)SG5
#sh module
Chassis Type : WS-C4510R
Power consumed by backplane : 40 Watts
Mod Ports Card Type                              Model
---+-----+--------------------------------------+------------------
  1     2 Supervisor V 1000BaseX (GBIC)          WS-X4516
  2     2 Supervisor V 1000BaseX (GBIC)          WS-X4516
  3    48 10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V
  5    48 10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V
  6    48 10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V
  7    48 10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V
  8    48 10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V
  9    48 10/100/1000BaseT (RJ45)V, Cisco/IEEE   WS-X4548-GB-RJ45V
Configs were saved many times prior to the maintenance. I did a "write mem".
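An added example, not taken from any of the posts above, that serves both the 802.1x/voice-VLAN thread and this one: a small Python audit that parses IOS interface stanzas, flags voice-VLAN ports that have no 802.1X or that leave 802.1X in single-host mode (so the PC behind the phone is never authenticated, as the thread above explains), and compares the VLAN each port's MAC entries are learned in against the configured access/voice VLANs, which is the 2353-versus-453 mismatch described in this post. The running-config excerpt, MAC-table rows, port names, VLAN IDs and MAC addresses are all constructed placeholders.

```python
# Constructed running-config (not the thread's own): Gi9/48 runs 802.1X single-host, Gi3/1 has none.
RUNNING_CONFIG = """\
interface GigabitEthernet9/48
 switchport access vlan 12
 switchport voice vlan 14
 dot1x port-control auto
!
interface GigabitEthernet3/1
 switchport access vlan 12
 switchport voice vlan 2353
!
"""
# Constructed 'show mac address-table' rows (vlan, mac, type, port); Gi3/1 is learned in 453, not 2353.
MAC_TABLE = """\
  14    0011.2233.4455    DYNAMIC     Gi9/48
 453    0011.2233.4466    DYNAMIC     Gi3/1
"""
def parse_interfaces(config):
    """Map short port name (Gi3/1, as the MAC table prints it) to its config lines."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1].replace("GigabitEthernet", "Gi")
            ifaces[cur] = set()
        elif line.startswith(" ") and cur:
            ifaces[cur].add(line.strip())
    return ifaces

def audit_dot1x(ifaces):
    """Voice-VLAN ports where 802.1X is missing or left in single-host mode."""
    findings = {}
    for port, lines in ifaces.items():
        if not any(l.startswith("switchport voice vlan ") for l in lines):
            continue
        if "dot1x port-control auto" not in lines:
            findings[port] = "voice VLAN without 802.1X: a PC tagging the VVID joins it unauthenticated"
        elif "dot1x host-mode multi-host" not in lines:
            findings[port] = "single-host mode: the PC behind the phone is not authenticated"
    return findings

def audit_vlan_drift(ifaces, mac_table):
    """Ports whose MAC-table VLAN is neither the configured access nor voice VLAN."""
    drift = {}
    for row in mac_table.splitlines():
        vlan, _mac, _kind, port = row.split()
        allowed = {l.split()[-1] for l in ifaces.get(port, ())
                   if l.startswith(("switchport access vlan ", "switchport voice vlan "))}
        if port in ifaces and vlan not in allowed:
            drift[port] = vlan
    return drift
```

Run it against captured `show running-config` and `show mac address-table` output after a supervisor switchover to catch the saved-but-not-applied VLAN case before the phones do.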
-
Help w/Voice VLAN on SMB 300-10p
We have purchased several new SMB 300 switches to support our VoIP rollout and save cost. I'm used to using the CLI on Cisco devices, but now I'm stuck figuring out the GUI that comes with these switches.
I have set up the Voice VLAN to be 100, I have set up the port type as general, and I have added the port to VLAN 4 (data vlan). When I plug the NEC phone into the switchport and the computer into the phone, the computer gets an IP in VLAN 4 but the phone gets an IP from VLAN 1, not VLAN 100.
Like I said, I set the Voice VLAN to 100, but when I look at the Macro for the smartport it is saying the voice vlan is 1. Do I have to manually change the macro somehow? Can I change the macro somehow?
Sorry I don't have a lot of info in this post. If you need to know how anything else is configured just ask and I'll post it up.
Thanks
Karl
Hi Karl,
You can use the serial db9 console cable that came with it for a hardwired connection (I use putty):
Also you can enable telnet and/or ssh: Status and Statistics -> System Summary, look for TCP/UDP services status and then hit Edit, enable what you want, hit apply, and remember to save the config. Also, you can go right to Security -> TCP/UDP services to enable:
Best,
David
Please remember to rate helpful posts and identify correct answers.