PVLANs used with Voice VLANs

Hi,
I am working on a LAN design that incorporates both Voice and Data and wondered if it is possible to have a switchport configured to be private VLAN and have a Voice VLAN configured as well?
Thanks

No, according to the configuration guide on Private vlans:
Do not configure private VLAN ports on interfaces configured for these other features:
• Port Aggregation Protocol (PAgP)
• Link Aggregation Control Protocol (LACP)
• Voice VLAN
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
Please rate all posts.

Similar Messages

  • Cat 3750 with Voice VLAN and Dynamic VLANs

    Morning,
    Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
    Is a RADIUS server able to provide values to change the native vlan?
    Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
    Thanks,

    Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access vlan - so in 2950 or above the only config you need is:
    interface FastEthernet0/1
    switchport
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This is effectively the same as:
    interface FastEthernet0/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,100
    The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
    With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
    QoS is not detailed anywhere here and that obviously plays an important role with voice.
    In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PCs (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non 802.1x capable devices). This seems to me more of a VMPS application.
    Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
    HTH
    Andy

  • Silent Monitor and Call record with voice vlan

    We are pretty new to CCX, and want to get silent monitor and call recording working. I've read a bunch of troubleshooting docs, and a bunch of the discussions here, but I am still unable to get it to work the way that I want.
    Here's the setup. The phones are all set to the recommended settings, and the agent PC is plugged into the phone. The data vlan is 111 and the voice vlan is 222. When I run the nicq prog on the agent PC, it cannot find the phone, but I can enter the IP in, and it sees the phone. The supervisor laptop cannot monitor or record.
    If I change the voice vlan to 111, nicq still cannot find the phone, but the supervisor can record and monitor with no problem. Is it an issue with 802.1q and perhaps my NICs do not support it?
    CCX Ver:
    8.5.1.11004-25

    Hi
    It could be, but it's pretty rare.
    Have you enabled 'PC Port Voice VLAN Access' and 'SPAN to PC Port' on the phone?
    Have you tried alternate PCs/laptops on the back of that phone?
    Aaron

  • Dot1x with voice vlan

    Hi guys,
    Recently I have configured the dot1x security feature on the Cisco c3650x switches with IOS 15.2(1)E. But when I added voice vlan to the port, the IP phone can't register.
    My switch port configuration as below:
    interface GigabitEthernet0/47
    switchport mode access
    switchport voice vlan 60
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    authentication event fail action authorize vlan 203
    authentication event no-response action authorize vlan 203
    authentication host-mode multi-host
    authentication port-control auto
    mls qos trust device cisco-phone
    mls qos trust cos
    macro description USER
    dot1x pae authenticator
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQoS-Police-CiscoPhone
    Guys, please advise: is there any other feature that should be activated on the switch to resolve this issue? I have done all the configuration on the guidance of Cisco documents.
    BR
    Rashad

    duplicate post: https://supportforums.cisco.com/thread/2248853?tstart=0

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy

  • 802.1x and Voice VLAN

    I had read articles on CCO, and I believed that on the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone data port will get authenticated.
    I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, with the phone connected to a switch port configured with 802.1x. But I failed to add the voice vlan command. Why?
    interface GigabitEthernet9/48
    description temporary port
    switchport
    switchport access vlan 12
    switchport mode access
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    CIG01-ENT-SW1(config-if)#switchport voice vlan 14
    Command rejected: Gi9/48 is Dot1x enabled port.

    Using IEEE 802.1x Authentication with Voice VLAN Ports
    A voice VLAN port is a special access port associated with two VLAN identifiers:
    • VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
    • PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
    In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
    When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
    What kind of switch do you have? In 3550 I can configure the port for both vvid and pvid:
    interface FastEthernet0/1
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    end
    Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authentication:
    under the interface configure "dot1x host-mode multi-host"
    Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes, it does not look like dot1x and vvlan can play together on that platform.
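
The restrictions quoted on this page (no voice VLAN on a private VLAN port, PVID different from VVID on an 802.1x port, multiple-hosts mode letting additional clients onto the voice VLAN) can be checked mechanically against a saved configuration. The Python linter below is an added example, not part of the original thread or of any Cisco tool; the sample stanzas are constructed from the configs posted on this page, the finding names are hypothetical, and which combinations a switch accepts varies by platform, as the thread itself shows.

```python
import re

# Constructed sample, modelled on the interface configs posted on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/47
 switchport mode access
 switchport voice vlan 60
 authentication host-mode multi-host
 authentication port-control auto
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 2
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport access vlan 14
 switchport mode private-vlan host
 switchport voice vlan 14
 dot1x port-control auto
"""

# Both the older "dot1x ..." and the newer "authentication ..." forms appear on the page.
DOT1X_ON = {"dot1x port-control auto", "authentication port-control auto"}
MULTI_HOST = {"dot1x host-mode multi-host", "authentication host-mode multi-host"}


def parse_interfaces(text):
    """Split IOS-style config text into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse indentation and repeated spaces
        if line.lower().startswith("interface "):
            current = line.split(" ", 1)[1]
            # Some platforms repeat a stanza for the same port; merge the repeats.
            interfaces.setdefault(current, [])
        elif line in ("", "!", "end", "exit"):
            current = None
        elif current is not None:
            interfaces[current].append(line.lower())
    return interfaces


def vlan_id(cmds, prefix):
    """Return the numeric VLAN in '<prefix> <id>', or None (e.g. 'voice vlan dot1p')."""
    for cmd in cmds:
        match = re.fullmatch(re.escape(prefix) + r" (\d+)", cmd)
        if match:
            return int(match.group(1))
    return None


def audit_port(cmds):
    """Apply the rules quoted on the page to one port's sub-commands."""
    voice = vlan_id(cmds, "switchport voice vlan")
    if voice is None:
        return []  # no numeric voice VLAN on this port, nothing to check
    findings = []
    dot1x = any(cmd in DOT1X_ON for cmd in cmds)
    if any(cmd.startswith(("switchport mode private-vlan", "switchport private-vlan"))
           for cmd in cmds):
        findings.append("PVLAN_WITH_VOICE_VLAN")
    if dot1x and vlan_id(cmds, "switchport access vlan") == voice:
        findings.append("PVID_EQUALS_VVID")
    if dot1x and any(cmd in MULTI_HOST for cmd in cmds):
        # One authenticated supplicant on the PVID opens the VVID to other clients.
        findings.append("MULTI_HOST_SHARES_VOICE_VLAN")
    return findings


def audit(text):
    """Return {interface name: [finding, ...]} for every interface in the config."""
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(text).items()}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, findings or "ok")
```

A port that reports MULTI_HOST_SHARES_VOICE_VLAN is one where the Layer-3 ACLs on the voice VLAN carry the weight of keeping non-voice traffic out.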

  • Inter-VLAN routing, Auto-Voice VLAN and IP Address-Helper

    Hope that somebody can help me with the setup in the screenshot. 
    Planning to use Auto-Voice VLAN and Smartports to configure VOIP
    LLDP-MED will be enabled on the switch to detect the IP phones so they will be moved to the Voice VLAN (If not the first 6 signs will be added to the OID table). The Voice VLAN ID will be 2 >> Voice VLAN will be automatically enabled once a device is recognized as an IP phone right?
    Workstations will be connected to the Cisco switch, VLAN data will be untagged and will remain on the native VLAN.
    Smartports will be used to configure the ports (Macro's) >> Should configure the ports as trunks as assigns the correct VLANs right?
    But how do I configure the IP Helper-Address? Do I have to create the Voice VLAN on both switches and then run the command "IP Helper Address" to specify a DHCP server? From what I've been reading it's required, when using Inter-VLAN routing, to configure the VLAN interface with an IP address. But it's going to give problems when both switches are connected to each other and both have the same VLAN configured including the same IP address assigned to their VLAN interface?
    Normal data should pass  the ASA firewall, VOIP traffic should go through the Vigor modem to a hosted VOIP provider. The best way, i assume, is to configure 2 separate scopes on the DHCP server?
    Still confused on how to set it up, hope that someone can point me in the right direction

    If you're sending voice to only the Vigor modem then there is no need for a trunk between the SF-300 and the Vigor modem. You can just set that to an untag packet for the VLAN 2 between that switch and the Vigor modem.
    On the 'edge' SF300 where the IP phone/PC is it is obviously going to interoute there and of course the phone port is tagged and PC port is untagged.
    For the IP helper, it uses UDP-RELAY and it should be enabled on the port itself and enabled on the global configuration. You may also need option 82. Also keep in mind, depending how your DHCP server works, it may need option 82 configured as well or at least a route to understand the subnets in the layer 3 environment to get traffic across the VLANS.

  • Applying command switchport voice vlan

     Hi everyone,
    At customer setup they have implemented VOIP and as they have to meet the deadlines for this project and they are in rush  they want all the switch  ports where users are connected should be configured for voice vlan.
    As we have server,printers and other devices also connected to these switches.
    If I configure int range fa0/1 - 48 with voice vlan command will it cause any issue to devices connected to the switch other than user PC?
    Regards
    MAhesh

    Any issues to ports w/o a VoIP phone but configured with a voice VLAN?  Well, broadcast traffic on the VoIP VLAN will go to each port configured with a voice VLAN, but on a VoIP VLAN I wouldn't expect there to be too much of this traffic.  So it shouldn't be significant.

  • Does the Sennheiser MM50 work with Voice Control?

    I'm not double posting -- over at "using 3Gs" I asked if anyone had any idea what other earphones I could use with voice control, but after researching these Sennheiser MM50 iP phones look like just the ticket... except I'm not sure they work with the voice control itself.
    They have a mic and a pause/answer button -- has anyone tried theirs to see if it will do the same job on voice control as the Apple earbuds do? (Which, IMHO, is superb). I do hate to give up volume control, but I can live without it for better overall sound (too bad the VC doesn't allow you to just say "louder" or "softer" <g>.

    Mike Kelley wrote:
    I'm not double posting -- over at "using 3Gs" I asked if anyone had any idea what other earphones I could use with voice control, but after researching these Sennheiser MM50 iP phones look like just the ticket... except I'm not sure they work with the voice control itself.
    They have a mic and a pause/answer button -- has anyone tried theirs to see if it will do the same job on voice control as the Apple earbuds do? (Which, IMHO, is superb). I do hate to give up volume control, but I can live without it for better overall sound (too bad the VC doesn't allow you to just say "louder" or "softer" <g>.
    I would assume all earphones work that have a mic. No reason why they shouldn't

  • Voice VLAN config with multiple IP Phone systems

    We currently have a legacy TDM ACD system used by the Call Centre running alongside CUCM 8.5 which is used by back office and admin staff.
    When we implemented the Call Manager we configured all our access ports with the Voice VLAN to make any office moves and changes straight forward, regardless of whether or not the position would have a Cisco phone i.e. a cisco phone could be plugged into any floor port throughout the building and it would register.
    Currently I am in the planning stages of replacing the legacy ACD system with Avaya Aura which will be running side by side with CUCM. My concern is that every time there are office moves, the access ports are going to have to be reconfigured to the Voice VLAN of the relevant system depending on which type of phone is at that desk.
    Has anyone had similar experiences and found a solution?
    Not ideal I presume, but was wondering if we could use the same Voice VLAN for both systems?

    It's just a VLAN. Don't sweat it, stick them all in the same one. Nothing will explode.
    Each phone system will have its own way of locating the call processor.
    CUCM = DHCP Option 150
    Mitel = Some other DHCP option (128-130, and some others)
    Avaya = DHCP option 176
    etc...
    So you can set all these on your scope, and each phone type will find its server...
    Aaron

  • Voice VLAN with SRW224G4P

    Hi all,
    I have been trying to config a voice vlan into these switches for the last 3 hours and for me this is impossible... I know how to do it in an IOS switch but with these switches it is a nightmare...
    I have this topology,
    PC ---- IP phone ----- SW1 SRW224G4P -------- SWCORE SRW2024 --------- Router 2921 CME
    I have this config in my router,
    interface GigabitEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    description LAN
    encapsulation dot1Q 1 native
    ip address 192.168.5.95 255.255.255.0
    ip virtual-reassembly in
    interface GigabitEthernet0/0.100
    description Voice VLAN
    encapsulation dot1Q 100
    ip address 192.168.251.1 255.255.255.0
    ip virtual-reassembly in
    SW1 has created the VLAN 100 and enabled as VOICE VLAN
    The first 3 octets of the MAC of my phone are inserted into the Telephony OUI Table
    The Auto Voice VLAN Membership is enabled in the port where phone is attached.
    The port that is connected to SWCORE has the vlan 100 configured as tagged.
    SWCORE has created the VLAN 100 and enabled as VOICE VLAN
    The port that is connected to SW1 has the vlan 100 configured as tagged.
    The port that is connected to router CME has the vlan 100 configured as tagged.
    If I config other port into SWCORE with VLAN 100 tagged I can ping from CME to that host.
    Could the problem be a vlan propagation error?
    Could somebody help me? I am desperate...
    Thank you in advance.

    Hi David,
    Thank you for the purchase of the switch.
    Like anything, even riding a bike, the switch is actually very easy to configure, if you have a little bit of practice on it.
    You mentioned you are using the "Telephony OUI Table", I guess you have a SF300-24P or ordering p/n SRW224G4P-K9-NA. Please be specific with the switch models you are using.
    Are you using the older SRW series or the refreshed SRWxxx-K9 (300 series) switch in the core?
    Firstly, make sure you are using version 1.1.0.73 of the switch firmware. Do that change now or verify that 1.1.0.73 is the active image on the switch.
    The switch has two areas for storing firmware images.  It stores the new firmware in the unused image area.  Check the administration guide for how to upgrade firmware and select new firmware for the next reboot.
    CDP is enabled on the switch when you use the new software, it was not there with older firmware, hence my insistence at upgrading firmware.
    (Personally I would prefer you to have a catalyst switch for your ISRG2 CME application, for tech support purposes. But this is the land of the free..)
    I found the following when I added my SG300-28P  to a VLAN aware UC500.
    The UC500  was advertising vlan100 as a voice vlan, configured that by Cisco Configuration Assistant, you might try CCP on your ISR.
    I had a IP phone plugged into switch port G7 and a uplink to my UC500 via port Gig27. 
    The following in blue is a screen copy from my 300 series switch CLI interface.
    You will note the switch automatically populated both VLAN and port information, the only command I added was "no passwords complexity enable," and some usernames, which I removed from the screen capture below.
    The switch basically configured itself.
    ------------------ show system ------------------
    System Description:                       28-port Gigabit PoE Managed Switch
    System Up Time (days,hour:min:sec):       00,00:12:04
    System Contact:                          
    System Name:                              switch4cf17c
    System Location:                         
    System MAC Address:                       d0:d0:fd:4c:f1:7c
    System Object ID:                         1.3.6.1.4.1.9.6.1.83.28.2
    Fans Status:                              OK
    ------------------ show version ------------------
    SW version   1.1.0.73 ( date  19-Jun-2011 time  18:10:49 )
    Boot version  1.0.0.4 ( date  08-Apr-2010 time  16:37:57 )
    HW version    V01
      Gateway IP Address        Activity status       Type  
    192.168.10.1            Active                  dhcp    
        IP Address         I/F       Type       Status   
    192.168.10.17/24    vlan 1    DHCP        Valid      
    ------------------ show ipv6 interface ------------------
    IPv6 is disabled on all interfaces
    ------------------ show running-config ------------------
    interface gigabitethernet7
    storm-control broadcast level 10
    exit
    interface gigabitethernet7
    storm-control include-multicast
    exit
    interface  gi27
    spanning-tree link-type point-to-point
    exit
    vlan database
    vlan 100
    exit
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname switch4cf17c
    no passwords complexity enable
    no snmp-server server
    interface gigabitethernet7
    macro description ip_phone_desktop
    exit
    interface gigabitethernet27
    macro description "switch | no_switch | switch"
    exit
    interface gigabitethernet7
    !next command is internal.
    macro auto smartport dynamic_type ip_phone_desktop
    switchport trunk allowed vlan add 100
    exit
    interface gigabitethernet27
    !next command is internal.
    macro auto smartport dynamic_type switch
    switchport trunk allowed vlan add 100
    exit
    switch4cf17c#sh cdp nei
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone
                      M - Remotely-Managed Device, C - CAST Phone Port,
                      W - Two-Port MAC Relay
      Device ID        Local      Adv  Time To Capability   Platform     Port ID
                       Interface  Ver. Live
    SEP503De50F133A      gi7      2     158      H P     CISCO IP        eth0
                                                         Phone
                                                         SPA525G2
    68bdab0fdcfd        gi27      2     169      S I     Cisco SG         gi9
                                                         300-10P
                                                                                               (PID:SRW2008P-K9)-VSD
    switch4cf17c#sh vlan
    Vlan       Name                   Ports                Type     Authorization
    1           1                gi1-28,Po1-8           Default      Required
    100         100                 gi7,gi27            permanent    Required
    Switch automatically figures which ports should be tagged into VLAN 100.
    I did not tell the switch it was connected to VLAN100. I did not add vlan100 to the VLAN database.
    So get the ISR router to advertise VLAN100 as a voice vlan.
    regards Dave

  • Voice VLAN with Nortel

    I am using 3750 stacks in the access closet with the floor VLANs routed through a 4500. I am trying to determine the best way to get the Nortel IP phone to attach to the voice VLAN and have the internal port default to whatever the floor VLAN is. I am using Microsoft DHCP and I will not initialy trust the port but use a policy to set the trusts. Does anyone use Nortel and what do you believe is the best way to set this? Are there any documents anyone may be aware of to lead me in the right direction?
    Thanks

    Take a look at the following post.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=IP%20Telephony&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddbd67a
    Hope this helps. If so, please rate the post.
    Brandon

  • 51 APs on voice vlan with 110 802.11 Handsets and 300 VoIP handsets?

    There are 51 APs with 110 Symbol 802.11 voip handsets, along with 400+ Mitel VoIP Handsets on one vlan..using mask 255.255.240.0 should I be asking if this is excessive multicast traffic ?
    Anyone used the IAPP with Aeronet? Any drawbacks, feedback? Should the APs/802.11 VoIP Phones be on their own vlan rather than the voice vlan?

    Jason,
    Let me answer your question with another question - RTP streams from your phones would be unicast, unless you were using applications like multicast paging or multicast MOH. Are there any of these applications present?
    For seamless roaming, you will want the APs to be located on the same VLAN and use the same SSIDs and addressing scheme across your wireless infrastructure. You could separate it from your voice VLAN for segmentation purposes, so long as DHCP services and QoS is present on your APs and distribution switches on the wireless VLAN.
    A quick estimation of the traffic involved is 7.04Mb/s if every phone was being used simultaneously with a G.711 codec. Bandwidth would generally not be an issue, but latency and jitter are your priorities. Depending on how your wireless network is laid out, you shouldn't have more than 8-12 phones associated to a single AP or jitter, latency and retransmissions will become an issue.
    Hope this helps.
    Pat

  • I tried using the Voice Memos iPhone app and ended up with a red banner on top of the screen that flashes "recording 00.00" but I can't locate what I thought I was recording.  can you help me?

    I tried using the Voice Memos iPhone app and ended up with a red banner on top of the screen that flashes "recording 00.00" but I can't locate what I thought I was recording.  can you help me?
    jacknil

    I found an answer to this on another page (I was having the same problem) This worked for me:
    Double-click the Home button.
    Swipe left or right until you have located the app you wish to close.
    Swipe the app up to close it.
    more here: https://discussions.apple.com/thread/5596831
