Voice VLAN with SRW224G4P

Hi all,
I have been trying to configure a voice VLAN on these switches for the last 3 hours and for me this is impossible... I know how to do it on an IOS switch, but with these switches it is a nightmare...
I have this topology,
PC ---- IP phone ----- SW1 SRW224G4P -------- SWCORE SRW2024 --------- Router 2921 CME
I have this config in my router,
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
interface GigabitEthernet0/0.1
description LAN
encapsulation dot1Q 1 native
ip address 192.168.5.95 255.255.255.0
ip virtual-reassembly in
interface GigabitEthernet0/0.100
description Voice VLAN
encapsulation dot1Q 100
ip address 192.168.251.1 255.255.255.0
ip virtual-reassembly in
SW1 has VLAN 100 created and enabled as the VOICE VLAN.
The first 3 octets of the MAC of my phone are inserted into the Telephony OUI Table.
The Auto Voice VLAN Membership is enabled on the port where the phone is attached.
The port that is connected to SWCORE has VLAN 100 configured as tagged.
SWCORE has VLAN 100 created and enabled as the VOICE VLAN.
The port that is connected to SW1 has VLAN 100 configured as tagged.
The port that is connected to the CME router has VLAN 100 configured as tagged.
If I configure another port on SWCORE with VLAN 100 tagged, I can ping from CME to that host.
Could the problem be a VLAN propagation error?
Could somebody help me? I am desperate...
Thank you in advance.

Hi David,
Thank you for the purchase of the switch.
Like anything, even riding a bike, the switch is actually very easy to configure if you have a little bit of practice on it.
You mentioned you are using the "Telephony OUI Table"; I guess you have a SF300-24P or ordering p/n SRW224G4P-K9-NA. Please be specific with the switch models you are using.
Are you using the older SRW series or the refreshed SRWxxx-K9 (300 series) switch in the core?
Firstly, make sure you are using version 1.1.0.73 of the switch firmware. Do that change now or verify that 1.1.0.73 is the active image on the switch.
The switch has two areas for storing firmware images.  It stores the new firmware in the unused image area.  Check the administration guide for how to upgrade firmware and select new firmware for the next reboot.
CDP is enabled on the switch when you use the new software; it was not there with older firmware, hence my insistence on upgrading firmware.
(Personally I would prefer you to have a Catalyst switch for your ISRG2 CME application, for tech support purposes. But this is the land of the free.)
I found the following when I added my SG300-28P  to a VLAN aware UC500.
The UC500 was advertising VLAN 100 as a voice VLAN, configured by Cisco Configuration Assistant; you might try CCP on your ISR.
I had an IP phone plugged into switch port G7 and an uplink to my UC500 via port Gig27.
The following in blue is a screen copy from my 300 series switch CLI interface.
You will note the switch automatically populated both VLAN and port information; the only command I added was "no passwords complexity enable," and some usernames, which I removed from the screen capture below.
The switch basically configured itself.
------------------ show system ------------------
System Description:                       28-port Gigabit PoE Managed Switch
System Up Time (days,hour:min:sec):       00,00:12:04
System Contact:                          
System Name:                              switch4cf17c
System Location:                         
System MAC Address:                       d0:d0:fd:4c:f1:7c
System Object ID:                         1.3.6.1.4.1.9.6.1.83.28.2
Fans Status:                              OK
------------------ show version ------------------
SW version   1.1.0.73 ( date  19-Jun-2011 time  18:10:49 )
Boot version  1.0.0.4 ( date  08-Apr-2010 time  16:37:57 )
HW version    V01
  Gateway IP Address        Activity status       Type  
192.168.10.1            Active                  dhcp    
    IP Address         I/F       Type       Status   
192.168.10.17/24    vlan 1    DHCP        Valid      
------------------ show ipv6 interface ------------------
IPv6 is disabled on all interfaces
------------------ show running-config ------------------
interface gigabitethernet7
storm-control broadcast level 10
exit
interface gigabitethernet7
storm-control include-multicast
exit
interface  gi27
spanning-tree link-type point-to-point
exit
vlan database
vlan 100
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname switch4cf17c
no passwords complexity enable
no snmp-server server
interface gigabitethernet7
macro description ip_phone_desktop
exit
interface gigabitethernet27
macro description "switch | no_switch | switch"
exit
interface gigabitethernet7
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
switchport trunk allowed vlan add 100
exit
interface gigabitethernet27
!next command is internal.
macro auto smartport dynamic_type switch
switchport trunk allowed vlan add 100
exit
switch4cf17c#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone
                  M - Remotely-Managed Device, C - CAST Phone Port,
                  W - Two-Port MAC Relay
  Device ID        Local      Adv  Time To Capability   Platform     Port ID
                   Interface  Ver. Live
SEP503De50F133A      gi7      2     158      H P     CISCO IP        eth0
                                                     Phone
                                                     SPA525G2
68bdab0fdcfd        gi27      2     169      S I     Cisco SG         gi9
                                                     300-10P
                                                                                           (PID:SRW2008P-K9)-VSD
switch4cf17c#sh vlan
Vlan       Name                   Ports                Type     Authorization
1           1                gi1-28,Po1-8           Default      Required
100         100                 gi7,gi27            permanent    Required
Switch automatically figures which ports should be tagged into VLAN 100.
I did not tell the switch it was connected to VLAN100. I did not add vlan100 to the VLAN database.
So get the ISR router to advertise VLAN100 as a voice vlan.
regards Dave

Similar Messages

  • Voice VLANs with Multiple IP Phone Systems

    We currently have a legacy TDM ACD system used by the Call Centre running alongside CUCM 8.5 which is used by back office and admin staff.
    When we implemented the Call Manager we configured all our access ports with the Voice VLAN to make any office moves and changes straight forward, regardless of whether or not the position would have a Cisco phone i.e. a cisco phone could be plugged into any floor port throughout the building and it would register.
    Currently I am in the planning stages of replacing the legacy ACD system with Avaya Aura which will be running side by side with CUCM. My concern is that every time there are office moves, the access ports are going to have to be reconfigured to the Voice VLAN of the relevant system depending on which type of phone is at that desk.
    Has anyone had similar experiences and found a solution?
    Not ideal I presume, but was wondering if we could use the same Voice VLAN for both systems?

    It's just a VLAN. Don't sweat it, stick them all in the same one. Nothing will explode.
    Each phone system will have its own way of locating the call processor.
    CUCM = DHCP Option 150
    Mitel = Some other DHCP option (128-130, and some others)
    Avaya = DHCP option 176
    etc...
    So you can set all these on your scope, and each phone type will find its server...
    Aaron

  • Voice VLAN with Nortel

    I am using 3750 stacks in the access closet with the floor VLANs routed through a 4500. I am trying to determine the best way to get the Nortel IP phone to attach to the voice VLAN and have the internal port default to whatever the floor VLAN is. I am using Microsoft DHCP and I will not initially trust the port but use a policy to set the trusts. Does anyone use Nortel and what do you believe is the best way to set this? Are there any documents anyone may be aware of to lead me in the right direction?
    Thanks

    Take a look at the following post.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=IP%20Telephony&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddbd67a
    Hope this helps. If so, please rate the post.
    Brandon

  • 51 APs on voice vlan with 110 802.11 Handsets and 300 VoIP handsets?

    There are 51 APs with 110 Symbol 802.11 VoIP handsets, along with 400+ Mitel VoIP handsets on one VLAN, using mask 255.255.240.0. Should I be asking if this is excessive multicast traffic?
    Has anyone used IAPP with Aironet? Any drawbacks, feedback? Should the APs/802.11 VoIP phones be on their own VLAN rather than the voice VLAN?

    Jason,
    Let me answer your question with another question - RTP streams from your phones would be unicast, unless you were using applications like multicast paging or multicast MOH. Are there any of these applications present?
    For seamless roaming, you will want the APs to be located on the same VLAN and use the same SSIDs and addressing scheme across your wireless infrastructure. You could separate it from your voice VLAN for segmentation purposes, so long as DHCP services and QoS is present on your APs and distribution switches on the wireless VLAN.
    A quick estimation of the traffic involved is 7.04Mb/s if every phone was being used simultaneously with a G.711 codec. Bandwidth would generally not be an issue, but latency and jitter are your priorities. Depending on how your wireless network is laid out, you shouldn't have more than 8-12 phones associated to a single AP or jitter, latency and retransmissions will become an issue.
    Hope this helps.
    Pat

  • SRW224G4P : voice vlan problem

    Hi guys ,
    I have a problem with tagged VLANs on my SRW224G4P.
    I've got the following scenario:
    one cisco 2801-CCME/k9 router
    one cisco small business SRW224G4P layer 2 managed switch
    ten cisco IP phone 7940 and 7931
    ten personal computer
    I need to use the embedded switch on the phone to connect the computer. I need to
    have 2 separate VLANs for data and voice traffic.
    I configured srw224g4p first 12 ports as follows
    interface ethernet 1/x
    switchport allowed vlan add 199 untagged
    switchport native vlan 199
    switchport allowed vlan remove 1
    switchport mode hybrid
    switchport allowed vlan add 150 tagged
    spanning-tree cost 100000
    spanning-tree edge-port
    where vlan 199 is for data and vlan 150 is for voice .
    I set following dhcp pool on 2801
    ip dhcp pool phones
    network 192.168.150.0 255.255.255.0
    default-router 192.168.150.1
    domain-name cmedeis.local
    option 150 ip 192.168.150.1
    ip dhcp pool PC
    network 192.168.199.0 255.255.255.0
    default-router 192.168.199.1
    and configured router on a stick as follows
    interface FastEthernet0/0.150
    description CME interface
    encapsulation dot1Q 150
    ip address 192.168.150.1 255.255.255.0
    interface FastEthernet0/0.199
    encapsulation dot1Q 199
    ip address 192.168.199.1 255.255.255.0
    My problem is that phones connected to the switch ports don't recognize tagged
    traffic and don't take an IP from the correct DHCP pool of VLAN 150.
    With a Cisco 2960 PoE switch I configured switchport voice vlan 150 and
    switchport access vlan 199 and all is fine, but this small business switch doesn't
    handle the switchport voice attribute and I can't separate the voice and data VLANs.
    Does someone have an idea how to avoid this problem?
    Need some help, please.
    Bye

    Good posts as always Christopher!
    As Christopher mentions you will need to hard code the voice vlan on all of the phones.  The phones will send the voice traffic via this vlan, and the PCs will send untagged traffic. 
    I hope you do not mind a tangent and I hope this is not too great of a distraction, but the thought of QoS and security came to my mind as I read this post.
    Besides the vlan problems, which I am sure we can get through, there is also a concern.
    Any chance you would consider a 3560 for this deployment?  You have quite a few Cisco phones, a Cisco router, and many PCs. The Cisco switch would give you CDP, which would be useful for the voice vlan and power settings, as well as the important automatic QoS and security settings.
    On my 3560, I applied a smart port macro.  A smart port macro is a series of best practices / command sets put into a simple to use command.  The one I applied is called cisco-phone.  Here is the output before and after:
    c3560(config)#do sho run int f0/18
    interface FastEthernet0/18
    end
    c3560(config)#int f0/18
    c3560(config-if)#macr app cisco-phone
    c3560(config-if)#sw voice vlan 5
    c3560(config-if)#sw ac vl 1
    c3560(config-if)#do sho run int f0/18
    interface FastEthernet0/18
    switchport mode access
    switchport voice vlan 5
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape  10  0  0  0
    mls qos trust device cisco-phone
    mls qos trust cos
    macro description cisco-phone
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    end
    The switch automatically globally enabled mls qos and configured the many class-maps, policy-maps, and applied them all accordingly.  As you know, it is important to establish the trust boundaries when doing voice and QoS.  These switches also use SRR, which is a very good way of applying shaping.
    Does this help?  I hope so.  Please fire back any thoughts or questions you may have.
    Andrew Lee Lissitz

  • SG-300 28P switches problem with VLAN Data and Voice, working all the time as Voice VLAN

    Hi Everyone,
    Thank you very much for your help in advance. I’m pulling my hair to fix the problem.
    I just got the new SG-300 28P switches. My Bios ordered for me. I did not know how it runs until now... not IOS based. I really do not know how to configure it.
    I have 2 VLAN are Data and Voice.
    -          Data VLAN ID is 2 IP 192.168.2.X/255.255.255.0
    -          Voice VLAN ID is 200 IP 192.168.22.X/255.255.255.0
    -          I created two vlans, in switch, Data and Voice.
    -          On the port number 28, it is trunk by default, so I add Data vlan ID 2 tagged.
    -          On the port number 26, it is trunk by default, so I add Voice vlan ID 200 tagged.
    -          On the port number 27, I add Data vlan ID 2 tagged for Data vlan out.
    -          Port settings No.1
    I set it up as Trunk with Data VLAN 2 untagged, and 200 tagged (voice VLAN). I plugged in a phone with a PC attached. But the PC will go to VLAN 200 to get the DHCP address, and not from VLAN 2. The phone works with the correct VLAN IP.
    -          Port settings No.2
    Trunk with vlan 1UP, 2T, and 200T. The phone is even worse. Would never pick up any IP from DHCP.
    -          Port settings No.3
    Access with 200U... of course the phone will work... and the PC could not get to its own VLAN. Instead, the PC got an IP from the voice VLAN. Not from VLAN 2.
    I have a Linksys phone; I’m not sure if this helps.
    For more information, I set up the following in the switch:
    - enable voice vlan
    - set the port on auto voice vlan
    - enable LLDP-MED globally
    - create a network policy to assign VLAN 200
    - assign this network policy to the port the phone is connected to.
    I hope this information helps you to help me set up the Data and Voice VLANs, so that I can plug in the phone to work with Voice VLAN 200 (IP range 192.168.22.X), and from phone to PC have the PC work on Data VLAN 2 (IP range 192.168.2.X).

    I just got done setting up voice VLANs on an SF 300-24P and verified working.  This was working with Cisco 7900 series phones connected to a Cisco UC setup.
    Here's my sample config.
    Note that I edited this by hand before posting, so doing a flat out tftp restore probably won't work.  However, this should give you a clue.  Also, don't take this as 100% accurate or correct.  I've only been working with these things for about a week, though I've worked with the older Linksys SRW switches for a couple of years.  I'm a CCNP/CCDP.
    VLAN 199 is my management VLAN and is the native VLAN on 802.1q trunks.
    VLAN 149 is the data/computer VLAN here.
    VLAN 111 is the voice/phone VLAN here.
    VLAN 107 does nothing.
    interface range ethernet e(1-24)
    port storm-control broadcast enable
    exit
    interface ethernet e1
    port storm-control include-multicast
    exit
    interface ethernet e2
    port storm-control include-multicast
    exit
    interface ethernet e3
    port storm-control include-multicast
    exit
    interface ethernet e4
    port storm-control include-multicast
    exit
    interface ethernet e5
    port storm-control include-multicast
    exit
    interface ethernet e6
    port storm-control include-multicast
    exit
    interface ethernet e7
    port storm-control include-multicast
    exit
    interface ethernet e8
    port storm-control include-multicast
    exit
    interface ethernet e9
    port storm-control include-multicast
    exit
    interface ethernet e10
    port storm-control include-multicast
    exit
    interface ethernet e11
    port storm-control include-multicast
    exit
    interface ethernet e12
    port storm-control include-multicast
    exit
    interface ethernet e13
    port storm-control include-multicast
    exit
    interface ethernet e14
    port storm-control include-multicast
    exit
    interface ethernet e15
    port storm-control include-multicast
    exit
    interface ethernet e16
    port storm-control include-multicast
    exit
    interface ethernet e17
    port storm-control include-multicast
    exit
    interface ethernet e18
    port storm-control include-multicast
    exit
    interface ethernet e19
    port storm-control include-multicast
    exit
    interface ethernet e20
    port storm-control include-multicast
    exit
    interface ethernet e21
    port storm-control include-multicast
    exit
    interface ethernet e22
    port storm-control include-multicast
    exit
    interface ethernet e23
    port storm-control include-multicast
    exit
    interface ethernet e24
    port storm-control include-multicast
    exit
    interface range ethernet g(1-4)
    description "Uplink trunk"
    exit
    interface range ethernet g(1-4)
    switchport default-vlan tagged
    exit
    interface range ethernet e(21-24)
    switchport mode access
    exit
    vlan database
    vlan 107,111,149,199
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 107
    exit
    interface range ethernet e(21-24)
    switchport access vlan 111
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 111
    exit
    interface range ethernet e(1-20)
    switchport trunk native vlan 149
    exit
    interface range ethernet g(1-4)
    switchport trunk allowed vlan add 149
    exit
    interface range ethernet g(1-4)
    switchport trunk native vlan 199
    exit
    voice vlan aging-timeout 5
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    voice vlan oui-table add 108ccf MyCiscoIPPhones1
    voice vlan oui-table add 40f4ec MyCiscoIPPhones2
    voice vlan oui-table add 8cb64f MyCiscoIPPhones3
    voice vlan id 111
    voice vlan cos 6 remark
    interface ethernet e1
    voice vlan enable
    exit
    interface ethernet e1
    voice vlan cos mode all
    exit
    interface ethernet e2
    voice vlan enable
    exit
    interface ethernet e2
    voice vlan cos mode all
    exit
    interface ethernet e3
    voice vlan enable
    exit
    interface ethernet e3
    voice vlan cos mode all
    exit
    interface ethernet e4
    voice vlan enable
    exit
    interface ethernet e4
    voice vlan cos mode all
    exit
    interface ethernet e5
    voice vlan enable
    exit
    interface ethernet e5
    voice vlan cos mode all
    exit
    interface ethernet e6
    voice vlan enable
    exit
    interface ethernet e6
    voice vlan cos mode all
    exit
    interface ethernet e7
    voice vlan enable
    exit
    interface ethernet e7
    voice vlan cos mode all
    exit
    interface ethernet e8
    voice vlan enable
    exit
    interface ethernet e8
    voice vlan cos mode all
    exit
    interface ethernet e9
    voice vlan enable
    exit
    interface ethernet e9
    voice vlan cos mode all
    exit
    interface ethernet e10
    voice vlan enable
    exit
    interface ethernet e10
    voice vlan cos mode all
    exit
    interface ethernet e11
    voice vlan enable
    exit
    interface ethernet e11
    voice vlan cos mode all
    exit
    interface ethernet e12
    voice vlan enable
    exit
    interface ethernet e12
    voice vlan cos mode all
    exit
    interface ethernet e13
    voice vlan enable
    exit
    interface ethernet e13
    voice vlan cos mode all
    exit
    interface ethernet e14
    voice vlan enable
    exit
    interface ethernet e14
    voice vlan cos mode all
    exit
    interface ethernet e15
    voice vlan enable
    exit
    interface ethernet e15
    voice vlan cos mode all
    exit
    interface ethernet e16
    voice vlan enable
    exit
    interface ethernet e16
    voice vlan cos mode all
    exit
    interface ethernet e17
    voice vlan enable
    exit
    interface ethernet e17
    voice vlan cos mode all
    exit
    interface ethernet e18
    voice vlan enable
    exit
    interface ethernet e18
    voice vlan cos mode all
    exit
    interface ethernet e19
    voice vlan enable
    exit
    interface ethernet e19
    voice vlan cos mode all
    exit
    interface ethernet e20
    voice vlan enable
    exit
    interface ethernet e20
    voice vlan cos mode all
    exit
    interface ethernet e1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e5
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e6
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e7
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e8
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e9
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e10
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e11
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e12
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e13
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e14
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e15
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e16
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e17
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e18
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e19
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e20
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e21
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e22
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e23
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e24
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g1
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g2
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g3
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet g4
    lldp optional-tlv port-desc sys-name sys-desc sys-cap 802.3-mac-phy 802.3-lag 802.3-max-frame-size
    exit
    interface ethernet e1
    lldp med notifications topology-change enable
    exit
    interface ethernet e2
    lldp med notifications topology-change enable
    exit
    interface ethernet e3
    lldp med notifications topology-change enable
    exit
    interface ethernet e4
    lldp med notifications topology-change enable
    exit
    interface ethernet e5
    lldp med notifications topology-change enable
    exit
    interface ethernet e6
    lldp med notifications topology-change enable
    exit
    interface ethernet e7
    lldp med notifications topology-change enable
    exit
    interface ethernet e8
    lldp med notifications topology-change enable
    exit
    interface ethernet e9
    lldp med notifications topology-change enable
    exit
    interface ethernet e10
    lldp med notifications topology-change enable
    exit
    interface ethernet e11
    lldp med notifications topology-change enable
    exit
    interface ethernet e12
    lldp med notifications topology-change enable
    exit
    interface ethernet e13
    lldp med notifications topology-change enable
    exit
    interface ethernet e14
    lldp med notifications topology-change enable
    exit
    interface ethernet e15
    lldp med notifications topology-change enable
    exit
    interface ethernet e16
    lldp med notifications topology-change enable
    exit
    interface ethernet e17
    lldp med notifications topology-change enable
    exit
    interface ethernet e18
    lldp med notifications topology-change enable
    exit
    interface ethernet e19
    lldp med notifications topology-change enable
    exit
    interface ethernet e20
    lldp med notifications topology-change enable
    exit
    interface ethernet e21
    lldp med notifications topology-change enable
    exit
    interface ethernet e22
    lldp med notifications topology-change enable
    exit
    interface ethernet e1
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e2
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e3
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e4
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e5
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e6
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e7
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e8
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e9
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e10
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e11
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e12
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e13
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e14
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e15
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e16
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e17
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e18
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e19
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e20
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e21
    lldp med enable network-policy poe-pse
    exit
    interface ethernet e22
    lldp med enable network-policy poe-pse
    exit
    lldp med network-policy 1 voice vlan 111 vlan-type tagged
    interface range ethernet e(1-22)
    lldp med network-policy add 1
    exit
    interface vlan 199
    ip address 199.16.30.77 255.255.255.0
    exit
    ip default-gateway 199.16.30.3
    interface vlan 1
    no ip address dhcp
    exit
    no bonjour enable
    bonjour service enable csco-sb
    bonjour service enable http  
    bonjour service enable https 
    bonjour service enable ssh   
    bonjour service enable telnet
    hostname psw1
    line console
    exec-timeout 30
    exit
    line ssh
    exec-timeout 30
    exit
    line telnet
    exec-timeout 30
    exit
    management access-list Management1
    permit ip-source 10.22.5.5 mask 255.255.255.0
    exit
    logging 199.16.31.33 severity debugging description mysysloghost
    aaa authentication enable Console local
    aaa authentication enable SSH tacacs local
    aaa authentication enable Telnet local
    ip http authentication tacacs local
    ip https authentication tacacs local
    aaa authentication login Console local
    aaa authentication login SSH tacacs local
    aaa authentication login Telnet local
    line telnet
    login authentication Telnet
    enable authentication Telnet
    password admin
    exit
    line ssh
    login authentication SSH
    enable authentication SSH
    password admin
    exit
    line console
    login authentication Console
    enable authentication Console
    password admin
    exit
    username admin password admin level 15
    power inline usage-threshold 90
    power inline traps enable
    ip ssh server
    snmp-server location in-the-closet
    snmp-server contact [email protected]
    ip http exec-timeout 30
    ip https server
    ip https exec-timeout 30
    tacacs-server host 1.2.3.4 key spaceballz  timeout 3  priority 10
    clock timezone -7
    clock source sntp
    sntp unicast client enable
    sntp unicast client poll
    sntp server 199.16.30.1
    sntp server 199.16.30.2
    ip domain-name mydomain.com
    ip name-server  199.16.5.12 199.16.5.13
    ip telnet server

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy

  • Silent Monitor and Call record with voice vlan

    We are pretty new to CCX, and want to get silent monitor and call recording working. I've read a bunch of troubleshooting docs, and a bunch of the discussions here, but I am still unable to get it to work the way that I want.
    Here's the setup. The phones are all set to the recommended settings, and the agent PC is plugged into the phone. The data VLAN is 111 and the voice VLAN is 222. When I run the nicq prog on the agent PC, it cannot find the phone, but I can enter the IP in, and it sees the phone. The supervisor laptop cannot monitor or record.
    If I change the voice VLAN to 111, nicq still cannot find the phone, but the supervisor can record and monitor with no problem. Is it an issue with 802.1q and perhaps my NICs do not support it?
    CCX Ver:
    8.5.1.11004-25

    Hi
    It could be, but it's pretty rare.
    Have you enabled 'PC Port Voice VLAN Access' and 'SPAN to PC Port' on the phone?
    Have you tried alternate PCs/laptops on the back of that phone?
    Aaron

  • About SRW224G4P Voice vlan issue

    Hi,
    I've configured the SRW with many VLANs, using VLAN 212 for voice and 348 for data, and connected a Cisco IP Phone.
    vlan database
    vlan 210-216,345-348
    exit
    voice vlan id 212
    interface fastethernet1
     storm-control broadcast enable
     storm-control broadcast level 10
     storm-control include-multicast
     port security max 10
     port security mode max-addresses
     port security discard trap 60
     spanning-tree portfast
     switchport trunk allowed vlan add 212
     switchport trunk native vlan 348
     macro description ip_phone_desktop
     !next command is internal.
     macro auto smartport dynamic_type ip_phone_desktop
    but when I show voice vlan,
    it shows:
    =====================================
    1ASW01#show voice vlan                        
    Administrate Voice VLAN state is auto-triggered
    Operational Voice VLAN state is auto-enabled
    Best Local Voice VLAN-ID is 212
    Best Local VPT is 5 (default)
    Best Local DSCP is 46 (default)
    Agreed Voice VLAN is received from switch 34:62:88:73:05:c9
    Agreed Voice VLAN priority is  0 (active static source)
    Agreed Voice VLAN-ID is 216
    Agreed VPT is 5
    Agreed DSCP is 46
    Agreed Voice VLAN Last Change is 03-May-13 05:06:31
    =====================================
    I don't know why VLAN 216 became the voice VLAN?
    I've tried modifying the macro built-in parameters,
    macro auto built-in parameters ip_phone $native_vlan 348
    macro auto built-in parameters ip_phone_desktop $native_vlan 348
    but the system could not modify the $voice_vlan value.
    How do I fix it?

    Hi Skywings,
    So I am guessing the above output is after the change, right? If this is true it looks like something went wrong during the configuration process. The Auto Voice VLAN process has two main phases, where the first one is related to communication between switches and other Cisco infrastructure devices and synchronizing the Voice VLAN ID. The second phase is related to identifying the end device as a phone. What I can see in your case is that the first phase is failing somehow, since the voice VLAN ID is different from the locally configured one. Can you share with me your running and also startup config plus CDP neighbours? You may use private message.
    Regards,
    Aleksandra
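A check for the mismatch discussed in this thread, as an added Python example that is not from either poster or from Cisco: it parses the `show voice vlan` output quoted in the question and reports when the agreed voice VLAN differs from the local one and which switch it was learned from. The function names and the `trusted_switches` allow-list are assumptions of this example.

```python
import re

# "show voice vlan" output as posted in the question above.
SHOW_VOICE_VLAN = """\
Administrate Voice VLAN state is auto-triggered
Operational Voice VLAN state is auto-enabled
Best Local Voice VLAN-ID is 212
Best Local VPT is 5 (default)
Best Local DSCP is 46 (default)
Agreed Voice VLAN is received from switch 34:62:88:73:05:c9
Agreed Voice VLAN priority is  0 (active static source)
Agreed Voice VLAN-ID is 216
Agreed VPT is 5
Agreed DSCP is 46
Agreed Voice VLAN Last Change is 03-May-13 05:06:31
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"


def parse_fields(text):
    """Split each 'Key is value' line at the first ' is '; skip other lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" is ")
        if sep:
            fields[key] = value.strip()
    return fields


def check_agreement(text, trusted_switches=()):
    """Compare the local voice VLAN with the one Auto Voice VLAN agreed on.

    trusted_switches is a hypothetical allow-list of peer MACs (lower case).
    """
    f = parse_fields(text)
    local = f.get("Best Local Voice VLAN-ID")
    agreed = f.get("Agreed Voice VLAN-ID")
    peer = re.search(rf"received from switch ({MAC})",
                     f.get("Agreed Voice VLAN", ""), re.I)
    source = peer.group(1).lower() if peer else None
    alerts = []
    if local is None or agreed is None:
        alerts.append("voice VLAN fields missing from output")
    elif local != agreed:
        alerts.append(f"agreed voice VLAN {agreed} differs from local {local}")
    if source and source not in trusted_switches:
        alerts.append(f"voice VLAN learned from unlisted switch {source}")
    return {"local": local, "agreed": agreed, "source": source, "alerts": alerts}


if __name__ == "__main__":
    print(check_agreement(SHOW_VOICE_VLAN))
```

Run against output collected from every access switch, this shows quickly which neighbour supplied a voice VLAN that the local configuration did not ask for.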

  • Voice VLAN config with multiple IP Phone systems

    We currently have a legacy TDM ACD system used by the Call Centre running alongside CUCM 8.5 which is used by back office and admin staff.
    When we implemented the Call Manager we configured all our access ports with the Voice VLAN to make any office moves and changes straight forward, regardless of whether or not the position would have a Cisco phone i.e. a cisco phone could be plugged into any floor port throughout the building and it would register.
    Currently I am in the planning stages of replacing the legacy ACD system with Avaya Aura which will be running side by side with CUCM. My concern is that every time there are office moves, the access ports are going to have to be reconfigured to the Voice VLAN of the relevant system depending on which type of phone is at that desk.
    Has anyone had similar experiences and found a solution?
    Not ideal I presume, but was wondering if we could use the same Voice VLAN for both systems?

    It's just a VLAN. Don't sweat it, stick them all in the same one. Nothing will explode.
    Each phone system will have its own way of locating the call processor.
    CUCM = DHCP Option 150
    Mitel = Some other DHCP option (128-130, and some others)
    Avaya = DHCP option 176
    etc...
    So you can set all these on your scope, and each phone type will find its server...
    Aaron

  • Cat 3750 with Voice VLAN and Dynamic VLANs

    Morning,
    Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
    Is a RADIUS server able to provide values to change the native vlan?
    Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
    Thanks,

    Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access vlan - so in 2950 or above the only config you need is:
    interface FastEthernet0/1
    switchport
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This is effectively the same as:
    interface FastEthernet0/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,100
    The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
    With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
    QoS is not detailed anywhere here and that obviously plays an important role with voice.
    In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PCs (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non 802.1x capable devices). This seems to me more of a VMPS application.
    Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
    HTH
    Andy

  • Dot1x with voice vlan

    Hi guys,
    Recently I have configured the dot1x security feature on the Cisco c3650x switches with IOS 15.2(1)E. But when I added voice vlan to the port, the IP phone can't register.
    My switch port configuration as below:
    interface GigabitEthernet0/47
    switchport mode access
    switchport voice vlan 60
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 1
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    authentication event fail action authorize vlan 203
    authentication event no-response action authorize vlan 203
    authentication host-mode multi-host
    authentication port-control auto
    mls qos trust device cisco-phone
    mls qos trust cos
    macro description USER
    dot1x pae authenticator
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQoS-Police-CiscoPhone
    Guys, please advise: is there any other feature that should be activated on the switch to resolve this issue? I did all the configuration following the Cisco documents.
    BR
    Rashad

    duplicate post: https://supportforums.cisco.com/thread/2248853?tstart=0

  • SG300 voice vlan problem with UC520

    Hi Forumers'
    My problem statement:
    - refer to the attached topology.png, this is what my network structure looks like
    - the IP phone cannot get connected after boot, so it can't download the XML config file from the UC520. I suspect a switching problem.
    - my configuration is shown in topology.png and my voice VLAN config is shown in voice vlan setting.png
    - My requirement is for a single SG300 switchport to carry the data VLAN and the voice VLAN.
    - which trunking mode should I configure for the voice VLAN with an IP phone + data? Is it switchport voice vlan vvid, switchport voice vlan dot1p, switchport voice vlan untagged or switchport voice vlan none to suit the above requirement?
    thanks
    Noel

    Hello Noel,
    Sorry for the late reply, things have been quite hectic around here lately.
    1. Why use trunk? The UC520 only has the voice VLAN (VLAN 20)
    Do you mean that the data VLAN is handled by another device? Still, I would leave it as a trunk in order to be able to manage the UC through the data VLAN. (Unless for security or other reasons you would choose otherwise, of course)
    2. The UC520 has CUE (voice messaging), how should I design the service module uplink to the core switch?
    Nothing in particular has to be done for this, CUE is handled and routed inside the UC520, the CUE VLAN (default ID = 90) is only used if you have another CUE in the network
    1. I guess I did this: switchport tagged vlan 20, untagged vlan 10. Is this setting OK?
    If the Voice VLAN on the switch and on the UC520 has been defined as VLAN 20 (default = VLAN 100) this is perfect. Verify that the voice VLAN ID is set to 20 on both the UC and the switch.
    1. So if I just point the phone to VLAN 20 (the voice VLAN), should I create the LLDP network policy?
    If you are ready to configure the VLAN manually on the phone, you don't need the LLDP policy, that is correct.
    The LLDP policy is being used for having the phones automatically choose the VLAN you defined, so you don't need to set it manually.
    Hope this answers your questions ?
    Best regards,
    Nico Muselle
    Sr. Network Engineer - CCNA

  • PVLANS used with Voice VLAN's

    Hi,
    I am working on a LAN Design that incorporates both Voice and Data and wondered if it is possible to have a switchport configured to be private VLAN and have a Voice VLAN configured as well?
    Thanks

    No, according to the configuration guide on Private vlans:
    Do not configure private VLAN ports on interfaces configured for these other features:
    • Port Aggregation Protocol (PAgP)
    • Link Aggregation Control Protocol (LACP)
    • Voice VLAN
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm
    Please rate all posts.

  • 802.1x, voice vlan and IP phone

    Hi, I reviewed many posts here, and I still need the clarification how 802.1x on the switch works with non-Cisco IP phone (not supporting CDP) and PC connected to the PC port. If I configure 802.1x on a switch port, along with access and voice vlan, next I configure the static voice vlan on the non-Cisco phone, will it be possible to authenticate the user on the PC and bypass authentication for IP phone? Is CDP required in such scenario - (non-Cisco IP phone doesn't support it)?
    Regards,
    Krzysztof

    You need CDP for touchless interop. CDP can of course be spoofed though, so proceed with caution anyway.
    You need multi-domain authentication to appropriately deal with non-Cisco phones and port-based access-control. See here to get started:
    <http://www.cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a008077a284.html#wp1231964>
    Hope this helps,
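The port-level conditions raised in the 802.1x threads on this page (a voice VLAN on a port with no 802.1X, `multi-host` on the port in the "Dot1x with voice vlan" thread, and the multi-domain authentication recommended in the reply above), as an added Python audit sketch that is not code from any poster or from Cisco. The rule set and the function names are this example's assumptions; Gi0/47 is trimmed from the thread and the other two ports are constructed.

```python
import re

# Gi0/47 is from the "Dot1x with voice vlan" thread (trimmed); the rest is constructed.
SAMPLE = """\
interface GigabitEthernet0/47
switchport voice vlan 60
authentication event fail action authorize vlan 203
authentication host-mode multi-host
authentication port-control auto
interface GigabitEthernet0/1
switchport voice vlan 100
interface GigabitEthernet0/2
switchport voice vlan 100
authentication host-mode multi-domain
authentication port-control auto
"""

# Host modes that give each device its own session (this example's rule set).
PER_DEVICE_MODES = {"multi-domain", "multi-auth"}
FALLBACK = r"^authentication event (\S+) action authorize vlan (\d+)$"


def parse_ports(config):
    """Group command lines under the preceding 'interface' line."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line in ("!", "exit"):
            current = None
        elif line and current is not None:
            current.append(line)
    return ports


def audit(config):
    """Return {port: [findings]} for every port that carries a voice VLAN."""
    report = {}
    for name, lines in parse_ports(config).items():
        text = "\n".join(lines)
        voice = re.search(r"^switchport voice vlan (\d+)$", text, re.M)
        if not voice:
            continue
        mode = re.search(r"^authentication host-mode (\S+)$", text, re.M)
        mode = mode.group(1) if mode else "single-host"  # IOS default
        findings = []
        if "authentication port-control auto" not in lines:
            findings.append(f"voice VLAN {voice.group(1)} on a port with no 802.1X")
        elif mode not in PER_DEVICE_MODES:
            findings.append(f"host-mode {mode}: phone and PC not authenticated separately")
        for kind, vlan in re.findall(FALLBACK, text, re.M):
            findings.append(f"{kind} falls back to VLAN {vlan}")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE)` returns an empty list for Gi0/2 and findings for the other two ports; feed it the interface section of a saved running-config to review every voice-enabled port at once.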
