Voice VLANs - Best practices
Hello --
We're starting an IPT project that will involve multiple access VLANs for different organizational groups. That said, should we also create multiple voice VLANs per group/building or will one flat VLAN work for voice? The backbone is GigE, so we aren't too concerned about bandwidth.
What are the pros and cons, and best practices that the community has seen?
Please let me know.
Thanks,
OOU
I have some documents explaining how to understand and configure voice VLANs. I believe these documents will be helpful for you.
http://www.cisco.com/en/US/products/hw/switches/ps5213/products_configuration_guide_chapter09186a00801ce02c.html
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde84.html
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf35.html
Similar Messages
-
We've just upgraded our wireless infrastructure and streamlined our SSIDs from five (5) to three (3): Corporate, Guest and Voice. Regarding VLANs, should all Corporate devices (notebooks, tablets, smartphones) be included in one (1) VLAN, or should we create three (3) separate VLANs, one per device type? What are the best practices? My concern with having one VLAN with all Corporate devices is the number of devices in the same VLAN and the impact of having tablets (iPads, Androids) and smartphones on the same VLAN in terms of network traffic (broadcast, Bonjour, etc.). Any comments or suggestions would be greatly appreciated.
Thanks for the quick reply Stephen! This is somewhat how we have our environment set up. We have an 802.1X SSID and, depending on your AD credentials and device type, you're dynamically pushed to a VLAN. What I'm questioning is how many VLANs I should have. We are a community college and have corporate or college-owned notebooks, tablets and smartphones, and we also have student-owned notebooks, tablets and smartphones. Not sure if I should create 6 VLANs and then apply ACLs based on the VLAN, or if that is overkill. Or have 3 VLANs, one per device type, so corporate and student notebooks would be in the same VLAN, corporate and student tablets would be in the same VLAN, and corporate and student smartphones would be in the same VLAN, and then use dACLs to differentiate access. Or finally, create two VLANs, one for corporate devices and one for student devices, and again use dACLs to differentiate access. Not sure what the pros and cons are for these different scenarios.
-
VLAN Best Practice For IT Computers
In an environment with basic VLANs (Servers, network infrastructure, workstations, IoT devices, wireless), is it commonly perceived as better to place IT workstations (around 6 or so) in their own VLAN?
I suppose I am debating whether to create access control rules for a single IT VLAN or to stick them elsewhere and possibly have to create the same rules for each separate machine if the VLAN they're in does not share the same rules. Initially all our VLANs will be without access control rules but will be dialed down incrementally, with testing. Maybe that doesn't make sense...
Where do others find IT workstations fit best, in their own VLAN or tucked away elsewhere (and with what)?
This topic first appeared in the Spiceworks Community. -
Spanning Tree MST per Vlan, best practice
Hi Community.
I did the following MST Spanning Tree Config
spanning-tree mst configuration
name xxxxxxx
revision 1
instance 1 vlan 1, 10-20, 25, 30
So I added every VLAN we use to the config. But every time I add one more VLAN to the config, the whole network gets a short outage.
I see lots of MAC flaps on ports with two server links, and the outage lasts a few seconds.
Is it better practice to add all possible VLANs to the config, so that I do the config like this:
instance 1 vlan 1-4096
What do you think?
Best Regards, patrick
Hi,
So I added every VLAN we use to the config. But every time I add one more VLAN to the config, the whole network gets a short outage.
Correct, that is normal behavior with MST.
I would just add "instance 1 vlan 1-4094"; this way there is no outage when you bring up a new VLAN.
HTH -
Hello
I have two 3560s that I have to monitor but that won't physically be on my network. I VLAN'd these switches so that one port would be separated strictly so I could uplink them to my physical network for SMTP and monitoring.
My question is: what port settings are best for this one port that goes back to my network? I would assume that, technically being a trunk, the port should be switchport mode trunk and not access.
Funny thing is that when I set it as a trunk and plug it in, I see a topology change propagate out, whereas when it's set for switchport mode access I do not. STP is running in PVST.
Port settings are as follows:
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
I'm confused as to why this mode would cause the topology changes.
thanks
Eric
Hi,
You have configured a port for access VLAN 2 and also configured the same port as a trunk port.
Note: trunk ports are supposed to carry all VLANs, not a single VLAN.
If you are using only a single VLAN, a trunk port can be used to connect a switch and a router. In that case you can use the switch's uplink port as the trunk port.
e.g.: interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
Also on the router, the same:
#encapsulation dot1q
Portfast: if a port has portfast enabled, you should connect a device such as a switch/router/bridge to it, not a system, because portfast makes the port come up immediately even if it goes down, i.e. it skips the initial/listening state during the process and goes directly to forwarding.
If a system is connected to a port with portfast enabled, an STP loop may form and network congestion may occur.
Hope this helps!
Please rate if this helped you.
Regards,
Guru Prasad.R -
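Added example, not from either poster above: the port roles as Cisco's own STP documentation describes them, with assumed interface numbers and VLANs. PortFast belongs on ports facing end stations (it skips listening and learning), and BPDU Guard is what protects such a port if a switch is plugged into it anyway. On a port in trunk mode the plain `spanning-tree portfast` command is ignored; `spanning-tree portfast trunk` is the form that applies there, and Cisco documents it for trunks to hosts, not to other switches. That is why a trunk uplink still walks through listening and learning and raises a topology change when it reaches forwarding, while the same port in access mode with PortFast does not.

```cisco
! Uplink that carries the management/monitoring VLAN back to the main network.
! No PortFast here: the far end is a switch, so let STP converge normally and
! expect a single topology change when the link first comes up.
interface GigabitEthernet0/24
 description Uplink to monitoring network (assumed)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
! Ports facing servers or workstations: PortFast skips listening/learning so the
! host gets link immediately, and BPDU Guard err-disables the port if a switch
! or bridge is ever plugged in instead of a host.
interface range GigabitEthernet0/2 - 22
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! If a host genuinely needs a dot1q trunk (a hypervisor, for example), PortFast
! needs the explicit trunk keyword; plain "spanning-tree portfast" does nothing
! on a port operating in trunk mode.
interface GigabitEthernet0/23
 description Trunk to a host, not to a switch (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
```

The trunk uplink is the only port here on which a topology change is expected, and only once when it first comes up; if `show spanning-tree detail` keeps reporting changes from it afterwards, something on the far side is flapping.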
Best practices for 1000v CTRL/PKT/MGT VLANs
We are getting ready to start testing the 1000v in a lab environment, but have a question about VLAN best practices. The current Cisco 1000v guides indicate the control/packet/management interfaces should all be on the same VLAN. But elsewhere I've seen references to each network type getting its own VLAN. Given the latest release of the 1000v VSM/VEM, what are the real-world best practices for these three interfaces? Would you typically put all three on the same management VLAN used for physical switches?
You can safely put them on the same VLAN. The call to put them on different VLANs was in the initial 1.1 release. We changed that view with the 1.2 release and fully support and recommend putting them all on the same VLAN. The only requirement now is no more than 100 ms latency on the control network.
louis -
Best Practices to separate voice and Data vlans
Hello All .
I am coming to the community to get some advice on a specific subject.
One of my customers is currently using VLAN access-lists to isolate its data VLAN traffic from its voice VLAN traffic.
As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of that solution was sky high.
Can someone guide me towards security best practices when it comes to data and voice vlan traffic isolation please ?
thanks
Regards
T.
thomas.fayet wrote: Hi again Collin, may I ask you what type of FW / switches / IOS version you are using for this topology? Also, is the media traffic going through your FW if one voice VLAN wants to talk to another voice VLAN? Rgds
Access Switches: 3560
Distro: 4500 or 6500
FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)
It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are. -
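Added example covering both this thread and the voice-VLAN question at the top of the page; it is neither the customer's configuration nor Collin's, and the VLAN numbers, subnets and server addresses are assumed. The idea is to give each building its own voice VLAN and subnet, carry the phone and the PC on the same access port, and enforce the voice/data boundary once, on the distribution SVIs with router ACLs, instead of maintaining VACLs on every mobile access port. Only call signalling to the call manager, RTP between phone subnets and the phone's boot services are allowed out of the voice space, and the data VLANs cannot initiate anything toward it.

```cisco
! Access port: the PC sits untagged in the data VLAN, the phone tags its own
! traffic into the voice VLAN it learns via CDP/LLDP-MED. No VACL on the port.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 110
 switchport voice vlan 210
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Distribution-layer ACLs. Voice subnets are 10.20.0.0/16 (one /24 per building),
! data subnets are 10.10.0.0/16; call manager, TFTP and DNS addresses are assumed.
ip access-list extended VOICE-IN
 remark phones -> call control (SCCP 2000, SIP 5060)
 permit tcp 10.20.0.0 0.0.255.255 host 10.1.1.10 eq 2000
 permit tcp 10.20.0.0 0.0.255.255 host 10.1.1.10 eq 5060
 permit udp 10.20.0.0 0.0.255.255 host 10.1.1.10 eq 5060
 remark phones -> phones: RTP media across every voice subnet (Cisco default range)
 permit udp 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255 range 16384 32767
 remark boot services: DHCP (relayed by the SVI), config download, name resolution
 permit udp any eq bootpc any eq bootps
 permit udp 10.20.0.0 0.0.255.255 host 10.1.1.20 eq tftp
 permit udp 10.20.0.0 0.0.255.255 host 10.1.1.30 eq domain
 remark everything else from the voice space, data VLANs included, is dropped
 deny   ip any any log
!
ip access-list extended DATA-IN
 remark workstations never initiate into the voice space
 deny   ip any 10.20.0.0 0.0.255.255 log
 permit ip any any
!
! One SVI pair per building; the same two ACLs are reused on each of them.
interface Vlan210
 description Voice VLAN, building A (assumed)
 ip address 10.20.10.1 255.255.255.0
 ip helper-address 10.1.1.40
 ip access-group VOICE-IN in
!
interface Vlan110
 description Data VLAN, building A (assumed)
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.1.1.40
 ip access-group DATA-IN in
```

Two checks before relying on this. `show ip access-lists VOICE-IN` hit counters tell you what the phones actually need (NTP and HTTP to the call manager are common additions). And a router ACL only sees routed traffic: a PC that sends its own 802.1Q frames tagged with the voice VLAN on the access port lands in that VLAN without ever crossing the SVI, so the port itself still needs a control such as 802.1X in multi-domain host mode if that is a threat you care about.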
Questions VLAN design best practices
As per best practices for VLAN design:
1) Avoid using VLAN 1 as the “blackhole” for all unused ports.
2) In the local VLANs model, avoid VTP (use transparent mode).
Point 1
In a big network, I'm using VLAN 1 as the blackhole VLAN. I'd like to confirm that, even if we're not complying with best practices, we're still doing fine.
a) all trunk ports on all switches have the allowed vlans explicitly assigned.
b) almost all ports on all switches are assigned to specific data/voice VLANs, even if shut down
c) the remaining ports (some unused SFP ports, for example) are shut down
d) we always tag the native vlan (vlan dot1q tag native)
So no data is flowing anywhere on VLAN 1. In our situation, is it safe to use VLAN 1 as the blackhole VLAN?
Point 2
Even if we're using the local VLANs model, we have VTP in place. What are the reasons for the best practice? As already said, we allow only specific VLANs on trunk ports (it's part of our network policy), so we do not have undesired layer 2 loops to deal with.
Any thoughts?
Bye
Dario
We are currently using VTP version 3 and migrating from Rapid-PVST to MST.
The main reason for having VTP in place (at least for us) is to have the ability to assign ports to the correct VLAN in each site simply by looking at the propagated VLAN database, and to manage that database centrally.
We also avoid using the same VLAN ID at two different sites.
However, I did find something to look deeper into: with MST and VTP, a remote switch can be root for a VLAN it doesn't even use or have active ports in, and this doesn't feel right.
An example:
1) switch1 and switch528 share a link with allowed VLAN 100
2) switch1 is the root for instances 0 and 1
3) VLAN 100 is assigned to instance 1
4) VLAN 528 is not assigned to any particular instance, so it goes under instance 0
5) VLAN 528 is the local data VLAN for switch528 (switch501 has VLAN 501)
switch528#sh spanning-tree vlan 528
MST0
Spanning tree enabled protocol mstp
Root ID Priority 24576
Address 1c6a.7a7c.af80
Cost 0
Port 25 (GigabitEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 1cde.a7f8.4380
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
Gi0/1 Desg FWD 20000 128.1 P2p Bound(PVST)
Gi0/2 Desg FWD 20000 128.2 P2p Edge
Gi0/3 Desg FWD 200000 128.3 P2p Edge
Gi0/4 Desg FWD 200000 128.4 P2p
Gi0/5 Desg FWD 20000 128.5 P2p Edge
switch1#sh spanning-tree vlan 501
MST0
Spanning tree enabled protocol mstp
Root ID Priority 24576
Address 1c6a.7a7c.af80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24576 (priority 24576 sys-id-ext 0)
Address 1c6a.7a7c.af80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
Should I worry about this? -
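Added example for the two points in Dario's question, with assumed VLAN and interface numbers; this is not his configuration. It keeps the blackhole/native role on an unused VLAN rather than VLAN 1, tags the native VLAN, prunes every trunk explicitly, turns off DTP, parks unused ports, and runs VTP in transparent mode. The reason behind best practice 2 is that a VTP server or client (v1/v2) accepts a VLAN database from any switch in the domain that advertises a higher configuration revision number, so one swapped-in switch can delete VLANs site-wide; VTP version 3 narrows this to the designated primary server, which shrinks the risk but concentrates it in one device. On the MST observation: the root is elected per instance, not per VLAN, so `show spanning-tree vlan 528` simply reports the MST0 (IST) root, and switch1 does not need to carry VLAN 528 for that output to be expected.

```cisco
! Native/blackhole VLAN that carries nothing, and tag the native VLAN anyway so
! an untagged frame arriving on a trunk cannot land in a VLAN with real traffic.
vlan 999
 name BLACKHOLE-NATIVE
vlan dot1q tag native
!
! Management on its own VLAN; VLAN 1 keeps no SVI and no ports.
interface Vlan1
 shutdown
interface Vlan100
 description Switch management (assumed)
 ip address 10.100.0.5 255.255.255.0
!
! Trunks: explicit allowed list, non-default native VLAN, DTP negotiation off.
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-20,100,200
 switchport mode trunk
 switchport nonegotiate
!
! Unused ports: access mode, parked in the blackhole VLAN, shut down.
interface range GigabitEthernet1/2 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Local VLANs model: each switch owns its VLAN database, so a stray switch with
! a higher revision number cannot overwrite it.
vtp mode transparent
vtp domain SITE-A
```

Verify with `show interfaces trunk` (no trunk should list VLAN 1 or VLAN 999 as allowed and active) and `show vtp status` (mode transparent, and the revision number no longer matters).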
Looking for a best practice document for providing a secure, public access/internet only VLAN for both wired, and wireless. Need to provide additional secure access WLAN as well.
You can create separate VLANs for the guest users. You can assign privileges to the guest users based on the SSID. For more information on how to configure VLANs in a wireless network, read the document available at
http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804ed724.html#wp1002608 -
Best practice for Wireless ap vlan
Is there a best practice for grouping lightweight access points in one VLAN or allowing them to be spread across several?
Whether you have multiple sites or not, it's good practice to put your APs in a separate and dedicated VLAN.
If your sites are routed sites, then you can re-use the same VLAN numbers but make sure they are on separate subnets and/or VRF instance. -
Hi All,
I have got
1 of Cisco 3560 (EMI) as Core Switch
1 of Cisco 3560 (SMI) as Server Switch
10 of Cisco CE500 as workgroup switches
4 of different brands workgroup switches
20 Servers
300 Users
10 different departments
My intention is to create VLANs on the 3560 core switch such as Server, Finance, Marketing, etc.
and connect the server and workgroup switches to the appropriate ports for their defined VLANs on the 3560 core switch.
I don't think I need to run VTP server on the core switch, as I am going to have all VLANs within that switch?
Or Can anyone suggest what should be the best practice in this situation.
thanks
Muhammad
I don't think I need to run VTP server on the core switch, as I am going to have all VLANs within that switch?
>> Then you need to put VTP in transparent mode, as you cannot create a VLAN on a VTP client. I think maybe what you meant is that you will have all users on a particular switch in the same VLAN, for example,
3560 1/1---vlan 5---CE500---users in vlan 5
In this case you do not need trunking.
Or can anyone suggest what should be the best practice in this situation?
>> If your planned set-up is identical to the above, then this is an acceptable set-up, and actually quite good for its simplicity.
Please rate helpful posts. -
Best practices for Voice over MetroRing
Hi, We have installed a MetroRing Gigabit Ethernet using 3550 and 6500 Catalyst switches. Today only data is running, but looking at tomorrow, when voice/video is requested, I am trying to find some best practices for QoS or traffic classification. If you can point me to some of them, that would be great.
Hi,
You might also find those useful: " LAN QoS"
http://www.cisco.com/web/about/ac123/ac147/ac174/ac176/about_cisco_ipj_archive_article09186a00800c83cd.html
and "Cisco AutoQoS White Paper"
http://www.cisco.com/en/US/tech/tk543/tk759/technologies_white_paper09186a00801348bc.shtml
as well as "Configuring QoS" for Catalyst 6500 switches
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007fb2b.html
The most comprehensive starting point will be: "Quality of Service (QoS)"
http://www.cisco.com/en/US/tech/tk543/tsd_technology_support_category_home.html
Did this help?
Martin -
Dear Folks,
Kindly suggest the best recommended values for the timers in 802.1X (EAP-TLS). Should I keep all the defaults, or change some of them?
Also, why do we need reauthentication timers? Is there any benefit to using them? Do they prompt users or stay invisible? And what are the best values, in case we need to use them?
Thanks,
Regards,
Mubasher
My interface configuration is as below:
interface GigabitEthernet1/34
switchport access vlan 131
switchport mode access
switchport voice vlan 195
ip access-group ACL-DEFAULT in
authentication event fail action authorize vlan 131
authentication event server dead action authorize vlan 131
authentication event server alive action reinitialize
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level 30.00
spanning-tree portfast
spanning-tree bpduguard enable
Hello Mubashir,
Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
Configure the tx-period timer.
C3750X(config-if-range)#dot1x timeout tx-period 10 -
Best practice to use PXE on 802.1X network ?
Hello,
We use Cisco ISE 1.2.0.899 on our network (we plan to upgrade to 1.3 in some months).
Our network includes Cisco 2960S (and some 2960T) models for wired and 2602I (with WiSM2) for wireless.
We have to allow PXE boot on one (or many) VLAN.
Do you know what's the best practice to use PXE on a 802.1X network ?
Can ISE and/or the switch recognize PXE requests?
Do we have to use settings/rules in ISE or on the switch?
Is the easy way to allow PXE on the WebAuth VLAN?
Regards,
Chris
I am in a similar position.
We would prefer to keep all switch ports common, even those used for imaging from scratch.
For PXE as far as I can see we need to allow the port to quickly fail 802.1X and MAB to a remediation VLAN.
Using ISE we can apply an ACL that allows PXE bootp and dhcp requests and responses along with any other traffic we want in that network i.e. access to internet proxy server, anti-virus updates for posturing etc.
I haven't configured this yet, so I'm not sure what issues we'll face with timing. We currently use an auth pattern of 802.1X first, then MAB, then fail open to the static VLAN. With ISE 1.3 this is supposedly the suggested method instead of a hard "closed" mode.
switchport access vlan XX
switchport mode access
network-policy VV
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan XX
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10 -
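Added example, not Chris's or the replier's configuration: the contents of a pre-authentication ACL such as ACL-ALLOW for open-mode ports that must PXE-boot, with assumed server addresses and the port template from this thread. Two details matter for PXE specifically. The client has no address when it sends DHCP, so the DHCP line must match any source. And TFTP only begins on UDP 69: the server answers from an ephemeral port and the client's data ACKs go to that port, so a rule limited to `eq tftp` lets the first request through and then drops the transfer. Because the ACL is applied inbound on the port, it only filters what the client sends; replies from the servers are not subject to it. With the default `dot1x max-reauth-req 2`, the switch gives up on 802.1X after (2 + 1) x tx-period = 30 s and falls through to MAB, which is the 3 x tx-period figure quoted in the timers thread above.

```cisco
! Pre-authentication ACL for open-mode ports. Until 802.1X/MAB completes, only
! what a PXE client needs is allowed; the dACL ISE pushes afterwards replaces it.
! 10.1.5.10 (deployment server) and 10.1.5.20 (DNS) are assumed addresses.
ip access-list extended ACL-ALLOW
 remark DHCP: the client has no address yet, so the source must be "any"
 permit udp any eq bootpc any eq bootps
 remark TFTP: not "eq tftp" only; the data phase goes to the server's ephemeral port
 permit udp any host 10.1.5.10
 remark image transfer from the same server over HTTP(S) and SMB (assumed ports)
 permit tcp any host 10.1.5.10 eq 80
 permit tcp any host 10.1.5.10 eq 443
 permit tcp any host 10.1.5.10 eq 445
 remark name resolution
 permit udp any host 10.1.5.20 eq domain
 remark anything else waits for the dACL; log it so unexpected needs show up
 deny   ip any any log
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 131
 switchport voice vlan 195
 ip access-group ACL-ALLOW in
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 131
 authentication event server dead action authorize voice
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 ! (max-reauth-req + 1) x tx-period = 3 x 10 s before MAB starts
 dot1x max-reauth-req 2
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Note that in multi-domain mode the same pre-auth ACL applies to the phone before it authenticates, so if the phones load their configuration from a different TFTP server than the PXE deployment server, that server needs its own line. `show ip access-lists ACL-ALLOW` hit counters, and the log entries from the final deny, are the quickest way to see what a booting client tried and was refused.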
Setting up a Test Voice VLAN for Lync 2013
I want to set up a second voice vlan to be a test vlan.
In the current situation the customer has voice and data running on VLAN 1. The customer insists on taking incremental steps to improve QoS. I have advocated separate VLANs for voice and data. They just want to move everything (phase 1) to a different VLAN. They want to see how getting all traffic off VLAN 1 will improve their performance. Again, I recommended the best practice; they want to try this approach first.
I am conducting a pilot test with just one CX600 IP phone and a single switchport. I created a new VLAN 99 using VTP. I configured the switchport on the Cisco 2960-X switch as follows.
#switchport mode access
#switchport access vlan 99
The phone gets its correct vlan id, and pulls its IP from the correct dhcp scope. However the phone displays "connecting with the lync server" for a long time, then "connecting to download its certificates". This takes a long time then fails.
If I change the switchport back to vlan1 it works fine. What can be the problem? Does the vlan99 need to be defined on the lync server? How many vlans can be supported by Lync 2013?
Thank you,
gigiu
Did you set the VLAN configuration for Lync Phone Edition?
You can check the following links:
http://blog.schertz.name/2011/01/manual-vlan-configuration-for-lync-phone-edition/
http://www.bricomp.com/blogs/post.cfm/dedicated-voice-vlan-for-lync-devices
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Lisa Zheng
TechNet Community Support