Voice VLANs - Best practices

Hello --
We're starting an IPT project that will involve multiple access VLANs for different organizational groups. That said, should we also create multiple voice VLANs per group/building or will one flat VLAN work for voice? The backbone is GigE, so we aren't too concerned about bandwidth.
What are the pros and cons, and best practices that the community has seen?
Please let me know.
Thanks,
OOU

I have some documents explaining how to understand and configure voice VLANs. I believe these documents will be helpful for you.
http://www.cisco.com/en/US/products/hw/switches/ps5213/products_configuration_guide_chapter09186a00801ce02c.html
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde84.html
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf35.html

Similar Messages

  • VLAN Best Practices

    We've just upgraded our wireless infrastructure and streamlined our SSIDs from five (5) to three (3) - Corporate, Guest and Voice. In regards to VLANs, should all Corporate devices (Notebooks, Tablets, Smartphones) be included in one (1) VLAN or should we create three (3) separate VLANs, one per device type? What are the best practices? My concern with having one VLAN with all Corporate devices is the number of devices in the same VLAN and the impact of having Tablets (iPads, Androids) and Smartphones on the same VLAN in terms of network traffic (broadcast, Bonjour, etc.). Any comments or suggestions would be greatly appreciated.

    Thanks for the quick reply Stephen! This is somewhat how we have our environment set up. We have an 802.1x SSID and depending on your AD credentials and device type you're dynamically pushed to a VLAN. What I'm questioning is how many VLANs I should have. We are a Community College and have corporate or college-owned notebooks, tablets and smartphones, and we also have student-owned notebooks, tablets and smartphones. Not sure if I should create 6 VLANs and then apply ACLs based on the VLAN, or if this is overkill. Or have 3 VLANs, one per device type, so corporate and student notebooks would be in the same VLAN, corporate and student tablets would be in the same VLAN, and finally corporate and student smartphones would be in the same VLAN, and then use dACLs to differentiate access. Or finally, create two VLANs, one for corporate devices and one for student devices, and again use dACLs to differentiate access. Not sure what the pros and cons are for these different scenarios.
    Sent from Cisco Technical Support iPhone App

  • VLAN Best Practice For IT Computers

    In an environment with basic VLANs (Servers, network infrastructure, workstations, IoT devices, wireless), is it commonly perceived as better to place IT workstations (around 6 or so) in their own VLAN?
    I suppose I am debating whether to create access control rules for a single IT VLAN or to stick them elsewhere and possibly have to create the same rules for each separate machine if the VLAN they're in does not share the same rules. Initially all our VLANs will be without access control rules but will be dialed down incrementally, with testing. Maybe that doesn't make sense...
    Where do others find IT workstations fit best, in their own VLAN or tucked away elsewhere (and with what)?
    This topic first appeared in the Spiceworks Community

  • Spanning Tree MST per Vlan, best practice

    Hi Community.
    I did the following MST Spanning Tree config:
    spanning-tree mst configuration
      name xxxxxxx
      revision 1
      instance 1 vlan 1, 10-20, 25, 30
    So I added every VLAN which we use to the config. But every time I add one more VLAN to the config, the whole network gets a little outage.
    I see lots of MAC flaps on ports with two server links, and the outage lasts for some seconds.
    Is it better practice to add all possible VLANs to the config, so I do the config like this:
      instance 1 vlan 1-4096
    What do you think?
    Best Regards, Patrick

    Hi,
    So I added every VLAN which we use to the config. But every time I add one more VLAN to the config, the whole network gets a little outage.
    Correct, that is normal behavior with MST.
    I would just add "instance 1 vlan 1-4094" this way there is no outage when you bring up a new vlan.
    HTH

  • Vlan best practice?

    Hello
    I have two 3560's that I have to monitor but won't physically be on my network. I VLAN'd these switches so that one port would be separated strictly so I could uplink them with my physical network for SMTP and monitoring.
    My question is what port settings are best for this one port that goes back to my network? I would assume that, technically being a trunk, the port should be switchport mode trunk and not access?
    Funny thing is that when I set it as trunk and plug it in, I see a topology change propagate out, whereas when it's set for switchport mode access I do not. STP is running in PVST.
    port stats are as follows
    switchport access vlan 2
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast
    I'm confused as to why this mode would cause the topology changes.
    thanks
    Eric

    Hi,
    You have configured a port as access VLAN 2, and also the same port as a trunk port.
    Note: Trunk ports are supposed to carry all VLANs, not a single VLAN.
    If you are using only a single VLAN, a trunk port can be used to connect between a switch and a router. In that case you can use the switch's uplink port as the trunk port.
    eg: int FastEthernet0/24
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast
    Also in router the same:
    #encapsulation dot1q
    Portfast: If a port has portfast enabled, you should connect a device such as a switch/router/bridge into it, but not a system, because a port with portfast enabled will come up immediately even if it goes down, i.e., it skips the initial/listening state during the process and goes directly to the forwarding state.
    If a system is connected to a port with portfast enabled, an STP loop may form and network congestion may occur.
    Hope this will help you a lot!
    Please rate if this helps you!
    Regards,
    Guru Prasad.R

  • Best practices for 1000v CTRL/PKT/MGT VLANs

    We are getting ready to start testing the 1000v in a lab environment, but have a question about VLAN best practices. The current Cisco 1000v guides indicate the control/packet/management interfaces should all be on the same VLAN. But elsewhere I've seen references to each network type getting its own VLAN. Given the latest release of the 1000v VSM/VEM, what are the real-world best practices for these three interfaces? Would you typically put all three on the same management VLAN used for physical switches?

    You can safely put them on the same vlan. The call to put them on different vlans was in the initial 1.1 release. We changed that view with the 1.2 release and fully support and recommend putting them all on the same vlan. The only requirement now is that we need no more than 100ms latency on the control network.
    louis

  • Best Practices to separate voice and Data vlans

    Hello All .
    I am coming to the community to get some advice on a specific subject.
    One of my customers is currently using VLAN access-lists to isolate its data from its voice VLAN traffic.
    As most of us know, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues they have been looking for a replacement solution consisting of firewalls, but apparently the price of the solution was too high in the sky.
    Can someone guide me towards security best practices when it comes to data and voice VLAN traffic isolation please?
    thanks
    Regards
    T.

    thomas.fayet wrote: Hi again Collin, may I ask you what type of FW / switches / IOS version you are using for this topology? Also, is the media traffic going through your FW if one voice VLAN wants to talk to another voice VLAN? rgds
    Access Switches: 3560
    Distro: 4500 or 6500
    FW: ASA5510 or Juniper SSG 140 (phasing out the Junipers)
    It depends. In the drawing above, no voice traffic would leave the voice enclave until it talks to a remote site. If we add other sites to the drawing, at a minimum call-sig would traverse the firewall and depending on the location of the callers, all voice traffic may cross the firewall. All of that depends on how you have your call managers/vm/voice gateways designed and where the callers are.

  • Questions VLAN design best practices

    As per best practices for VLAN design:
    1) Avoid using VLAN 1 as the “blackhole” for all unused ports.
    2) In the local VLANs model, avoid VTP (use transparent mode).
    Point 1
    In a big network, I'm having VLAN 1 as the blackhole VLAN. I'd like to confirm that, even if we're not complying with best practices, we're still doing fine.
    a) all trunk ports on all switches have the allowed VLANs explicitly assigned.
    b) almost all ports on all switches are assigned to specific data/voice VLANs, even if shut down
    c) the remaining ports (some unused SFP ports for example) are shut down
    d) we always tag the native VLAN (vlan dot1q tag native)
    So, no data is flowing anywhere on VLAN 1. In our situation, is it safe to use VLAN 1 as the blackhole VLAN?
    Point 2
    Even if we're using the local VLANs model, we have VTP in place. What are the reasons for the best practice? As already said, we allow only specific VLANs on trunk ports (it's part of our network policy), so we do not have undesired layer 2 loops to deal with.
    Any thoughts?
    Bye
    Dario

    We are currently using VTP version 3 and migrating from Rapid-PVST to MST.
    The main reason for having VTP in place (at least for us) is to have the ability to assign ports to the correct VLAN in each site simply by looking at the propagated VLAN database, and to manage that database centrally.
    We also avoid using the same VLAN ID at two different sites.
    However, I did find something to look deeper into: with MST and VTP, a remote switch can be root for a VLAN it doesn't even use or has active ports in, and this doesn't feel right.
    An example:
    1) switch1 and switch528 share a link with allowed vlan 100
    2) switch1 is the root for instances 0 and 1
    4) VLAN 100 is assigned to instance 1
    5) VLAN 528 is not assigned to any particular instance so it goes under instance 0
    6) VLAN 528 is the Local Data LAN for switch528 (switch501 has VLAN 501)
    switch528#sh spanning-tree vlan 528
    MST0
      Spanning tree enabled protocol mstp
      Root ID    Priority    24576
                 Address     1c6a.7a7c.af80
                 Cost        0
                 Port        25 (GigabitEthernet1/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
                 Address     1cde.a7f8.4380
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    Gi0/1               Desg FWD 20000     128.1    P2p Bound(PVST)
    Gi0/2               Desg FWD 20000     128.2    P2p Edge
    Gi0/3               Desg FWD 200000    128.3    P2p Edge
    Gi0/4               Desg FWD 200000    128.4    P2p
    Gi0/5               Desg FWD 20000     128.5    P2p Edge
    switch1#sh spanning-tree vlan 501
    MST0
      Spanning tree enabled protocol mstp
      Root ID    Priority    24576
                 Address     1c6a.7a7c.af80
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    24576  (priority 24576 sys-id-ext 0)
                 Address     1c6a.7a7c.af80
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    Should I worry about this?

  • Best Practice - Public VLAN

    Looking for a best practice document for providing a secure, public access/internet only VLAN for both wired, and wireless. Need to provide additional secure access WLAN as well.

    You can create separate VLANs for the guest users. You can assign privileges to the guest users based on the SSID. For more information on how to configure VLANs in a wireless network, read the document available at
    http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804ed724.html#wp1002608

  • Best practice for Wireless ap vlan

    Is there a best practice for grouping lightweight access points in one VLAN or allowing them to be spread across several?

    Whether you have multiple sites or not, it's good practice to put your APs in a separate and dedicated VLAN. 
    If your sites are routed sites, then you can re-use the same VLAN numbers but make sure they are on separate subnets and/or VRF instance.

  • Best Practice VLAN

    Hi All,
    I have got
    1 of Cisco 3560 (EMI) as Core Switch
    1 of Cisco 3560 (SMI) as Server Switch
    10 of Cisco CE500 as workgroup switches
    4 of different brands workgroup switches
    20 Servers
    300 Users
    10 different departments
    My intention is to create VLANs on the 3560 Core Switch such as Server, Finance, Marketing etc.
    and connect the server and workgroup switches to the appropriate ports for their defined VLANs on the 3560 Core switch.
    I don't think I need to run VTP Server on the core switch as I am going to have all VLANs within that switch?
    Or can anyone suggest what the best practice should be in this situation?
    thanks
    Muhammad

    I don't think I need to run VTP Server on the core switch as I am going to have all VLANs within that switch?
    >> Then you need to put VTP in transparent mode, as you cannot create a VLAN on a VTP client. I think maybe what you meant is that you will have all users in a particular switch be in the same VLAN, for example,
    3560 1/1---vlan 5---CE500---users in vlan 5
    In this case you do not need trunking .
    Or can anyone suggest what the best practice should be in this situation?
    >> If your planned set-up is identical to the above, then this is an acceptable set-up and actually quite good for its simplicity.
    Please rate helpful posts.

  • Best practices for Voice over MetroRing

    Hi, We have installed a MetroRing Gigabit Ethernet using 3550 and 6500 Catalyst switches. Today, only data is running, but looking at tomorrow, when voice/video is requested, I am trying to find some best practices for QoS or traffic classification. If you can point me to some of them, that would be great.

    Hi,
    You might also find those useful: " LAN QoS"
    http://www.cisco.com/web/about/ac123/ac147/ac174/ac176/about_cisco_ipj_archive_article09186a00800c83cd.html
    and "Cisco AutoQoS White Paper"
    http://www.cisco.com/en/US/tech/tk543/tk759/technologies_white_paper09186a00801348bc.shtml
    as well as "Configuring QoS" for Catalyst 6500 switches
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007fb2b.html
    The most comprehensive starting point will be: "Quality of Service (QoS)"
    http://www.cisco.com/en/US/tech/tk543/tsd_technology_support_category_home.html
    Did this help?
    Martin

  • Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]

    Dear Folks,
    Kindly suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should I keep them all at default, or change some of them?
    Also, why do we need reauthentication timers? Any benefit to using them? Do they prompt users or are they invisible? And what are the best values, in case we need to use them?
    Thanks,
    Regards,
    Mubasher
    My Interface Configuration is as below;
    interface GigabitEthernet1/34
    switchport access vlan 131
    switchport mode access
    switchport voice vlan 195
    ip access-group ACL-DEFAULT in
    authentication event fail action authorize vlan 131
    authentication event server dead action authorize vlan 131
    authentication event server alive action reinitialize
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    dot1x pae authenticator
    dot1x timeout tx-period 5
    storm-control broadcast level 30.00
    spanning-tree portfast
    spanning-tree bpduguard enable

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10
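    The timer arithmetic in the reply above (3 x tx-period before MAB), as an added example that is not part of the thread: it parses a constructed stanza modelled on the one posted and reports findings against the reply's advice, assuming the IOS defaults of tx-period 30 s and max-reauth-req 2 (the latter is not stated on the page).

```python
import re

# Assumed IOS defaults (not on the page): the first EAP-Request/Identity is
# followed by max-reauth-req retries, each tx-period seconds apart.
DEFAULT_TX_PERIOD = 30
DEFAULT_MAX_REAUTH_REQ = 2
RECOMMENDED_TX_PERIOD = 10   # the value the reply recommends

# Constructed sample modelled on the interface stanza posted in the thread.
SAMPLE_STANZA = """\
interface GigabitEthernet1/34
 switchport access vlan 131
 switchport mode access
 switchport voice vlan 195
 ip access-group ACL-DEFAULT in
 authentication event fail action authorize vlan 131
 authentication event server dead action authorize vlan 131
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 spanning-tree bpduguard enable
"""


def parse_dot1x_timers(stanza):
    """Return (tx_period, max_reauth_req), using IOS defaults when unset."""
    tx, reauth = DEFAULT_TX_PERIOD, DEFAULT_MAX_REAUTH_REQ
    for line in stanza.splitlines():
        line = line.strip()
        m = re.fullmatch(r"dot1x timeout tx-period (\d+)", line)
        if m:
            tx = int(m.group(1))
        m = re.fullmatch(r"dot1x max-reauth-req (\d+)", line)
        if m:
            reauth = int(m.group(1))
    return tx, reauth


def mab_fallback_seconds(tx_period, max_reauth_req=DEFAULT_MAX_REAUTH_REQ):
    """Seconds a silent (non-supplicant) host waits before MAB starts."""
    return (max_reauth_req + 1) * tx_period


def audit_stanza(stanza):
    """Return findings against the reply's advice; an empty list is a pass."""
    lines = {l.strip() for l in stanza.splitlines()}
    tx, reauth = parse_dot1x_timers(stanza)
    delay = mab_fallback_seconds(tx, reauth)
    findings = []
    if tx < RECOMMENDED_TX_PERIOD:
        findings.append(f"tx-period {tx}s is below the recommended "
                        f"{RECOMMENDED_TX_PERIOD}s: MAB begins after {delay}s, "
                        "which can pre-empt slow supplicants")
    elif tx > RECOMMENDED_TX_PERIOD:
        findings.append(f"tx-period {tx}s: non-supplicant devices wait {delay}s "
                        f"for MAB; the reply recommends {RECOMMENDED_TX_PERIOD}s")
    # Open (low-impact) mode relies on an inbound pre-auth ACL to limit what
    # an unauthenticated host can reach; flag its absence.
    if "authentication open" in lines and not any(
            l.startswith("ip access-group ") and l.endswith(" in") for l in lines):
        findings.append("open mode without an inbound pre-auth ACL: traffic flows "
                        "unrestricted before authentication completes")
    return findings
```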

  • Best practice to use PXE on 802.1X network ?

    Hello,
    We use Cisco ISE 1.2.0.899 on our network (we plan to upgrade to 1.3 in some months).
    Our network includes Cisco models 2960S (and some 2960T) for wired and 2602I (with WiSM2) for wireless.
    We have to allow PXE boot on one (or many) VLANs.
    Do you know what the best practice is to use PXE on an 802.1X network?
    Can ISE and/or the switch recognize PXE requests?
    Do we have to use settings/rules in ISE or on the switch?
    Is the easy way to allow PXE on the WebAuth VLAN?
    Regards,
    Chris

    I am in a similar position.
    We would prefer to keep all switch ports common, even those used for imaging from scratch.
    For PXE as far as I can see we need to allow the port to quickly fail 802.1X and MAB to a remediation VLAN.
    Using ISE we can apply an ACL that allows PXE bootp and dhcp requests and responses along with any other traffic we want in that network i.e. access to internet proxy server, anti-virus updates for posturing etc.
    I haven't configured this yet so I'm not sure of what issues we'll face with timing. We currently use an auth pattern of 802.1X first, then MAB, then fail open to the static VLAN. With ISE 1.3 this is the supposed suggested method instead of a hard "closed" mode. 
     switchport access vlan XX
     switchport mode access
     network-policy VV
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan XX
     authentication event server dead action authorize voice
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10

  • Setting up a Test Voice VLAN for Lync 2013

    I want to set up a second voice vlan to be a test vlan.
    In the current situation the customer has voice and data running on VLAN 1. The customer insists on taking incremental steps to improve QoS. I have advocated separate VLANs for voice and data. They just want to move everything (phase 1) to a different VLAN. They want to see how getting all traffic off VLAN 1 will improve their performance. Again, I recommended the best practice; they want to try this approach first.
    I am conducting a pilot test with just one CX600 IP phone and a single switchport. I created a new VLAN 99 using VTP. I configured the switchports on the Cisco 2960-X switch as follows.
    #switchport mode access
    #switchport access vlan 99
    The phone gets its correct VLAN ID, and pulls its IP from the correct DHCP scope. However, the phone displays "connecting with the Lync server" for a long time, then "connecting to download its certificates". This takes a long time and then fails.
    If I change the switchport back to VLAN 1 it works fine. What can the problem be? Does VLAN 99 need to be defined on the Lync server? How many VLANs can be supported by Lync 2013?
    Thank you,
    gigiu

    Did you set the VLAN Configuration for Lync Phone Edition?
    You can check the following links:
    http://blog.schertz.name/2011/01/manual-vlan-configuration-for-lync-phone-edition/
    http://www.bricomp.com/blogs/post.cfm/dedicated-voice-vlan-for-lync-devices
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Lisa Zheng
    TechNet Community Support
