From: Chris Lewis (chrlewis) (chrlewis@cisco.com)
Date: Mon Jun 27 2005 - 21:28:19 GMT-3
I am digging around internally to get the answers to these questions and
will post when I get them.
Chris
________________________________
From: gladston@br.ibm.com [mailto:gladston@br.ibm.com]
Sent: Monday, June 27, 2005 7:17 PM
To: Chris Lewis (chrlewis)
Cc: ccielab@groupstudy.com; Ed Lui; John Matus
Subject: RE: Voice VLAN - Access ports
Thanks for this invaluable feedback.
Looking at Maurilio's book, page 96, as Chris pointed out:
Would you agree with the author's statement "Ensure...that the native vlan
is 2"?
As I see it, it is not necessary to configure the native vlan (to have vlan
2 for data and vlan 50 for voice). One could leave the native vlan as
default, configure the voice vlan to 50 and the data vlan to 2.
Do you see any reason to configure the native vlan to the same vlan as the
data vlan? (My point is that as the 7960 talks dot1q, it can tag the data vlan
to any value.)
Have you seen voice vlan configured on an access port? (I am asking this
because the last time I posted this subject - sorry to post it again,
but it was not clear - a guy said it was possible.) I argued: "How
would the voice vlan be transported if there is no dot1Q?" (similar to what
Chris explained) and the guy answered that it was an exception.
It is hard to understand when the hardware is not available to test :)
Cordially
------------------------------------------------------------------
Gladston
"Chris Lewis (chrlewis)" <chrlewis@cisco.com>
25/06/2005 12:31
To: "Ed Lui" <edwlui@gmail.com>
cc: "John Matus" <jmatus@pacbell.net>, Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
Subject: RE: Voice VLAN - Access ports
Hi Ed,
Thanks for the reply, this has been a valuable exchange for me, as it
has made me rethink some things. However, please consider that Cisco
documentation on the web is imperfect, sometimes it is accurate from
one point of view, but can easily lead to incorrect conclusions, and
sometimes it is flat out wrong and won't work (my favorite current
example is the configuration for Outbound Route Filtering, it is
missing the reference to the prefix list, without which it does not
work). Cisco documentation on the web is a tremendous resource, but it
should only be taken as a guide for what the starting point for
configuration in a lab should be IMHO.
The best configuration example I have seen of voice vlan comes from
Maurilio Gorito's routing and switching practice lab book by Cisco
Press. In practice lab 2, configurations are shown for connecting a
7960 that does trunking, and a 7905 that does not do trunking.
The port connecting to a 7960 is configured for trunking, and the port
connected to the 7905 is not. This is given on p96
3550 config for 7960 phone
int fa0/16
switchport access vlan 2
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 50
no ip address
duplex full
speed 100
spanning-tree portfast
3550 config for 7905 phone
int fa0/17
switchport access vlan 50
no ip address
duplex half
speed 10
The explanation is given as follows:
The 7960 has the capability to trunk to the 3550 as it has an on-board
3 port switch and can separate the voice and data traffic
appropriately. The 7905 phone only has 10 base T and needs manual
insertion into the voice vlan. Ensure that the port connecting to the
7960 is configured as a trunk using dot1q and that the native vlan is
2.
If you also look at the Cisco Press book Cisco Catalyst QoS, by
Flanagan et al, on page 63 you see the following:
"Through the use of dot1q trunks, voice traffic from an IP phone
connected to an access port can reside on a separate VLAN and subnet.
The workstation attached to the IP phone might still reside on the
access, or native VLAN........Subsequently, with the use of voice
VLANs, all traffic is tagged to and from the Cisco IP phone and
Catalyst switch."
Now one could argue that things like portfast are not needed for a
trunk mode in this configuration, and I would agree, but that is what
Maurilio gave in his book, and likely what they would be looking for on
the lab exam, which is the purpose of this list :)
I think there are at least two sources of confusion in this
documentation. First is that not all IP phones are created equal, some
do trunking and some don't. The other is a potential dual use of the
phrase access port. In some contexts it can mean a non-trunking port,
in others it can mean an ethernet port (which can be configured for
trunking or non-trunking).
Cheers
Chris
________________________________
From: Ed Lui [mailto:edwlui@gmail.com]
Sent: Saturday, June 25, 2005 12:27 AM
To: Chris Lewis (chrlewis)
Cc: John Matus; gladston@br.ibm.com; ccielab@groupstudy.com
Subject: Re: Voice VLAN - Access ports
Chris,
I have been struggling about 2 vlans on an access port for a while. I
know it works with either access port or trunk port, let's say with a
7960. What I understand is, an access port cannot carry traffic for
more than 1 vlan. Somehow, the documentation told me voice vlan is an
exception. Then I labbed it up myself (3550 EMI + 7960). The result is
an access port can carry data on one vlan and voice on another within
the same access port. And that is what the documentation said, too.
Consider those underlined below. Portfast is for access port and not for
trunk port.
Voice VLAN Configuration Guidelines
These are the voice VLAN configuration guidelines:
* You should configure voice VLAN on switch access ports.
* Before you enable voice VLAN, we recommend that you enable QoS
  on the switch by entering the mls qos global configuration command and
  configure the port trust state to trust by entering the mls qos
  trust cos interface configuration command.
* The Port Fast feature is automatically enabled when voice VLAN
  is configured. When you disable voice VLAN, the Port Fast feature is
  not automatically disabled.
Per your config:
Int fa0/16
Switch access vlan 2
Switch trunk encap dot1q <---to be removed----->
Switch trunk native vlan 2 <---to be removed----->
Switch mode trunk <---to be removed----->
Switch voice vlan 50
switchport priority extend cos 0
mls qos trust cos < or "mls qos trust device cisco-phone" should also work >
It works with those lines removed. But also WORKS WITH THOSE LINES. I am
so confused about the configurations. Wish someone can explain the Pros
and Cons between the 2. Finally, I also have the same book you guys
have and understand it says trunk port configuration needs to be
included. On the other hand, documentation from cisco.com said access
port.
:)
Ed Lui
On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
Hi,
John, that is correct, the 7960 uses trunking, the cheaper ones do not.
Ed, my question to you is if you are told to configure a switch port to
have voice traffic from the phone in vlan 50 and data traffic from a PC
attached to the phone in vlan 2, how can you do that without configuring
trunking on the port? Clearly you would not want data traffic from the PC
in the same vlan as the voice traffic, otherwise it ceases to be a voice
vlan :)
Chris
-----Original Message-----
From: John Matus [mailto:jmatus@pacbell.net]
Sent: Friday, June 24, 2005 9:32 PM
To: Ed Lui; Chris Lewis (chrlewis)
Cc: gladston@br.ibm.com; ccielab@groupstudy.com
Subject: Re: Voice VLAN - Access ports
my ciscopress lab book is in the car...........but....
i think it all depends on which type of phone you are using.
i believe that the cheapy phones actually use the "switch access vlan"
for their traffic and a more expensive one <if i can remember correctly,
the 7960 phone??> uses trunking.
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Ed Lui" <edwlui@gmail.com>
To: "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
Cc: <gladston@br.ibm.com>; <ccielab@groupstudy.com>
Sent: Friday, June 24, 2005 6:34 PM
Subject: Re: Voice VLAN - Access ports
> Chris,
> It doesn't sound like what I learned from the DocCD. According to the
> DocCD. Switch port connected to IPphone should be configured as access
> port and NOT TRUNK. Take a look:
> Voice VLAN Configuration Guidelines
>
> These are the voice VLAN configuration guidelines:
>
>   - You should configure voice VLAN on switch access ports.
>   - Before you enable voice VLAN, we recommend that you enable QoS on
>   the switch by entering the mls qos global configuration command and
>   configure the port trust state to trust by entering the mls qos trust
>   cos interface configuration command.
>   - The Port Fast feature is automatically enabled when voice VLAN is
>   configured. When you disable voice VLAN, the Port Fast feature is not
>   automatically disabled.
>   - When you enable port security on an interface that is also
>   configured with a voice VLAN, you must set the maximum allowed secure
>   addresses on the port to at least two.
>   - If any type of port security is enabled on the access VLAN, dynamic
>   port security is automatically enabled on the voice VLAN.
>   - You cannot configure static secure or sticky secure MAC addresses on
>   a voice VLAN.
>   - Voice VLAN ports can also be these port types:
>      - Dynamic access port. See the "Configuring Dynamic Access Ports
>      on VMPS Clients" section
>      <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swvlan.htm#94106>
>      for more information.
>      - Secure port. See the "Configuring Port Security" section
>      <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#86378>
>      for more information.
>      - 802.1X authenticated port. See the "Using 802.1X with Voice
>      VLAN Ports" section
>      <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/sw8021x.htm#50544>
>      for more information.
>      - Protected port. See the "Configuring Protected Ports" section
>      <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#56161>
>      for more information
>
> HTH,
> Ed Lui
>
> On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
>>
>> This is a config that I believe works to make vlan 50 the voice vlan,
>> and vlan 2 to be the data vlan, then sets data from the PC to CoS 0 and
>> trusts CoS from the phone.
>>
>> Mls qos
>>
>> Vlan 50
>> Name voice vlan
>>
>> Int fa0/16
>> Switch access vlan 2
>> Switch trunk encap dot1q
>> Switch trunk native vlan 2
>> Switch mode trunk
>> Switch voice vlan 50
>> switchport priority extend cos 0
>> mls qos trust cos
>>
>> The switch access configuration in the interface defines what vlan the
>> port belongs to if for some reason the port stops trunking. Voice vlan
>> has to work on a trunk port for there to be traffic that are members of
>> two vlans on it.
>>
>> It could be possible that the documentation you refer to is listing a
>> restriction for configuring port security in addition to voice vlan,
>> although I don't know for sure.
>>
>> Chris
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> gladston@br.ibm.com
>> Sent: Wednesday, June 22, 2005 12:14 PM
>> To: ccielab@groupstudy.com
>> Subject: Voice VLAN - Access ports
>>
>> Hi,
>>
>> Looking for Port security information I read this:
>>
>> "Voice VLAN is only supported on access ports and not on trunk ports,
>> even though the configuration is allowed"
>>
>> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swtrafc.htm#wp1038501
>>
>> Some time ago I was researching about this subject (if it would be
>> allowed to configure an interface connected to an IPPhone with
>> 'switchport mode trunk').
>> One of the answers was 'yes'.
>>
>> Do you know if an IPPhone only works if the port is configured as access
>> port?
>> If yes, how does it work, considering the previous Cisco statement?
>>
>> Thanks for any feedback.
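
An added example, not part of the thread: a Python check of interface stanzas against the voice VLAN guidelines quoted above (access port rather than trunk, port-security maximum of at least two, QoS trust configured). The sample configuration and the function name are constructed for illustration; it assumes unabbreviated commands and an IOS default port-security maximum of 1.

```python
import re

# Constructed sample config (not from the thread); IOS default port-security maximum is 1.
SAMPLE = """\
interface FastEthernet0/16
 switchport access vlan 2
 switchport mode trunk
 switchport voice vlan 50
 mls qos trust cos
!
interface FastEthernet0/18
 switchport mode access
 switchport voice vlan 50
 switchport port-security
!
interface FastEthernet0/19
 switchport mode access
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 2
 mls qos trust cos
"""

def audit_voice_ports(config):
    """Return {interface: [findings]} for every port that has a voice VLAN."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    report = {}
    for name, cmds in stanzas.items():
        if not any(c.startswith("switchport voice vlan ") for c in cmds):
            continue
        findings = []
        if "switchport mode trunk" in cmds:
            findings.append("voice VLAN on a trunk port")
        if "switchport port-security" in cmds:
            hits = [re.fullmatch(r"switchport port-security maximum (\d+)", c) for c in cmds]
            if max([int(h.group(1)) for h in hits if h] or [1]) < 2:  # default 1
                findings.append("port-security maximum below 2")
        if not any(c.startswith("mls qos trust") for c in cmds):
            findings.append("no mls qos trust configured")
        report[name] = findings
    return report
```
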
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:44 GMT-3