From: Chris Lewis (chrlewis) (chrlewis@cisco.com)
Date: Sat Jun 25 2005 - 12:31:34 GMT-3
Hi Ed,
Thanks for the reply, this has been a valuable exchange for me, as it
has made me rethink some things. However, please consider that Cisco
documentation on the web is imperfect, sometimes it is accurate from one
point of view, but can easily lead to incorrect conclusions, and
sometimes it is flat out wrong and won't work (my favorite current
example is the configuration for Outbound Route Filtering, it is missing
the reference to the prefix list, without which it does not work). Cisco
documentation on the web is a tremendous resource, but it should only be
taken as a guide for what the starting point for configuration in a lab
should be IMHO.
The best configuration example I have seen of voice vlan comes from
Maurilio Gorito's routing and switching practice lab book by Cisco
press. In practice lab 2, configurations are shown for connecting a
7960 that does trunking, and a 7905 that does not do trunking.
The port connecting to a 7960 is configured for trunking, and the port
connected to the 7905 is not. This is given on p96:

3550 config for 7960 phone:

    int fa0/16
     switchport access vlan 2
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 2
     switchport mode trunk
     switchport voice vlan 50
     no ip address
     duplex full
     speed 100
     spanning-tree portfast

3550 config for 7905 phone:

    int fa0/17
     switchport access vlan 50
     no ip address
     duplex half
     speed 10

The explanation is given as follows:
The 7960 has the capability to trunk to the 3550 as it has an on-board 3
port switch and can separate the voice and data traffic
appropriately. The 7905 phone only has 10 base T and needs manual
insertion in to the voice vlan. Ensure that the port connecting to the
7960 is configured as a trunk using dot1q and that the native vlan is 2.
If you also look at the Cisco Press book Cisco Catalyst QoS, by Flanagan
et al, on page 63 you see the following:
"Through the use of dot1q trunks, voice traffic from an IP phone
connected to an access port can reside on a separate VLAN and subnet.
The workstation attached to the IP phone might still reside on the
access, or native VLAN........Subsequently, with the use of voice VLANs,
all traffic is tagged to and from the Cisco IP phone and Catalyst
switch."
Now one could argue that things like portfast are not needed for a trunk
mode in this configuration, and I would agree, but that is what Maurilio
gave in his book, and likely what they would be looking for on the lab
exam, which is the purpose of this list :)
I think there are at least two sources of confusion in this
documentation. First is that not all IP phones are created equal, some
do trunking and some don't. The other is a potential dual use of the
phrase access port. In some contexts it can mean a non-trunking port,
in others it can mean an ethernet port (which can be configured for
trunking or non-trunking).
Cheers
Chris
________________________________
From: Ed Lui [mailto:edwlui@gmail.com]
Sent: Saturday, June 25, 2005 12:27 AM
To: Chris Lewis (chrlewis)
Cc: John Matus; gladston@br.ibm.com; ccielab@groupstudy.com
Subject: Re: Voice VLAN - Access ports
Chris,
I have been struggling about 2 vlans on an access port for a while. I
know it works with either access port or trunk port, let's say with a 7960.
What I understand is, an access port can not carry traffic for more than
1 vlan. Somehow, the documentation told me voice vlan is an exception.
Then I labbed it up myself (3550 EMI + 7960). The result is an access
port can carry data on one vlan and voice on another within the same
access port. And that is what the documentation said, too.
Consider those underlined below. Portfast is for access port and not for
trunk port.
Voice VLAN Configuration Guidelines
These are the voice VLAN configuration guidelines:
* You should configure voice VLAN on switch access ports.
* Before you enable voice VLAN, we recommend that you enable QoS
on the switch by entering the mls qos global configuration command and
configure the port trust state to trust by entering the mls qos trust
cos interface configuration command.
* The Port Fast feature is automatically enabled when voice VLAN
is configured. When you disable voice VLAN, the Port Fast feature is not
automatically disabled.
Per your config :
Int fa0/16
Switch access vlan 2
Switch trunk encap dot1q<---to be removed----->
Switch trunk native vlan 2<---to be removed----->
Switch mode trunk<---to be removed----->
Switch voice vlan 50
switchport priority extend cos 0
mls qos trust cos < or "mls qos trust device cisco-phone" should also work >
It works with those lines removed. But also WORKS WITH THOSE LINES. I am
so confused about the configurations. Wish someone can explain the Pros
and Cons between the 2. Finally, I also have the same book you guys have
and understand it says trunk port configuration needs to be included. On
the other hand, documentation from cisco.com said access port.
:)
Ed Lui
On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
Hi,
John, that is correct, the 7960 uses trunking, the cheaper ones do not.
Ed, my question to you is if you are told to configure a switch port to
have voice traffic from the phone in vlan 50 and data traffic from a PC
attached to the phone in vlan 2, how can you do that without configuring
trunking on the port? Clearly you would not want data traffic from the PC
in the same vlan as the voice traffic, otherwise it ceases to be a voice
vlan :)
Chris
-----Original Message-----
From: John Matus [mailto:jmatus@pacbell.net ]
Sent: Friday, June 24, 2005 9:32 PM
To: Ed Lui; Chris Lewis (chrlewis)
Cc: gladston@br.ibm.com; ccielab@groupstudy.com
Subject: Re: Voice VLAN - Access ports
my ciscopress lab book is in the car...........but....
i think it all depends on which type of phone you are using.
i believe that the cheapy phones actually use the "switch access vlan"
for their traffic and a more expensive one <if i can remember correctly,
the 7960 phone??> uses trunking.
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Ed Lui" <edwlui@gmail.com>
To: "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
Cc: <gladston@br.ibm.com>; <ccielab@groupstudy.com>
Sent: Friday, June 24, 2005 6:34 PM
Subject: Re: Voice VLAN - Access ports
> Chris,
> It doesn't sound like what I learned from the DocCD. According to the
> DocCD, switch port connected to IPphone should be configured as access
> port and NOT TRUNK. Take a look :
> Voice VLAN Configuration Guidelines
>
> These are the voice VLAN configuration guidelines:
>
> - You should configure voice VLAN on switch access ports.
> - Before you enable voice VLAN, we recommend that you enable QoS on
>   the switch by entering the mls qos global configuration command and
>   configure the port trust state to trust by entering the mls qos trust
>   cos interface configuration command.
> - The Port Fast feature is automatically enabled when voice VLAN is
>   configured. When you disable voice VLAN, the Port Fast feature is not
>   automatically disabled.
> - When you enable port security on an interface that is also
>   configured with a voice VLAN, you must set the maximum allowed secure
>   addresses on the port to at least two.
> - If any type of port security is enabled on the access VLAN, dynamic
>   port security is automatically enabled on the voice VLAN.
> - You cannot configure static secure or sticky secure MAC addresses on
>   a voice VLAN.
> - Voice VLAN ports can also be these port types:
>   - Dynamic access port. See the "Configuring Dynamic Access Ports
>     on VMPS Clients" section
>     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swvlan.htm#94106>
>     for more information.
>   - Secure port. See the "Configuring Port Security" section
>     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#86378>
>     for more information.
>   - 802.1X authenticated port. See the "Using 802.1X with Voice
>     VLAN Ports" section
>     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/sw8021x.htm#50544>
>     for more information.
>   - Protected port. See the "Configuring Protected Ports" section
>     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#56161>
>     for more information
>
> HTH,
> Ed Lui
>
> On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
>>
>> This is a config that I believe works to make vlan 50 the voice vlan,
>> and vlan 2 to be the data vlan, then sets data from the PC to CoS 0 and
>> trusts CoS from the phone.
>>
>> Mls qos
>>
>> Vlan 50
>> Name voice vlan
>>
>> Int fa0/16
>> Switch access vlan 2
>> Switch trunk encap dot1q
>> Switch trunk native vlan 2
>> Switch mode trunk
>> Switch voice vlan 50
>> switchport priority extend cos 0
>> mls qos trust cos
>>
>> The switch access configuration in the interface defines what vlan the
>> port belongs to if for some reason the port stops trunking. Voice vlan
>> has to work on a trunk port for there to be traffic that are members of
>> two vlans on it.
>>
>> It could be possible that the documentation you refer to is listing a
>> restriction for configuring port security in addition to voice vlan,
>> although I don't know for sure.
>>
>> Chris
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> gladston@br.ibm.com
>> Sent: Wednesday, June 22, 2005 12:14 PM
>> To: ccielab@groupstudy.com
>> Subject: Voice VLAN - Access ports
>>
>> Hi,
>>
>> Looking for Port security information I read this:
>>
>> "Voice VLAN is only supported on access ports and not on trunk ports,
>> even though the configuration is allowed"
>>
>> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swtrafc.htm#wp1038501
>>
>> Some time ago I was researching about this subject (if it would be
>> allowed to configure an interface connected to an IPPhone with
>> 'switchport mode trunk').
>> One of the answers was 'yes'.
>>
>> Do you know if an IPPhone only works if the port is configured as access
>> port?
>> If yes, how does it work, considering the previous Cisco statement?
>>
>> Thanks for any feedback.
>>
>>
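
The guidelines quoted in this thread (voice VLAN supported on access ports only, a port-security maximum of at least two, QoS trust on the port) can be checked mechanically against a saved configuration. This is an added example, not part of any message in the thread and not Cisco tooling; the sample config, the function name `audit_voice_ports` and the finding labels are constructed for illustration.

```python
import re
# Constructed sample config (not output from the thread's lab switch).
SAMPLE = """\
interface FastEthernet0/16
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 switchport voice vlan 50
 mls qos trust cos
!
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 50
 switchport port-security
!
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 2
 mls qos trust cos
!
"""

def audit_voice_ports(config):
    """Map each voice-VLAN interface to the quoted guidelines it misses."""
    findings = {}
    for m in re.finditer(r"(?m)^interface (\S+)\n((?:[ \t]+.*\n)*)", config):
        body = m.group(2)
        cmds = [c.strip() for c in body.splitlines()]
        if not any(c.startswith("switchport voice vlan") for c in cmds):
            continue  # not a voice port, nothing to check
        issues = []
        if "switchport mode trunk" in cmds:
            issues.append("trunk-mode")  # documented as access-port only
        if "switchport port-security" in cmds:
            mx = re.findall(r"(?m)^[ \t]*switchport port-security maximum (\d+)[ \t]*$", body)
            limit = int(mx[-1]) if mx else 1  # IOS default is one secure MAC
            if limit < 2:  # phone and attached PC each need a secure MAC
                issues.append("port-security-max-below-2")
        if not any(c.startswith("mls qos trust") for c in cmds):
            issues.append("no-qos-trust")
        findings[m.group(1)] = issues
    return findings

if __name__ == "__main__":
    print(audit_voice_ports(SAMPLE))
```
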
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:44 GMT-3