From: Ed Lui (edwlui@gmail.com)
Date: Mon Jun 27 2005 - 23:43:48 GMT-3
Gladston,
No doubt. There is NO ONE document that can prove whether it is correct or not.
As I mentioned in a previous post, an access port carrying traffic for more than
1 vlan is not what most people learned. But this is what I found in the Cisco
documentation, and not just one. I checked both the 3550 and 6500 (voice vlan = aux
vlan) configuration from cisco.com. Plus I (myself) actually labbed it up with
a 3550 EMI + 7960 phone. Well, did I overlook something? It is possible. I am
not a Network Engineer but really want to figure out the technology. So far,
I know both trunk port and access port work as well.
Actually, I keep thinking about the pros and cons of both: what is the
advantage, the overhead, etc. Like Brian Dennis said in one of the online
seminars, and I truly agree, understanding the technology is the key point.
Passing the lab is important. I don't feel good about myself if I get a chance
to hold a number but don't know what I am doing. I wish Chris Lewis could find
out for us.
:)
Ed Lui
P.S. Technology is changing every day. The standard is based upon the
creator. Who knows if one day access port can carry no more than 5 vlans. It
is all up to the creator.
On 6/27/05, gladston@br.ibm.com <gladston@br.ibm.com> wrote:
>
>
> Thanks for this invaluable feedback.
>
> Looking at Maurilio's book, page 96, as Chris pointed:
>
> Would you agree with the author's statement "Ensure...that the native vlan
> is 2"?
> As I see it, it is not necessary to configure native vlan (to have vlan 2
> for data and vlan 50 for voice). One could leave the native vlan as default,
> configure the voice vlan to 50 and the data vlan to 2.
>
> Do you see any reason to configure native vlan to the same vlan as the
> data vlan? (my point is that as 7960 talks dot1q, it can tag data vlan to
> any value)
>
> Have you seen voice vlan configured on an access port? (I am asking this
> because the last time I posted this subject - sorry to post it again, but
> it was not clear - a guy said it was possible). I argued: "How would the
> voice vlan be transported if there is no dot1Q?" (similar to what Chris
> explained) and the guy answered that it was an exception.
> It is hard to understand when the hardware is not available to test :)
>
>
> Cordially
> ------------------------------------------------------------------
> Gladston
>
>
>
> *"Chris Lewis (chrlewis)" <chrlewis@cisco.com>*
> 25/06/2005 12:31
> To: "Ed Lui" <edwlui@gmail.com>
> cc: "John Matus" <jmatus@pacbell.net>, Alaerte Gladston
> Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
> Subject: RE: Voice VLAN - Access ports
>
> Hi Ed,
>
> Thanks for the reply, this has been a valuable exchange for me, as it has
> made me rethink some things. However, please consider that Cisco
> documentation on the web is imperfect, sometimes it is accurate from one
> point of view, but can easily lead to incorrect conclusions, and sometimes
> it is flat out wrong and won't work (my favorite current example is the
> configuration for Outbound Route Filtering, it is missing the reference to
> the prefix list, without which it does not work). Cisco documentation on the
> web is a tremendous resource, but it should only be taken as a guide for
> what the starting point for configuration in a lab should be IMHO.
>
> The best configuration example I have seen of voice vlan comes from
> Maurilio Gorito's routing and switching practice lab book by Cisco press. In
> practice lab 2, configurations are shown for connecting a 7960 that does
> trunking, and a 7905 that does not do trunking.
>
> The port connecting to a 7960 is configured for trunking, and the port
> connected to the 7905 is not. This is given on p96
>
> 3550 config for 7960 phone
> int fa0/16
> switchport access vlan 2
> switchport trunk encapsulation dot1q
> switchport trunk native vlan 2
> switchport mode trunk
> switchport voice vlan 50
> no ip address
> duplex full
> speed 100
> spanning-tree portfast
>
> 3550 config for 7905 phone
> int fa0/17
> switchport access vlan 50
> no ip address
> duplex half
> speed 10
>
> The explanation is given as follows:
>
> The 7960 has the capability to trunk to the 3550 as it has an on-board 3
> port switch and can separate the voice and data traffic appropriately. The
> 7905 phone only has 10 base T and needs manual insertion in to the voice
> vlan. Ensure that the port connecting to the 7960 is configured as a trunk
> using dot1q and that the native vlan is 2.
>
> If you also look at the Cisco Press book Cisco Catalyst QoS, by Flanagan
> et al, on page 63 you see the following:
>
> "Through the use of dot1q trunks, voice traffic from an IP phone connected
> to an access port can reside on a separate VLAN and subnet. The workstation
> attached to the IP phone might still reside on the access, or native
> VLAN........Subsequently, with the use of voice VLANs, all traffic is tagged
> to and from the Cisco IP phone and Catalyst switch."
>
> Now one could argue that things like portfast are not needed for a trunk
> mode in this configuration, and I would agree, but that is what Maurilio
> gave in his book, and likely what they would be looking for on the lab exam,
> which is the purpose of this list :)
>
> I think there are at least two sources of confusion in this documentation.
> First is that not all IP phones are created equal, some do trunking and some
> don't. The other is a potential dual use of the phrase access port. In some
> contexts it can mean a non-trunking port, in others it can mean an ethernet
> port (which can be configured for trunking or non-trunking).
>
> Cheers
>
> Chris
> ------------------------------
>
>
> *From:* Ed Lui [mailto:edwlui@gmail.com]
> *Sent:* Saturday, June 25, 2005 12:27 AM
> *To:* Chris Lewis (chrlewis)
> *Cc:* John Matus; gladston@br.ibm.com; ccielab@groupstudy.com
> *Subject:* Re: Voice VLAN - Access ports
>
> Chris,
>
> I have been struggling about 2 vlans on an access port for a while. I know
> it works with either access port or trunk port, let's say with a 7960. What I
> understand is, an access port cannot carry traffic for more than 1 vlan.
> Somehow, the documentation told me voice vlan is an exception. Then I labbed
> it up myself (3550 EMI + 7960). The result is an access port can carry data
> on one vlan and voice on another within the same access port. And that is
> what the documentation said, too.
>
> Consider those underlined below. Portfast is for access port and not for
> trunk port.
>
>
> *Voice VLAN Configuration Guidelines*
>
> These are the voice VLAN configuration guidelines:
>
> - *You should configure voice VLAN on switch access ports.*
> - Before you enable voice VLAN, we recommend that you enable QoS on
> the switch by entering the mls qos global configuration command and
> configure the port trust state to trust by entering the mls qos trust cos
> interface configuration command.
> - *The Port Fast feature is automatically enabled when voice VLAN is
> configured*. When you disable voice VLAN, the Port Fast feature is
> not automatically disabled.
>
>
> Per your config :
> Int fa0/16
> Switch access vlan 2
> Switch trunk encap dot1q<---to be removed----->
> Switch trunk native vlan 2<---to be removed----->
> Switch mode trunk<---to be removed----->
> Switch voice vlan 50
> switchport priority extend cos 0
> mls qos trust cos <or "mls qos trust device cisco-phone" should also work>
>
> It works with those lines removed. But it also WORKS WITH THOSE LINES. I am
> so confused about the configurations. I wish someone could explain the pros
> and cons between the 2. Finally, I also have the same book you guys have and
> understand it says trunk port configuration needs to be included. On the
> other hand, documentation from cisco.com said access port.
>
> :)
> Ed Lui
>
>
>
>
>
>
> On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
>
> Hi,
>
> John, that is correct, the 7960 uses trunking, the cheaper ones do not.
>
> Ed, my question to you is if you are told to configure a switch port to
> have voice traffic from the phone in vlan 50 and data traffic from a PC
> attached to the phone in vlan 2, how can you do that without configuring
> trunking on the port? Clearly you would not want data traffic from the PC
> in the same vlan as the voice traffic, otherwise it ceases to be a voice
> vlan :)
>
> Chris
>
> -----Original Message-----
> From: John Matus [mailto:jmatus@pacbell.net]
> Sent: Friday, June 24, 2005 9:32 PM
> To: Ed Lui; Chris Lewis (chrlewis)
> Cc: gladston@br.ibm.com; ccielab@groupstudy.com
> Subject: Re: Voice VLAN - Access ports
>
> my ciscopress lab book is in the car...........but....
> i think it all depends on which type of phone you are using.
>
> i believe that the cheapy phones actually use the "switch access vlan"
> for their traffic and a more expensive one <if i can remember correctly,
> the 7960 phone??> uses trunking.
>
>
> Regards,
>
> John D. Matus
> MCSE, CCNP
> Office: 818-782-2061
> Cell: 818-430-8372
> jmatus@pacbell.net
> ----- Original Message -----
> From: "Ed Lui" <edwlui@gmail.com>
> To: "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
> Cc: <gladston@br.ibm.com>; <ccielab@groupstudy.com>
> Sent: Friday, June 24, 2005 6:34 PM
> Subject: Re: Voice VLAN - Access ports
>
>
> > Chris,
> > It doesn't sound like what I learned from the DocCD. According to the
> > DocCD, switch port connected to IPphone should be configured as access
> > port and NOT TRUNK. Take a look:
> > Voice VLAN Configuration Guidelines
> >
> > These are the voice VLAN configuration guidelines:
> >
> > - You should configure voice VLAN on switch access ports.
> > - Before you enable voice VLAN, we recommend that you enable QoS on
> >   the switch by entering the mls qos global configuration command and
> >   configure the port trust state to trust by entering the mls qos trust
> >   cos interface configuration command.
> > - The Port Fast feature is automatically enabled when voice VLAN is
> >   configured. When you disable voice VLAN, the Port Fast feature is not
> >   automatically disabled.
> > - When you enable port security on an interface that is also
> >   configured with a voice VLAN, you must set the maximum allowed secure
> >   addresses on the port to at least two.
> > - If any type of port security is enabled on the access VLAN, dynamic
> >   port security is automatically enabled on the voice VLAN.
> > - You cannot configure static secure or sticky secure MAC addresses on
> >   a voice VLAN.
> > - Voice VLAN ports can also be these port types:
> >   - Dynamic access port. See the "Configuring Dynamic Access Ports
> >     on VMPS Clients" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swvlan.htm#94106>
> >     for more information.
> >   - Secure port. See the "Configuring Port Security" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#86378>
> >     for more information.
> >   - 802.1X authenticated port. See the "Using 802.1X with Voice
> >     VLAN Ports" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/sw8021x.htm#50544>
> >     for more information.
> >   - Protected port. See the "Configuring Protected Ports" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#56161>
> >     for more information
> >
> > HTH,
> > Ed Lui
> >
> > On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
> >>
> >> This is a config that I believe works to make vlan 50 the voice vlan,
> >> and vlan 2 to be the data vlan, then sets data from the PC to CoS 0 and
> >> trusts CoS from the phone.
> >>
> >> Mls qos
> >>
> >> Vlan 50
> >> Name voice vlan
> >>
> >> Int fa0/16
> >> Switch access vlan 2
> >> Switch trunk encap dot1q
> >> Switch trunk native vlan 2
> >> Switch mode trunk
> >> Switch voice vlan 50
> >> switchport priority extend cos 0
> >> mls qos trust cos
> >>
> >> The switch access configuration in the interface defines what vlan the
> >> port belongs to if for some reason the port stops trunking. Voice vlan
> >> has to work on a trunk port for there to be traffic that are members of
> >> two vlans on it.
> >>
> >> It could be possible that the documentation you refer to is listing a
> >> restriction for configuring port security in addition to voice vlan,
> >> although I don't know for sure.
> >>
> >> Chris
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> gladston@br.ibm.com
> >> Sent: Wednesday, June 22, 2005 12:14 PM
> >> To: ccielab@groupstudy.com
> >> Subject: Voice VLAN - Access ports
> >>
> >> Hi,
> >>
> >> Looking for Port security information I read this:
> >>
> >> "Voice VLAN is only supported on access ports and not on trunk ports,
> >> even though the configuration is allowed"
> >>
> >>
> >> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swtrafc.htm#wp1038501
> >>
> >> Some time ago I was researching about this subject (if it would be
> >> allowed to configure an interface connected to an IPPhone with
> >> 'switchport mode trunk').
> >> One of the answers was 'yes'.
> >>
> >> Do you know if an IPPhone only works if the port is configured as access
> >> port?
> >> If yes, how does it work, considering the previous Cisco statement?
> >>
> >> Thanks for any feedback.
> >>
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
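
An added example, not part of the thread or of Cisco's documentation: a small Python check over IOS-style interface stanzas that flags the two conditions the Cisco text quoted in the thread calls out, a voice VLAN on a port in trunk mode and port security allowing fewer than two secure addresses on a voice VLAN port. The sample config, function names and finding labels are constructed for illustration, and the port-security default of one address when no maximum is configured is an assumption about IOS behaviour.

```python
import re

# Constructed sample, not from the thread; Fa0/16 mirrors the trunk-style port above.
SAMPLE_CONFIG = """\
interface FastEthernet0/16
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode trunk
 switchport voice vlan 50
interface FastEthernet0/18
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 50
 switchport port-security
interface FastEthernet0/19
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 2
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    ports, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # left the interface stanza
    return ports

def audit_voice_ports(text):
    """Flag voice VLAN ports that conflict with the quoted guidelines."""
    findings = []
    for name, cmds in parse_interfaces(text).items():
        if not any(re.fullmatch(r"switchport voice vlan \d+", c) for c in cmds):
            continue  # not a voice VLAN port
        if "switchport mode trunk" in cmds:
            findings.append((name, "voice VLAN on trunk-mode port"))
        if "switchport port-security" in cmds:
            limits = [int(m.group(1)) for c in cmds
                      if (m := re.fullmatch(r"switchport port-security maximum (\d+)", c))]
            # Assumed IOS default when no maximum is configured: 1 secure address.
            if (limits[-1] if limits else 1) < 2:
                findings.append((name, "port-security maximum below 2"))
    return findings
```

Running `audit_voice_ports(SAMPLE_CONFIG)` reports Fa0/16 for trunk mode and Fa0/18 for the port-security limit; Fa0/19 passes because the phone and the PC behind it each get a secure address.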