Re: Voice VLAN - Access ports

From: Ed Lui (edwlui@gmail.com)
Date: Tue Jun 28 2005 - 02:28:26 GMT-3


Larry,

Forget my last post. I was thinking about it in a different way. I think the
reason why you put "allowed vlan" is to stop traffic from other vlans going
to the phone port, since it is configured as a trunk. Looks like there is no
benefit to configuring it as a trunk port, because the access port (still trunk)
configuration doesn't even have to deal with other vlans coming into the port.
Agree?

Thanks,
Ed Lui

On 6/27/05, Ed Lui <edwlui@gmail.com> wrote:
>
> Larry,
>
> Thanks! It is much more clear now. But I am thinking, since you have the
> trunk port configuration + allowed vlan(s) across the trunk. My question is:
>
> 1. A trunk link can be connected to the phone's PC port with trunk
> configuration on the switch port?
> 2. With just the access mode configuration (without any trunk
> configuration), no vlan(s) will be allowed other than the voice vlan and
> access vlan? Is it the difference between the trunk configuration and
> access port configuration?
>
> Ed Lui
>
> On 6/27/05, Larry Letterman (lletterm) <lletterm@cisco.com> wrote:
> >
> >
> > Ed,
> >
> > This is one of our switches using the trunk method...
> >
> >
> > interface FastEthernet0/4
> > switchport trunk encapsulation dot1q
> > switchport trunk native vlan 152
> > switchport trunk allowed vlan 1,152,155,1002-1005
> > switchport mode trunk
> > switchport voice vlan 155
> > no ip address
> > spanning-tree portfast
> > !
> >
> >
> > ##################################
> > Larry Letterman
> > Cisco Systems Inc.
> > ##################################
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Larry Letterman (lletterm)
> > Sent: Monday, June 27, 2005 10:51 PM
> > To: Ed Lui
> > Cc: gladston@br.ibm.com; Chris Lewis (chrlewis); ccielab@groupstudy.com;
> > John Matus
> > Subject: RE: Voice VLAN - Access ports
> >
> > when we introduced the ip voice platform, they came up with the aux vlan
> > command..
> > plain and simple, it allows the ethernet port to carry 2 vlans, which is
> > just a trunk port in disguise...to my knowledge you cannot carry more
> > than 1 vlan across ethernet ports without trunking the port somehow...
> >
> > The ios based switches, c3550 and C6500, can either trunk the vlans or
> > use access switchport settings and voice vlan commands...in my networks,
> > I use the switchport access and voice vlan for my ios based telephony
> > switches...
> >
> > the difference is that access ports are for carrying 1 vlan or subnet
> > data and trunk ports are for carrying two or more vlans /subnets on that
> > port...
> >
> >
> > ##################################
> > Larry Letterman
> > Cisco Systems Inc.
> > ##################################
> >
> >
> > ________________________________
> >
> > From: Ed Lui [mailto: edwlui@gmail.com]
> > Sent: Monday, June 27, 2005 10:35 PM
> > To: Larry Letterman (lletterm)
> > Cc: gladston@br.ibm.com; Chris Lewis (chrlewis); ccielab@groupstudy.com;
> > John Matus
> > Subject: Re: Voice VLAN - Access ports
> >
> >
> > Thanks Larry. Any idea what is the difference between the trunk and
> > access ?
> >
> >
> > On 6/27/05, Larry Letterman (lletterm) <lletterm@cisco.com> wrote:
> >
> > It works either way...
> >
> > The ios command for voice vlan does the same thing that
> > Aux vlans does for catos...
> >
> > Or you can use the trunk command in ios switches to trunk more
> > Than one vlan....
> >
> >
> >
> >
> >
> > ##################################
> > Larry Letterman
> > Cisco Systems Inc.
> > ##################################
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ed Lui
> > Sent: Monday, June 27, 2005 9:44 PM
> > To: gladston@br.ibm.com
> > Cc: Chris Lewis (chrlewis); ccielab@groupstudy.com; John Matus
> > Subject: Re: Voice VLAN - Access ports
> >
> > Gladston,
> >
> > No doubt. There is NO ONE document can prove if it is correct or not. As
> > I mentioned in previous post. Access port carries traffic for more than
> > 1 vlan is not what most people learned. But this is what I found from
> > cisco documentation and not just one. I checked both 3550 and 6500 (voice
> > vlan=aux vlan) configuration from cisco.com <http://cisco.com>. Plus
> > I (myself) actually labbed it up with 3550EMI+7960phone. Well, did I
> > overlook something? It is possible. I am not a Network Engineer but
> > really want to figure out the technology. So far, I know both trunk port
> > and access port work as well.
> >
> > Actually, I keep thinking about the pros and cons for both. What is the
> > advantage, overhead...etc. Like Brian Dennis said in one of the online
> > seminars. I truly agree, understand the technology is the key point.
> > Passing the lab is important. I don't feel good to myself if I get a
> > chance to hold a number but don't know what myself is doing. Wish Chris
> > Lewis can find out for us.
> >
> > :)
> > Ed Lui
> > P.S. Technology is changing every day. The standard is based upon the
> > creator. Who knows if one day access port can carry no more than 5
> > vlans. It is all up to the creator.
> >
> >
> >
> > On 6/27/05, gladston@br.ibm.com <gladston@br.ibm.com> wrote:
> > >
> > >
> > > Thanks for this invaluable feedback.
> > >
> > > Looking at Maurilio's book, page 96, as Chris pointed:
> > >
> > > Would you agree with the author statement "Ensure...that the native
> > > vlan is 2".
> > > As I see it, it is not necessary to configure native vlan (to have
> > > vlan 2 for data and vlan 50 for voice). One could let the native vlan
> > > as default, configure the voice vlan to 50 and the data vlan to 2.
> > >
> > > Do you see any reason to configure native vlan to the same vlan as the
> > > data vlan? (my point is that as 7960 talks dot1q, it can tag data vlan
> > > to any value)
> > >
> > > Have you seen voice vlan configured on an access port? (I am asking
> > > this because on the last time I posted this subject - sorry to post it
> > > again, but it was not clear - a guy said it was possible). I argued:
> > > "How would the voice vlan be transported if there is no dot1Q?"
> > > (similar as Chris explained) and the guy answered that it was an
> > > exception.
> > > It is hard to understand when the hardware is not available to test :)
> > >
> > >
> > > Cordially
> > >
> > ------------------------------------------------------------------
> > > Gladston
> > >
> > >
> > >
> > > "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
> > > 25/06/2005 12:31
> > > To: "Ed Lui" <edwlui@gmail.com>
> > > cc: "John Matus" <jmatus@pacbell.net>, Alaerte Gladston
> > > Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
> > > Subject: RE: Voice VLAN - Access ports
> > >
> > > Hi Ed,
> > >
> > > Thanks for the reply, this has been a valuable exchange for me, as it
> > > has made me rethink some things. However, please consider that Cisco
> > > documentation on the web is imperfect, sometimes it is accurate from
> > > one point of view, but can easily lead to incorrect conclusions, and
> > > sometimes it is flat out wrong and won't work (my favorite current
> > > example is the configuration for Outbound Route Filtering, it is
> > > missing the reference to the prefix list, without which it does not
> > > work). Cisco documentation on the web is a tremendous resource, but it
> > > should only be taken as a guide for what the starting point for
> > > configuration in a lab should be IMHO.
> > >
> > > The best configuration example I have seen of voice vlan comes from
> > > Maurilio Gorito's routing and switching practice lab book by Cisco
> > > press. In practice lab 2, configurations are shown for connecting a
> > > 7960 that does trunking, and a 7905 that does not do trunking.
> > >
> > > The port connecting to a 7960 is configured for trunking, and the port
> > > connected to the 7905 is not. This is given on p96
> > >
> > > 3550 config for 7960 phone
> > > int fa0/16
> > > switchport access vlan 2
> > > switchport trunk encapsulation dot1q
> > > switchport trunk native vlan 2
> > > switchport mode trunk
> > > switchport voice vlan 50
> > > no ip address
> > > duplex full
> > > speed 100
> > > spanning-tree portfast
> > >
> > > 3550 config for 7905 phone
> > > int fa0/17
> > > switchport access vlan 50
> > > no ip address
> > > duplex half
> > > speed 10
> > >
> > > The explanation is given as follows:
> > >
> > > The 7960 has the capability to trunk to the 3550 as it has an on-board
> > > 3 port switch and can separate the voice and data traffic
> > > appropriately. The 7905 phone only has 10 base T and needs manual
> > > insertion in to the voice vlan. Ensure that the port connecting to the
> > > 7960 is configured as a trunk using dot1q and that the native vlan is 2.
> > >
> > > If you also look at the Cisco Press book Cisco Catalyst QoS, by
> > > Flanagan et al, on page 63 you see the following:
> > >
> > > "Through the use of dot1q trunks, voice traffic from an IP phone
> > > connected to an access port can reside on a separate VLAN and subnet.
> > > The workstation attached to the Ip phone might still reside on the
> > > access, or native VLAN........Subsequently, with the use of voice
> > > VLANs, all traffic is tagged to and from the Cisco IP phone and
> > > Catalyst switch."
> > >
> > > Now one could argue that things like portfast are not needed for a
> > > trunk mode in this configuration, and I would agree, but that is what
> > > Maurilio gave in his book, and likely what they would be looking for
> > > on the lab exam, which is the purpose of this list :)
> > >
> > > I think there are at least two sources of confusion in this
> > > documentation.
> > > First is that not all IP phones are created equal, some do trunking
> > > and some don't. The other is a potential dual use of the phrase access
> > > port. In some contexts it can mean a non trunking port, in others it
> > > can mean an ethernet port (which can be configured for trunking or
> > > non-trunking).
> > >
> > > Cheers
> > >
> > > Chris
> > > ------------------------------
> > >
> > >
> > > *From:* Ed Lui [mailto: edwlui@gmail.com]
> > > *Sent:* Saturday, June 25, 2005 12:27 AM
> > > *To:* Chris Lewis (chrlewis)
> > > *Cc:* John Matus; gladston@br.ibm.com ; ccielab@groupstudy.com
> > > *Subject:* Re: Voice VLAN - Access ports
> > >
> > > Chris,
> > >
> > > I have been struggling about 2 vlans on an access port for a while. I
> > > know it works with either access port or trunk port let say with a
> > > 7960. What I understand is, an access port can not carry traffic for
> > > more than 1 vlan.
> > > Somehow, the documentation told me voice vlan is an exception. Then I
> > > labbed it up myself (3550 EMI + 7960). The result is an access port can
> > > carry data on one vlan and voice on another within the same access
> > > port. And that is what the documentation said, too.
> > >
> > > Consider those underlined below. Portfast is for access port and not
> > > for trunk port.
> > >
> > >
> > > *Voice VLAN Configuration Guidelines*
> > >
> > > These are the voice VLAN configuration guidelines:
> > >
> > > - *You should configure voice VLAN on switch access ports.*
> > > - Before you enable voice VLAN, we recommend that you enable QoS on
> > >   the switch by entering the mls qos global configuration command and
> > >   configure the port trust state to trust by entering the mls qos trust
> > >   cos interface configuration command.
> > > - *The Port Fast feature is automatically enabled when voice VLAN is
> > >   configured*. When you disable voice VLAN, the Port Fast feature is
> > >   not automatically disabled.
> > >
> > >
> > > Per your config :
> > > Int fa0/16
> > > Switch access vlan 2
> > > Switch trunk encap dot1q <---to be removed----->
> > > Switch trunk native vlan 2 <---to be removed----->
> > > Switch mode trunk <---to be removed----->
> > > Switch voice vlan 50
> > > switchport priority extend cos 0
> > > mls qos trust cos < or "mls qos trust device cisco-phone" should also work >
> > >
> > > It works with those lines removed. But also WORKS WITH THOSE LINES. I
> > > am so confused about the configurations. Wish someone can explain the
> > > Pros and Cons between the 2. Finally, I also have the same book you
> > > guys have and understand it says trunk port configuration needs to be
> > > included. On the other hand, documentation from cisco.com
> > > <http://cisco.com> said access port.
> > >
> > > :)
> > > Ed Lui
> > >
> > >
> > >
> > >
> > >
> > >
> > > On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
> > >
> > > Hi,
> > >
> > > John, that is correct, the 7960 uses trunking, the cheaper ones do not.
> > >
> > > Ed, my question to you is if you are told to configure a switch port
> > > to have voice traffic from the phone in vlan 50 and data traffic from
> > > a PC attached to the phone in vlan 2, how can you do that without
> > > configuring trunking on the port? Clearly you would not want data
> > > traffic from the PC in the same vlan as the voice traffic, otherwise it
> > > ceases to be a voice vlan :)
> > >
> > > Chris
> > >
> > > -----Original Message-----
> > > From: John Matus [mailto:jmatus@pacbell.net]
> > > Sent: Friday, June 24, 2005 9:32 PM
> > > To: Ed Lui; Chris Lewis (chrlewis)
> > > Cc: gladston@br.ibm.com; ccielab@groupstudy.com
> > > Subject: Re: Voice VLAN - Access ports
> > >
> > > my ciscopress lab book is in the car...........but....
> > > i think it all depends on which type of phone you are using.
> > >
> > > i believe that the cheapy phones actually use the "switch
> > access vlan"
> > > for their traffic and a more expensive one <if i can remember
> > > correctly, the 7960 phone??> uses trunking.
> > >
> > >
> > > Regards,
> > >
> > > John D. Matus
> > > MCSE, CCNP
> > > Office: 818-782-2061
> > > Cell: 818-430-8372
> > > jmatus@pacbell.net
> > > ----- Original Message -----
> > > From: "Ed Lui" <edwlui@gmail.com>
> > > To: "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
> > > Cc: <gladston@br.ibm.com>; <ccielab@groupstudy.com>
> > > Sent: Friday, June 24, 2005 6:34 PM
> > > Subject: Re: Voice VLAN - Access ports
> > >
> > >
> > > > Chris,
> > > > It doesn't sound like what I learned from the DocCD. According to
> > > > the DocCD. Switch port connected to IPphone should be configured as
> > > > access port and NOT TRUNK. Take a look :
> > > > Voice VLAN Configuration Guidelines
> > > >
> > > > These are the voice VLAN configuration guidelines:
> > > >
> > > > - You should configure voice VLAN on switch access ports.
> > > > - Before you enable voice VLAN, we recommend that you enable QoS on
> > > >   the switch by entering the mls qos global configuration command and
> > > >   configure the port trust state to trust by entering the mls qos
> > > >   trust cos interface configuration command.
> > > > - The Port Fast feature is automatically enabled when voice VLAN is
> > > >   configured. When you disable voice VLAN, the Port Fast feature is
> > > >   not automatically disabled.
> > > > - When you enable port security on an interface that is also
> > > >   configured with a voice VLAN, you must set the maximum allowed
> > > >   secure addresses on the port to at least two.
> > > > - If any type of port security is enabled on the access VLAN,
> > > >   dynamic port security is automatically enabled on the voice VLAN.
> > > > - You cannot configure static secure or sticky secure MAC addresses
> > > >   on a voice VLAN.
> > > > - Voice VLAN ports can also be these port types:
> > > >   - Dynamic access port. See the "Configuring Dynamic Access Ports on
> > > >     VMPS Clients" section
> > > >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swvlan.htm#94106>
> > > >     for more information.
> > > >   - Secure port. See the "Configuring Port Security" section
> > > >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#86378>
> > > >     for more information.
> > > >   - 802.1X authenticated port. See the "Using 802.1X with Voice VLAN
> > > >     Ports" section
> > > >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/sw8021x.htm#50544>
> > > >     for more information.
> > > >   - Protected port. See the "Configuring Protected Ports" section
> > > >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#56161>
> > > >     for more information
> > > >
> > > > HTH,
> > > > Ed Lui
> > > >
> > > > On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
> > > >>
> > > >> This is a config that I believe works to make vlan 50 the voice
> > > >> vlan, and vlan 2 to be the data vlan, then sets data from the PC to
> > > >> CoS 0 and trusts CoS from the phone.
> > > >>
> > > >> Mls qos
> > > >>
> > > >> Vlan 50
> > > >> Name voice vlan
> > > >>
> > > >> Int fa0/16
> > > >> Switch access vlan 2
> > > >> Switch trunk encap dot1q
> > > >> Switch trunk native vlan 2
> > > >> Switch mode trunk
> > > >> Switch voice vlan 50
> > > >> switchport priority extend cos 0
> > > >> mls qos trust cos
> > > >>
> > > >> The switch access configuration in the interface defines what vlan
> > > >> the port belongs to if for some reason the port stops trunking. Voice
> > > >> vlan has to work on a trunk port for there to be traffic that are
> > > >> members of two vlans on it.
> > > >>
> > > >> It could be possible that the documentation you refer to is listing
> > > >> a restriction for configuring port security in addition to voice
> > > >> vlan, although I don't know for sure.
> > > >>
> > > >> Chris
> > > >>
> > > >> -----Original Message-----
> > > >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > >> gladston@br.ibm.com
> > > >> Sent: Wednesday, June 22, 2005 12:14 PM
> > > >> To: ccielab@groupstudy.com
> > > >> Subject: Voice VLAN - Access ports
> > > >>
> > > >> Hi,
> > > >>
> > > >> Looking for Port security information I read this:
> > > >>
> > > >> "Voice VLAN is only supported on access ports and not on trunk
> > > >> ports, even though the configuration is allowed"
> > > >>
> > > >> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swtrafc.htm#wp1038501
> > > >>
> > > >> Some time ago I was researching about this subject (if it would be
> > > >> allowed to configure an interface connected to an IPPhone with
> > > >> 'switchport mode trunk').
> > > >> One of the answers was 'yes'.
> > > >>
> > > >> Do you know if an IPPhone only works if the port is configured as
> > > >> access port?
> > > >> If yes, how does it work, considering the previous Cisco statement?
> > > >>
> > > >> Thanks for any feedback.
> > > >>
> > > >>
> > > >> _______________________________________________________________________
> > > >> Subscription information may be found at:
> > > >> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:45 GMT-3
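
Added example, not part of the original thread or any poster's code: a small audit of IOS-style interface stanzas that reports, for each port with a voice VLAN, which VLANs the port carries besides its data and voice VLANs. This is the difference between the pruned trunk, the unpruned trunk and the access-port style discussed above. The sample config is constructed from the configurations quoted in the thread; the function names are hypothetical, and ports without an explicit "switchport mode trunk" are assumed to be access ports.

```python
import re

# Constructed sample based on the three port styles in the thread:
# pruned trunk, unpruned trunk, and access port with a voice VLAN.
SAMPLE_CONFIG = """\
interface FastEthernet0/4
 switchport trunk native vlan 152
 switchport trunk allowed vlan 1,152,155,1002-1005
 switchport mode trunk
 switchport voice vlan 155
!
interface FastEthernet0/16
 switchport trunk native vlan 2
 switchport mode trunk
 switchport voice vlan 50
!
interface FastEthernet0/17
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 50
!
"""
ALL_VLANS = set(range(1, 4095))  # IOS default allowed list on a trunk: 1-4094
OPTION = re.compile(r"switchport (mode|voice vlan|access vlan|"
                    r"trunk native vlan|trunk allowed vlan) (\S+)")

def expand_vlans(spec):
    """Expand a plain IOS VLAN list such as '1,152,155,1002-1005' into a set."""
    if spec == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Return {interface name: {option: value}} for the options matched above."""
    ports, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        option = OPTION.match(line.strip())
        if header:
            current = ports.setdefault(header.group(1), {})
        elif line.startswith("!"):
            current = None
        elif current is not None and option:
            current[option.group(1)] = option.group(2)
    return ports

def audit_phone_ports(config):
    """Map each voice-VLAN port to the VLANs it carries beyond data + voice."""
    report = {}
    for name, opts in parse_interfaces(config).items():
        if not opts.get("voice vlan", "").isdigit():
            continue  # no voice VLAN, or dot1p/none/untagged: out of scope here
        voice = int(opts["voice vlan"])
        if opts.get("mode") == "trunk":
            data = int(opts.get("trunk native vlan", 1))
            carried = expand_vlans(opts.get("trunk allowed vlan", "all"))
        else:  # assumption: anything not explicitly a trunk is an access port
            data = int(opts.get("access vlan", 1))
            carried = {data, voice}
        report[name] = sorted(carried - {data, voice})
    return report
```

An empty list means the port carries only its data and voice VLANs; a trunk with no allowed-VLAN list reports every other VLAN in the 1-4094 range.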