RE: Voice VLAN - Access ports

From: Larry Letterman (lletterm) (lletterm@cisco.com)
Date: Tue Jun 28 2005 - 02:54:47 GMT-3


Ed,

I use the 'allowed vlans' command because I only want vlan 151 for data
and vlan 152 for voice..
I don't need other vlans on the port, so I use the 'allow vlans' to only
pass what I need.. If I don't use that command the port will trunk and
pass all vlans on the building network by default..

By using the below config I would be allowing one data vlan, and one
voice vlan..

interface FastEthernet0/1
 ! data vlan
 switchport access vlan 5
 switchport mode access
 ! voice vlan
 switchport voice vlan 10
 no ip address
 spanning-tree portfast

##################################
Larry Letterman
Cisco Systems Inc.
##################################

________________________________

From: Ed Lui [mailto:edwlui@gmail.com]
Sent: Tuesday, June 28, 2005 12:28 AM
To: Larry Letterman (lletterm)
Cc: gladston@br.ibm.com; Chris Lewis (chrlewis); ccielab@groupstudy.com;
John Matus
Subject: Re: Voice VLAN - Access ports

Larry,

Forget my last post. I was thinking it in a different way. I think the
reason why you put "allowed vlan" is to stop traffic from other vlan
going to the phone port since it is configured as trunk. Looks like
there is no benefit to configure it as trunk port. Because the access
port (still trunk) configuration doesn't even have to deal with other
vlans coming into the port. Agree?

Thanks,
Ed Lui

On 6/27/05, Ed Lui <edwlui@gmail.com> wrote:

        Larry,

        Thanks! It is much more clear now. But I am thinking, since you
        have the trunk port configuration + allowed vlan(s) across the
        trunk. My question is:

        1. A trunk link can be connected to the phone's PC port with
           trunk configuration on the switch port?
        2. With just the access mode configuration (without any trunk
           configuration), no vlan(s) will be allowed other than the
           voice vlan and access vlan? Is it the difference between the
           trunk configuration and access port configuration?

        Ed Lui

        On 6/27/05, Larry Letterman (lletterm) <lletterm@cisco.com> wrote:

                Ed,

                This is one of our switches using the trunk method...

                interface FastEthernet0/4
                switchport trunk encapsulation dot1q
                switchport trunk native vlan 152
                switchport trunk allowed vlan 1,152,155,1002-1005
                switchport mode trunk
                switchport voice vlan 155
                no ip address
                spanning-tree portfast
                !

                ##################################
                Larry Letterman
                Cisco Systems Inc.
                ##################################

                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
                On Behalf Of Larry Letterman (lletterm)
                Sent: Monday, June 27, 2005 10:51 PM
                To: Ed Lui
                Cc: gladston@br.ibm.com; Chris Lewis (chrlewis);
                ccielab@groupstudy.com; John Matus
                Subject: RE: Voice VLAN - Access ports

                when we introduced the ip voice platform, they came up
                with the aux vlan command..
                plain and simple, it allows the ethernet port to carry 2
                vlans, which is just a trunk port in disguise...to my
                knowledge you cannot carry more than 1 vlan across
                ethernet ports without trunking the port somehow...

                The ios based switches, c3550 and C6500, can either
                trunk the vlans or use access switchport settings and
                voice vlan commands...in my networks, I use the
                switchport access and voice vlan for my ios based
                telephony switches...

                the difference is that access ports are for carrying 1
                vlan or subnet data and trunk ports are for carrying two
                or more vlans/subnets on that port...

                ##################################
                Larry Letterman
                Cisco Systems Inc.
                ##################################

                ________________________________

                From: Ed Lui [mailto:edwlui@gmail.com]
                Sent: Monday, June 27, 2005 10:35 PM
                To: Larry Letterman (lletterm)
                Cc: gladston@br.ibm.com; Chris Lewis (chrlewis);
                ccielab@groupstudy.com; John Matus
                Subject: Re: Voice VLAN - Access ports

                Thanks Larry. Any idea what is the difference between
                the trunk and access?

                On 6/27/05, Larry Letterman (lletterm)
                <lletterm@cisco.com> wrote:

                        It works either way...

                        The ios command for voice vlan does the same
                        thing that Aux vlans does for catos...

                        Or you can use the trunk command in ios switches
                        to trunk more than one vlan....

                        ##################################
                        Larry Letterman
                        Cisco Systems Inc.
                        ##################################

                        -----Original Message-----
                        From: nobody@groupstudy.com
                        [mailto:nobody@groupstudy.com] On Behalf Of Ed Lui
                        Sent: Monday, June 27, 2005 9:44 PM
                        To: gladston@br.ibm.com
                        Cc: Chris Lewis (chrlewis);
                        ccielab@groupstudy.com; John Matus
                        Subject: Re: Voice VLAN - Access ports

                        Gladston,

                        No doubt. There is NO ONE document can prove if
                        it is correct or not. As I mentioned in previous
                        post. Access port carries traffic for more than
                        1 vlan is not what most people learned. But this
                        is what I found from cisco documentation and not
                        just one. I checked both 3550 and 6500 (voice
                        vlan=aux vlan) configuration from cisco.com
                        <http://cisco.com>. Plus I (myself) actually
                        labbed it up with 3550EMI+7960phone. Well, did I
                        overlook something? It is possible. I am not a
                        Network Engineer but really want to figure out
                        the technology. So far, I know both trunk port
                        and access port work as well.

                        Actually, I keep thinking about the pros and
                        cons for both. What is the advantage,
                        overhead...etc. Like Brian Dennis said in one of
                        the online seminars. I truly agree, understand
                        the technology is the key point. Passing the lab
                        is important. I don't feel good to myself if I
                        get a chance to hold a number but don't know
                        what myself is doing. Wish Chris Lewis can find
                        out for us.

                        :)
                        Ed Lui
                        P.S. Technology is changing every day. The
                        standard is based upon the creator. Who knows if
                        one day access port can carry no more than 5
                        vlans. It is all up to the creator.

                        On 6/27/05, gladston@br.ibm.com
                        <gladston@br.ibm.com> wrote:
>
> Thanks for this invaluable feedback.
>
> Looking at Maurilio's book, page 96, as Chris pointed:
>
> Would you agree with the author statement "Ensure...that the native
> vlan is 2".
> As I see it, it is not necessary to configure native vlan (to have
> vlan 2 for data and vlan 50 for voice). One could let the native vlan
> as default, configure the voice vlan to 50 and the data vlan to 2.
>
> Do you see any reason to configure native vlan to the same vlan as the
> data vlan? (my point is that as 7960 talks dot1q, it can tag data vlan
> to any value)
>
> Have you seen voice vlan configured on an access port? (I am asking
> this because on the last time I posted this subject - sorry to post it
> again, but it was not clear - a guy said it was possible). I argued:
> "How would the voice vlan be transported if there is no dot1Q?"
> (similar as Chris explained) and the guy answered that it was an
> exception.
> It is hard to understand when the hardware is not available to test :)
>
> Cordially
>
> ------------------------------------------------------------------
> Gladston
>
> *"Chris Lewis (chrlewis)" <chrlewis@cisco.com>*
>
> 25/06/2005 12:31
> To: "Ed Lui" <edwlui@gmail.com>
> cc: "John Matus" <jmatus@pacbell.net>, Alaerte Gladston
> Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
> Subject: RE: Voice VLAN - Access ports
>
> Hi Ed,
>
> Thanks for the reply, this has been a valuable exchange for me, as it
> has made me rethink some things. However, please consider that Cisco
> documentation on the web is imperfect, sometimes it is accurate from
> one point of view, but can easily lead to incorrect conclusions, and
> sometimes it is flat out wrong and won't work (my favorite current
> example is the configuration for Outbound Route Filtering, it is
> missing the reference to the prefix list, without which it does not
> work). Cisco documentation on the web is a tremendous resource, but it
> should only be taken as a guide for what the starting point for
> configuration in a lab should be IMHO.
>
> The best configuration example I have seen of voice vlan comes from
> Maurilio Gorito's routing and switching practice lab book by Cisco
> press. In practice lab 2, configurations are shown for connecting a
> 7960 that does trunking, and a 7905 that does not do trunking.
>
> The port connecting to a 7960 is configured for trunking, and the port
> connected to the 7905 is not. This is given on p96
>
> 3550 config for 7960 phone
> int fa0/16
> switchport access vlan 2
> switchport trunk encapsulation dot1q
> switchport trunk native vlan 2
> switchport mode trunk
> switchport voice vlan 50
> no ip address
> duplex full
> speed 100
> spanning-tree portfast
>
> 3550 config for 7905 phone
> int fa0/17
> switchport access vlan 50
> no ip address
> duplex half
> speed 10
>
> The explanation is given as follows:
>
> The 7960 has the capability to trunk to the 3550 as it has an on-board
> 3 port switch and can separate the voice and data traffic
> appropriately. The 7905 phone only has 10 base T and needs manual
> insertion in to the voice vlan. Ensure that the port connecting to the
> 7960 is configured as a trunk using dot1q and that the native vlan is
> 2.
>
> If you also look at the Cisco Press book Cisco Catalyst QoS, by
> Flanagan et al, on page 63 you see the following:
>
> "Through the use of dot1q trunks, voice traffic from an IP phone
> connected to an access port can reside on a separate VLAN and subnet.
> The workstation attached to the Ip phone might still reside on the
> access, or native VLAN........Subsequently, with the use of voice
> VLANs, all traffic is tagged to and from the Cisco IP phone and
> Catalyst switch."
>
> Now one could argue that things like portfast are not needed for a
> trunk mode in this configuration, and I would agree, but that is what
> Maurilio gave in his book, and likely what they would be looking for
> on the lab exam, which is the purpose of this list :)
>
> I think there are at least two sources of confusion in this
> documentation.
> First is that not all IP phones are created equal, some do trunking
> and some don't. The other is a potential dual use of the phrase access
> port. In some contexts it can mean a non trunking port, in others it
> can mean an ethernet port (which can be configured for trunking or
> non-trunking).
>
> Cheers
>
> Chris
> ------------------------------
>
>
> *From:* Ed Lui [mailto:edwlui@gmail.com]
> *Sent:* Saturday, June 25, 2005 12:27 AM
> *To:* Chris Lewis (chrlewis)
> *Cc:* John Matus; gladston@br.ibm.com; ccielab@groupstudy.com
> *Subject:* Re: Voice VLAN - Access ports
>
> Chris,
>
> I have been struggling about 2 vlans on an access port for a while. I
> know it works with either access port or trunk port let say with a
> 7960. What I understand is, an access port can not carry traffic for
> more than 1 vlan.
> Somehow, the documentation told me voice vlan is an exception. Then I
> labbed it up myself (3550 EMI + 7960). The result is an access port can
> carry data on one vlan and voice on another within the same access
> port. And that is what the documentation said, too.
>
> Consider those underlined below. Portfast is for access port and not
> for trunk port.
>
>
> *Voice VLAN Configuration Guidelines*
>
> These are the voice VLAN configuration guidelines:
>
> - *You should configure voice VLAN on switch access ports.*
> - Before you enable voice VLAN, we recommend that you enable QoS on
>   the switch by entering the mls qos global configuration command and
>   configure the port trust state to trust by entering the mls qos
>   trust cos interface configuration command.
> - *The Port Fast feature is automatically enabled when voice VLAN is
>   configured*. When you disable voice VLAN, the Port Fast feature is
>   not automatically disabled.
>
>
> Per your config :
> Int fa0/16
> Switch access vlan 2
> Switch trunk encap dot1q <---to be removed----->
> Switch trunk native vlan 2 <---to be removed----->
> Switch mode trunk <---to be removed----->
> Switch voice vlan 50
> switchport priority extend cos 0
> mls qos trust cos < or "mls qos trust device cisco-phone" should also work >
>
> It works with those lines removed. But also WORKS WITH THOSE LINES. I
> am so confused about the configurations. Wish someone can explain the
> Pros and Cons between the 2. Finally, I also have the same book you
> guys have and understand it says trunk port configuration needs to be
> included. On the other hand, documentation from cisco.com
> <http://cisco.com> said access port.
>
> :)
> Ed Lui
>
>
>
>
>
>
> On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
>
> Hi,
>
> John, that is correct, the 7960 uses trunking, the cheaper ones do
> not.
>
> Ed, my question to you is if you are told to configure a switch port
> to have voice traffic from the phone in vlan 50 and data traffic from
> a PC attached to the phone in vlan 2, how can you do that without
> configuring trunking on the port? Clearly you would not want data
> traffic from the PC in the same vlan as the voice traffic, otherwise it
> ceases to be a voice vlan :)
>
> Chris
>
> -----Original Message-----
> From: John Matus [mailto:jmatus@pacbell.net]
> Sent: Friday, June 24, 2005 9:32 PM
> To: Ed Lui; Chris Lewis (chrlewis)
> Cc: gladston@br.ibm.com; ccielab@groupstudy.com
> Subject: Re: Voice VLAN - Access ports
>
> my ciscopress lab book is in the car...........but....
> i think it all depends on which type of phone you are using.
>
> i believe that the cheapy phones actually use the "switch access vlan"
> for their traffic and a more expensive one <if i can remember
> correctly, the 7960 phone??> uses trunking.
>
>
> Regards,
>
> John D. Matus
> MCSE, CCNP
> Office: 818-782-2061
> Cell: 818-430-8372
> jmatus@pacbell.net
> ----- Original Message -----
> From: "Ed Lui" <edwlui@gmail.com>
> To: "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
> Cc: <gladston@br.ibm.com>; <ccielab@groupstudy.com>
> Sent: Friday, June 24, 2005 6:34 PM
> Subject: Re: Voice VLAN - Access ports
>
>
> > Chris,
> > It doesn't sound like what I learned from the DocCD. According to
> > the DocCD. Switch port connected to IPphone should be configured as
> > access port and NOT TRUNK. Take a look :
> > Voice VLAN Configuration Guidelines
> >
> > These are the voice VLAN configuration guidelines:
> >
> > - You should configure voice VLAN on switch access ports.
> > - Before you enable voice VLAN, we recommend that you enable QoS on
> >   the switch by entering the mls qos global configuration command and
> >   configure the port trust state to trust by entering the mls qos
> >   trust cos interface configuration command.
> > - The Port Fast feature is automatically enabled when voice VLAN is
> >   configured. When you disable voice VLAN, the Port Fast feature is
> >   not automatically disabled.
> > - When you enable port security on an interface that is also
> >   configured with a voice VLAN, you must set the maximum allowed
> >   secure addresses on the port to at least two.
> > - If any type of port security is enabled on the access VLAN,
> >   dynamic port security is automatically enabled on the voice VLAN.
> > - You cannot configure static secure or sticky secure MAC addresses
> >   on a voice VLAN.
> > - Voice VLAN ports can also be these port types:
> >   - Dynamic access port. See the "Configuring Dynamic Access Ports on
> >     VMPS Clients" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swvlan.htm#94106>
> >     for more information.
> >   - Secure port. See the "Configuring Port Security" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#86378>
> >     for more information.
> >   - 802.1X authenticated port. See the "Using 802.1X with Voice VLAN
> >     Ports" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/sw8021x.htm#50544>
> >     for more information.
> >   - Protected port. See the "Configuring Protected Ports" section
> >     <http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12114ea1/3550scg/swtrafc.htm#56161>
> >     for more information
> >
> > HTH,
> > Ed Lui
> >
> > On 6/24/05, Chris Lewis (chrlewis) <chrlewis@cisco.com> wrote:
> >>
> >> This is a config that I believe works to make vlan 50 the voice
> >> vlan, and vlan 2 to be the data vlan, then sets data from the PC to
> >> CoS 0 and trusts CoS from the phone.
> >>
> >> Mls qos
> >>
> >> Vlan 50
> >> Name voice vlan
> >>
> >> Int fa0/16
> >> Switch access vlan 2
> >> Switch trunk encap dot1q
> >> Switch trunk native vlan 2
> >> Switch mode trunk
> >> Switch voice vlan 50
> >> switchport priority extend cos 0
> >> mls qos trust cos
> >>
> >> The switch access configuration in the interface defines what vlan
> >> the port belongs to if for some reason the port stops trunking.
> >> Voice vlan has to work on a trunk port for there to be traffic that
> >> are members of two vlans on it.
> >>
> >> It could be possible that the documentation you refer to is listing
> >> a restriction for configuring port security in addition to voice
> >> vlan, although I don't know for sure.
> >>
> >> Chris
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> >> On Behalf Of gladston@br.ibm.com
> >> Sent: Wednesday, June 22, 2005 12:14 PM
> >> To: ccielab@groupstudy.com
> >> Subject: Voice VLAN - Access ports
> >>
> >> Hi,
> >>
> >> Looking for Port security information I read this:
> >>
> >> "Voice VLAN is only supported on access ports and not on trunk
> >> ports, even though the configuration is allowed"
> >>
> >> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swtrafc.htm#wp1038501
> >>
> >> Some time ago I was researching about this subject (if it would be
> >> allowed to configure an interface connected to an IPPhone with
> >> 'switchport mode trunk').
> >> One of the answers was 'yes'.
> >>
> >> Do you know if an IPPhone only works if the port is configured as
> >> access port?
> >> If yes, how does it work, considering the previous Cisco statement?
> >>
> >> Thanks for any feedback.
> >>
> >>
>
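
Added example (not part of the original thread, and not Cisco tooling): a small Python audit that works out which VLANs each of the phone-port configurations quoted above would carry, showing that the access + voice VLAN port passes only two VLANs while a trunk without 'switchport trunk allowed vlan' passes all of them. The function names and the ALL marker are hypothetical; the stanzas are copied from the thread as constructed sample input, and ports not in trunk mode are assumed to be access ports.

```python
import re

# Constructed sample input: three phone-port stanzas as quoted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 5
 switchport mode access
 switchport voice vlan 10
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 152
 switchport trunk allowed vlan 1,152,155,1002-1005
 switchport mode trunk
 switchport voice vlan 155
!
interface FastEthernet0/16
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 switchport voice vlan 50
"""

ALL_VLANS = "ALL"  # hypothetical marker: trunk with no allowed-VLAN restriction
SETTING = re.compile(r"\s+switchport\s+(mode|access vlan|voice vlan|"
                     r"trunk native vlan|trunk allowed vlan)\s+(\S+)")

def expand_vlans(spec):
    """Turn an allowed-VLAN list such as '1,152,1002-1005' into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(text):
    """Return {interface name: {setting: value}} for the switchport lines."""
    ports, current = {}, None
    for line in text.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        setting = SETTING.match(line)
        if header:
            current = ports.setdefault(header.group(1), {})
        elif setting and current is not None:
            current[setting.group(1)] = setting.group(2)
    return ports

def audit_port(cfg):
    """Return (carried, extra): VLANs the port passes, and those beyond data+voice."""
    voice = {int(cfg["voice vlan"])} if "voice vlan" in cfg else set()
    if cfg.get("mode") == "trunk":
        allowed = cfg.get("trunk allowed vlan", "all")
        if allowed == "all":              # IOS default: every VLAN is trunked
            return ALL_VLANS, ALL_VLANS
        data = {int(cfg.get("trunk native vlan", 1))}
        carried = set() if allowed == "none" else expand_vlans(allowed)
    else:                                 # assumption: non-trunk treated as access
        data = {int(cfg.get("access vlan", 1))}
        carried = data | voice
    return carried, carried - data - voice

def audit(text):
    return {name: audit_port(cfg) for name, cfg in parse_interfaces(text).items()}

if __name__ == "__main__":
    for name, (carried, extra) in audit(SAMPLE_CONFIG).items():
        print(name, "carries:", carried, "beyond data+voice:", extra)
```

On the sample, FastEthernet0/1 carries only VLANs 5 and 10, FastEthernet0/4 carries its allowed list (VLANs 1 and 1002-1005 in addition to native 152 and voice 155), and FastEthernet0/16 is reported as carrying all VLANs.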



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:45 GMT-3