Re: if voice phone supports 802.1q should i config the port as

From: Petr Lapukhov (petrsoft@gmail.com)
Date: Thu Jun 01 2006 - 09:48:47 ART


Yep, all the fun has gone :)

I used dot1q trunks back with 3500XL, and manually pruned all
unneeded stuff :) That was the only annoying stuff with trunk.

Now they seem to _prefer_ access-mode, though port-security
works fine with trunks too :)

Petr

2006/6/1, Scott Morris <swm@emanon.com>:
>
> Where's the fun in that??? Actually, after a little poking around, you
> are correct that you CAN use switchport mode access.. This was introduced
> as a "fix", however.... Certain features, like port-security, require that
> you be on an access port which defeats the purpose of trunking to your
> phone...
>
> In THIS example, the voice-vlan command has the added effect of allowing
> tagged traffic to only one vlan. Kinda obviates the trunking idea, but
> allows it through exceptions. I guess the Voice Design Guide (calling for
> port-security) initially got a bit ahead of the code development guys. :)
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
> ------------------------------
> *From:* Petr Lapukhov [mailto:petrsoft@gmail.com]
> *Sent:* Thursday, June 01, 2006 1:00 AM
> *To:* Scott Morris
> *Cc:* Victor Cappuccio; Vinu; Cisco certification
> *Subject:* Re: if voice phone supports 802.1q should i config the port as
> trunk
>
> Scott,
>
> just to break the tie :) Let's ask Cisco's hardware:
>
> SW1(config)#interface fastEthernet 0/21
> SW1(config-if)#macro apply cisco-phone $access_vlan 10 $voice_vlan 200
>
> SW1#sh running-config interface fastEthernet 0/21
> Building configuration...
>
> Current configuration : 734 bytes
> !
> interface FastEthernet0/21
> switchport access vlan 10
> switchport mode access
> switchport voice vlan 200
> switchport port-security maximum 3
> switchport port-security
> switchport port-security aging time 2
> switchport port-security violation restrict
> switchport port-security aging type inactivity
> mls qos trust device cisco-phone
> mls qos trust cos
> macro description cisco-phone
> auto qos voip cisco-phone
> wrr-queue bandwidth 10 20 70 1
> wrr-queue min-reserve 1 5
> wrr-queue min-reserve 2 6
> wrr-queue min-reserve 3 7
> wrr-queue min-reserve 4 8
> wrr-queue cos-map 1 0 1
> wrr-queue cos-map 2 2 4
> wrr-queue cos-map 3 3 6 7
> wrr-queue cos-map 4 5
> priority-queue out
> spanning-tree portfast
> spanning-tree bpduguard enable
>
> SW1#show parser macro name cisco-phone
> Macro name : cisco-phone
> Macro type : default interface
> # Cisco IP phone + desktop template
>
> # macro keywords $access_vlan $voice_vlan
>
> # VoIP enabled interface - Enable data VLAN
> # and voice VLAN
> # Recommended value for access vlan should not be 1
> switchport access vlan $access_vlan
> switchport mode access
>
> # Update the Voice VLAN value which should be
> # different from data VLAN
> # Recommended value for voice vlan should not be 1
> switchport voice vlan $voice_vlan
>
> # Enable port security limiting port to a 3 MAC
> # addressess -- One for desktop and two for phone
> switchport port-security
> switchport port-security maximum 3
>
> # Ensure port-security age is greater than one minute
> # and use inactivity timer
> switchport port-security violation restrict
> switchport port-security aging time 2
> switchport port-security aging type inactivity
>
> # Enable auto-qos to extend trust to attached Cisco phone
> auto qos voip cisco-phone
>
> # Configure port as an edge network port
> spanning-tree portfast
> spanning-tree bpduguard enable
>
> HTH
> Petr
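
Added example (not part of the original thread, and not Cisco's code): a Python check that compares one interface block against the settings the cisco-phone macro quoted above applies. The function name, the finding strings and the trimmed sample block are constructed for illustration, and the rule set is an assumption drawn from the macro's own comments.

```python
import re

# Constructed sample: the Fa0/21 block from the thread with the QoS lines omitted.
SAMPLE = """\
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

def audit_phone_port(block: str) -> list[str]:
    """Return deviations from the cisco-phone macro; an empty list means none found."""
    lines = [l.strip() for l in block.splitlines() if l.strip()]
    def value(pattern):  # captured group, True for a bare match, None if absent
        for l in lines:
            m = re.fullmatch(pattern, l)
            if m:
                return m.group(1) if m.groups() else True
        return None
    findings = []
    access = value(r"switchport access vlan (\d+)")
    voice = value(r"switchport voice vlan (\d+)")
    if not value(r"switchport mode access"):
        findings.append("port is not in access mode")
    if access in (None, "1"):
        findings.append("access VLAN unset or VLAN 1")
    if voice in (None, "1"):
        findings.append("voice VLAN unset or VLAN 1")
    elif voice == access:
        findings.append("voice VLAN equals data VLAN")
    if not value(r"switchport port-security"):
        findings.append("port-security not enabled")
    maximum = value(r"switchport port-security maximum (\d+)")
    if maximum is None or int(maximum) > 3:
        findings.append("port-security maximum missing or above 3")
    if value(r"switchport port-security violation (\w+)") == "protect":
        findings.append("violation mode protect drops frames without logging")
    if value(r"switchport port-security aging type (\w+)") != "inactivity":
        findings.append("aging type is not inactivity")
    if not value(r"spanning-tree bpduguard enable"):
        findings.append("BPDU guard not enabled")
    return findings
```

Feed it one `interface` block at a time from `show running-config`; an unconfigured violation mode is treated as the IOS default (shutdown) and is not reported.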



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART