RE: if voice phone supports 802.1q should i config the port as

From: Scott Morris (swm@emanon.com)
Date: Thu Jun 01 2006 - 10:02:12 ART


That's 'cause the coding guys caught up!
 
But not all switches support port-security on trunks. :)
 
It's worse than competition one-upping each other. It's the design guide
folks versus the programmers!

  _____

From: Petr Lapukhov [mailto:petrsoft@gmail.com]
Sent: Thursday, June 01, 2006 8:49 AM
To: swm@emanon.com
Cc: Victor Cappuccio; Vinu; Cisco certification
Subject: Re: if voice phone supports 802.1q should i config the port as
trunk

Yep, all the fun has gone :)

I used dot1q trunks back with 3500XL, and manually pruned all
unneeded stuff :) That was the only annoying stuff with trunk.

Now they seem to _prefer_ access-mode, though port-security
works fine with trunks too :)

Petr

2006/6/1, Scott Morris <swm@emanon.com>:

Where's the fun in that??? Actually, after a little poking around, you are
correct that you CAN use switchport mode access.. This was introduced as a
"fix", however.... Certain features, like port-security, require that you
be on an access port which defeats the purpose of trunking to your phone...
 
In THIS example, the voice-vlan command has the added effect of allowing
tagged traffic to only one vlan. Kinda obviates the trunking idea, but
allows it through exceptions. I guess the Voice Design Guide (calling for
port-security) initially got a bit ahead of the code development guys. :)

 

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 

  _____

From: Petr Lapukhov [mailto:petrsoft@gmail.com]
Sent: Thursday, June 01, 2006 1:00 AM
To: Scott Morris
Cc: Victor Cappuccio; Vinu; Cisco certification
Subject: Re: if voice phone supports 802.1q should i config the port as
trunk

Scott,

just to break the tie :) Let's ask Cisco's hardware:

SW1(config)#interface fastEthernet 0/21
SW1(config-if)#macro apply cisco-phone $access_vlan 10 $voice_vlan 200

SW1#sh running-config interface fastEthernet 0/21
Building configuration...

Current configuration : 734 bytes
!
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 wrr-queue bandwidth 10 20 70 1
 wrr-queue min-reserve 1 5
 wrr-queue min-reserve 2 6
 wrr-queue min-reserve 3 7
 wrr-queue min-reserve 4 8
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2 4
 wrr-queue cos-map 3 3 6 7
 wrr-queue cos-map 4 5
 priority-queue out
 spanning-tree portfast
 spanning-tree bpduguard enable

SW1#show parser macro name cisco-phone
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template

# macro keywords $access_vlan $voice_vlan

# VoIP enabled interface - Enable data VLAN
# and voice VLAN
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Update the Voice VLAN value which should be
# different from data VLAN
# Recommended value for voice vlan should not be 1
switchport voice vlan $voice_vlan

# Enable port security limiting port to a 3 MAC
# addressess -- One for desktop and two for phone
switchport port-security
switchport port-security maximum 3

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Enable auto-qos to extend trust to attached Cisco phone
auto qos voip cisco-phone

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable

HTH
Petr
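
Added example, not part of the original thread and not Cisco's code: a small audit that checks interface stanzas from a running-config against the settings the cisco-phone macro quoted above applies. The function names are hypothetical and the FastEthernet0/22 stanza is constructed for illustration.

```python
import re
# Constructed sample: Fa0/21 mirrors the stanza quoted in the thread; Fa0/22 is made up.
SAMPLE = """\
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/22
 switchport mode trunk
 switchport voice vlan 1
 switchport port-security maximum 10
"""

def parse_interfaces(text):
    """Split running-config text into {interface name: [config lines]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split(None, 1)[1].strip(), [])
        elif not raw.startswith(" "):      # "!" or any top-level line ends the stanza
            current = None
        elif current is not None:
            current.append(raw.strip())
    return stanzas

def audit_phone_port(lines):
    """List the ways one stanza departs from the cisco-phone macro settings."""
    def number(prefix):
        hits = [m for l in lines if (m := re.fullmatch(re.escape(prefix) + r" (\d+)", l))]
        return int(hits[-1].group(1)) if hits else None
    data, voice = number("switchport access vlan"), number("switchport voice vlan")
    return [msg for ok, msg in (
        ("switchport mode access" in lines, "port is not in access mode"),
        (data not in (None, 1), "access VLAN unset or 1"),
        (voice not in (None, 1) and voice != data, "voice VLAN unset, 1, or same as access VLAN"),
        ("switchport port-security" in lines, "port-security not enabled"),
        (number("switchport port-security maximum") == 3, "port-security maximum is not 3"),
        ("switchport port-security violation restrict" in lines, "violation mode is not restrict"),
        ("spanning-tree portfast" in lines and "spanning-tree bpduguard enable" in lines,
         "portfast or bpduguard missing"),
    ) if not ok]

def audit(text):
    return {name: audit_phone_port(cfg) for name, cfg in parse_interfaces(text).items()}
```

Calling audit(SAMPLE) returns an empty list for FastEthernet0/21 and seven findings for FastEthernet0/22.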



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART