RE: if voice phone supports 802.1q should i config the port as

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Thu Jun 01 2006 - 10:04:57 ART


So, since you have to use the switchport mode access when using port
security, I am assuming that this cannot be used when a phone is
attached (needing to use trunking)?

Dave Schulz,
Email: dschulz@dpsciences.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Thursday, June 01, 2006 8:44 AM
To: 'Petr Lapukhov'
Cc: 'Victor Cappuccio'; 'Vinu'; 'Cisco certification'
Subject: RE: if voice phone supports 802.1q should i config the port as
trunk

Where's the fun in that??? Actually, after a little poking around, you
are correct that you CAN use switchport mode access.. This was
introduced as a "fix", however.... Certain features, like
port-security, require that you be on an access port which defeats the
purpose of trunking to your phone...

In THIS example, the voice-vlan command has the added effect of allowing
tagged traffic to only one vlan. Kinda obviates the trunking idea, but
allows it through exceptions. I guess the Voice Design Guide (calling
for port-security) initially got a bit ahead of the code development
guys. :)
 
 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
JNCIE #153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 

  _____

From: Petr Lapukhov [mailto:petrsoft@gmail.com]
Sent: Thursday, June 01, 2006 1:00 AM
To: Scott Morris
Cc: Victor Cappuccio; Vinu; Cisco certification
Subject: Re: if voice phone supports 802.1q should i config the port as
trunk

Scott,

just to break the tie :) Let's ask Cisco's hardware:

SW1(config)#interface fastEthernet 0/21
SW1(config-if)#macro apply cisco-phone $access_vlan 10 $voice_vlan 200

SW1#sh running-config interface fastEthernet 0/21
Building configuration...

Current configuration : 734 bytes
!
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust device cisco-phone
 mls qos trust cos
 macro description cisco-phone
 auto qos voip cisco-phone
 wrr-queue bandwidth 10 20 70 1
 wrr-queue min-reserve 1 5
 wrr-queue min-reserve 2 6
 wrr-queue min-reserve 3 7
 wrr-queue min-reserve 4 8
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2 4
 wrr-queue cos-map 3 3 6 7
 wrr-queue cos-map 4 5
 priority-queue out
 spanning-tree portfast
 spanning-tree bpduguard enable

SW1#show parser macro name cisco-phone
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template

# macro keywords $access_vlan $voice_vlan

# VoIP enabled interface - Enable data VLAN
# and voice VLAN
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Update the Voice VLAN value which should be
# different from data VLAN
# Recommended value for voice vlan should not be 1
switchport voice vlan $voice_vlan

# Enable port security limiting port to a 3 MAC
# addressess -- One for desktop and two for phone
switchport port-security
switchport port-security maximum 3

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Enable auto-qos to extend trust to attached Cisco phone
auto qos voip cisco-phone

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable

HTH
Petr
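
An added example, not part of the original thread or of Cisco's macro: a small Python check that compares an interface stanza from show running-config against the settings the cisco-phone macro above applies (access mode, separate non-1 data and voice VLANs, port-security with at most 3 MACs, BPDU guard). The function name, the finding strings and both sample stanzas are constructed for illustration.

```python
import re
# Constructed sample stanzas modelled on the FastEthernet0/21 output above.
GOOD = """\
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 3
 switchport port-security
 spanning-tree bpduguard enable
"""
WEAK = """\
interface FastEthernet0/22
 switchport access vlan 1
 switchport mode trunk
 switchport voice vlan 1
 switchport port-security maximum 10
"""

def audit_phone_port(stanza, max_macs=3):
    """Return findings for one interface stanza; an empty list matches the macro."""
    lines = [l.strip() for l in stanza.splitlines() if l.strip()]
    def value(pattern):
        for l in lines:
            m = re.fullmatch(pattern, l)
            if m:
                return int(m.group(1))
        return None
    access = value(r"switchport access vlan (\d+)")
    voice = value(r"switchport voice vlan (\d+)")
    limit = value(r"switchport port-security maximum (\d+)")
    findings = []
    if "switchport mode access" not in lines:
        findings.append("not an access port")
    if access in (None, 1):
        findings.append("access VLAN unset or 1")
    if voice in (None, 1):
        findings.append("voice VLAN unset or 1")
    elif voice == access:
        findings.append("voice VLAN equals data VLAN")
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    # No 'maximum' line means the port-security default of 1 is in effect.
    if (limit or 1) > max_macs:
        findings.append(f"port-security maximum above {max_macs}")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append("BPDU guard missing")
    return findings

print(audit_phone_port(WEAK))
```
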



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART