From: Petr Lapukhov (petrsoft@gmail.com)
Date: Thu Jun 01 2006 - 10:09:38 ART
Dave,
With Catalyst 3550 port-security works fine on trunk ports, as well as with
voice-vlan enabled ports. Just check how the voice-port macro configures
port-security parameters.
HTH
Petr
2006/6/1, Schulz, Dave <DSchulz@dpsciences.com>:
>
> So, since you have to use the switchport mode access when using port security, I am assuming that this cannot be used when a phone is attached (needing to use trunking)?
>
>
> Dave Schulz,
> Email: dschulz@dpsciences.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Thursday, June 01, 2006 8:44 AM
> To: 'Petr Lapukhov'
> Cc: 'Victor Cappuccio'; 'Vinu'; 'Cisco certification'
> Subject: RE: if voice phone supports 802.1q should i config the port as trunk
>
> Where's the fun in that??? Actually, after a little poking around, you are correct that you CAN use switchport mode access.. This was introduced as a "fix", however.... Certain features, like port-security, require that you be on an access port which defeats the purpose of trunking to your phone...
>
> In THIS example, the voice-vlan command has the added effect of allowing tagged traffic to only one vlan. Kinda obviates the trunking idea, but allows it through exceptions. I guess the Voice Design Guide (calling for port-security) initially got a bit ahead of the code development guys. :)
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE #153, CISSP, et al.
> CCSI/JNCI
> IPExpert CCIE Program Manager
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
> _____
>
> From: Petr Lapukhov [mailto:petrsoft@gmail.com]
> Sent: Thursday, June 01, 2006 1:00 AM
> To: Scott Morris
> Cc: Victor Cappuccio; Vinu; Cisco certification
> Subject: Re: if voice phone supports 802.1q should i config the port as trunk
>
>
> Scott,
>
> just to break the tie :) Let's ask Cisco's hardware:
>
> SW1(config)#interface fastEthernet 0/21
> SW1(config-if)#macro apply cisco-phone $access_vlan 10 $voice_vlan 200
>
> SW1#sh running-config interface fastEthernet 0/21
> Building configuration...
>
> Current configuration : 734 bytes
> !
> interface FastEthernet0/21
> switchport access vlan 10
> switchport mode access
> switchport voice vlan 200
> switchport port-security maximum 3
> switchport port-security
> switchport port-security aging time 2
> switchport port-security violation restrict
> switchport port-security aging type inactivity
> mls qos trust device cisco-phone
> mls qos trust cos
> macro description cisco-phone
> auto qos voip cisco-phone
> wrr-queue bandwidth 10 20 70 1
> wrr-queue min-reserve 1 5
> wrr-queue min-reserve 2 6
> wrr-queue min-reserve 3 7
> wrr-queue min-reserve 4 8
> wrr-queue cos-map 1 0 1
> wrr-queue cos-map 2 2 4
> wrr-queue cos-map 3 3 6 7
> wrr-queue cos-map 4 5
> priority-queue out
> spanning-tree portfast
> spanning-tree bpduguard enable
>
> SW1#show parser macro name cisco-phone
> Macro name : cisco-phone
> Macro type : default interface
> # Cisco IP phone + desktop template
>
> # macro keywords $access_vlan $voice_vlan
>
> # VoIP enabled interface - Enable data VLAN
> # and voice VLAN
> # Recommended value for access vlan should not be 1
> switchport access vlan $access_vlan
> switchport mode access
>
> # Update the Voice VLAN value which should be
> # different from data VLAN
> # Recommended value for voice vlan should not be 1
> switchport voice vlan $voice_vlan
>
> # Enable port security limiting port to a 3 MAC
> # addressess -- One for desktop and two for phone
> switchport port-security
> switchport port-security maximum 3
>
> # Ensure port-security age is greater than one minute
> # and use inactivity timer
> switchport port-security violation restrict
> switchport port-security aging time 2
> switchport port-security aging type inactivity
>
> # Enable auto-qos to extend trust to attached Cisco phone
> auto qos voip cisco-phone
>
> # Configure port as an edge network port
> spanning-tree portfast
> spanning-tree bpduguard enable
>
> HTH
> Petr
>
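An added example, not from anyone in this thread: a small Python audit that parses IOS interface stanzas and flags voice-VLAN ports missing the port-security settings the cisco-phone macro applies above. The first interface is the FastEthernet0/21 stanza from the thread; FastEthernet0/22 is a constructed, non-compliant port.

```python
# Constructed sample: the thread's FastEthernet0/21 stanza plus a hypothetical
# FastEthernet0/22 that carries a voice VLAN but lacks most macro settings.
SAMPLE_CONFIG = """\
interface FastEthernet0/21
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/22
 switchport mode access
 switchport voice vlan 200
 switchport port-security
!
"""

# Settings the cisco-phone macro applies; a voice-VLAN port lacking any is flagged.
EXPECTED = {
    "mode": "switchport mode access",
    "port-security": "switchport port-security",
    "max 3": "switchport port-security maximum 3",
    "violation restrict": "switchport port-security violation restrict",
    "aging inactivity": "switchport port-security aging type inactivity",
    "bpduguard": "spanning-tree bpduguard enable",
}

def parse_interfaces(config):
    """Return {interface name: set of its indented config lines, stripped}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif current and line.startswith(" "):
            interfaces[current].add(line.strip())
    return interfaces

def audit_voice_ports(config):
    """For every interface with a voice VLAN, list the expected settings it lacks."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport voice vlan ") for l in lines):
            continue  # data-only ports are out of scope for this check
        findings[name] = [k for k, cmd in EXPECTED.items() if cmd not in lines]
    return findings
```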
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART