RE: if voice phone supports 802.1q should i config the port as

From: Scott Morris (swm@emanon.com)
Date: Thu Jun 01 2006 - 10:10:13 ART


CDP has always been leveraged for this (the original use of the "voice vlan"
command).
 
The old vs. new way is whether you're letting it be trunk (3550's do this
dynamically by default) or setting in access mode. Access mode DOES allow
easier configuration since tagged frames are ignored instead of the old days
where we had to manually restrict each trunk to the data + voice vlan
(boring stuff). In the new way, CDP is also used to have an exception list
to the normal method of access mode where tagged frames are ignored.
 
Port security NOW works with trunks or access ports, but it's more recent.
And not on all switches AFAIK.

  _____

From: Chris Lewis [mailto:chrlewiscsco@gmail.com]
Sent: Thursday, June 01, 2006 9:05 AM
To: Scott Morris
Cc: Petr Lapukhov; Victor Cappuccio; Vinu; Cisco certification
Subject: Re: if voice phone supports 802.1q should i config the port as trunk

Scott,
 
I don't understand what you mean by this post. There are two ways of
configuring voice vlan, the old and new, the old explicitly configures the
port as a trunk, the new leverages CDP to exchange vlan information between
the switch and phone. Both end up in the switch port trunking. This is
easily seen if you configure both options on a router and issue the show int
f0/5 switchport command.
 
Port security will work for either configuration, with the caveat that you
need to increase the number of secure addresses by 2.
 
Chris

 
On 6/1/06, Scott Morris <swm@emanon.com> wrote:

Where's the fun in that??? Actually, after a little poking around, you are
correct that you CAN use switchport mode access. This was introduced as a
"fix", however... Certain features, like port-security, require that you
be on an access port, which defeats the purpose of trunking to your phone...

In THIS example, the voice-vlan command has the added effect of allowing
tagged traffic to only one vlan. Kinda obviates the trunking idea, but
allows it through exceptions. I guess the Voice Design Guide (calling for
port-security) initially got a bit ahead of the code development guys. :)

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com

_____

From: Petr Lapukhov [mailto:petrsoft@gmail.com]
Sent: Thursday, June 01, 2006 1:00 AM
To: Scott Morris
Cc: Victor Cappuccio; Vinu; Cisco certification
Subject: Re: if voice phone supports 802.1q should i config the port as trunk

Scott,

just to break the tie :) Let's ask Cisco's hardware:

SW1(config)#interface fastEthernet 0/21
SW1(config-if)#macro apply cisco-phone $access_vlan 10 $voice_vlan 200

SW1#sh running-config interface fastEthernet 0/21
Building configuration...

Current configuration : 734 bytes
!
interface FastEthernet0/21
switchport access vlan 10
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
auto qos voip cisco-phone
wrr-queue bandwidth 10 20 70 1
wrr-queue min-reserve 1 5
wrr-queue min-reserve 2 6
wrr-queue min-reserve 3 7
wrr-queue min-reserve 4 8
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
priority-queue out
spanning-tree portfast
spanning-tree bpduguard enable

SW1#show parser macro name cisco-phone
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template

# macro keywords $access_vlan $voice_vlan

# VoIP enabled interface - Enable data VLAN
# and voice VLAN
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Update the Voice VLAN value which should be
# different from data VLAN
# Recommended value for voice vlan should not be 1
switchport voice vlan $voice_vlan

# Enable port security limiting port to a 3 MAC
# addressess -- One for desktop and two for phone
switchport port-security
switchport port-security maximum 3

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Enable auto-qos to extend trust to attached Cisco phone
auto qos voip cisco-phone

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable

HTH
Petr
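An added example, not part of the thread above: a small Python checker that parses a "show running-config" dump and applies the points the thread makes to every port that carries a numeric voice VLAN. It flags the old trunk-style phone port (which the thread says port-security only supports on newer code and not on all switches), a port-security maximum below 3 (one desktop MAC plus two for the phone, as the cisco-phone macro comments say), data/voice VLAN clashes and use of VLAN 1, and missing portfast/bpduguard. The FastEthernet0/21 block is trimmed from Petr's output; FastEthernet0/22 and GigabitEthernet0/1 are constructed for the example. Per-VLAN port-security maxima and non-numeric voice VLAN settings (dot1p, untagged, none) are not handled.

```python
"""Audit Catalyst phone ports from 'show running-config' text (example code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: Fa0/21 trimmed from Petr's output, the other two made up.
SAMPLE_CONFIG = """
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 200
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,200
 switchport mode trunk
 switchport voice vlan 200
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, text):
        """Exact-line presence test (so 'port-security maximum' is not 'port-security')."""
        return text in self.lines

    def value(self, pattern, default=None):
        """First capture group of the first line matching pattern, else default."""
        for line in self.lines:
            m = re.match(pattern, line)
            if m:
                return m.group(1)
        return default


def parse_ports(config_text):
    """Split a running-config into interface blocks; IOS ends each with '!'."""
    ports, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(line.split(None, 1)[1])
            ports.append(current)
        elif line == "!" or not line:
            current = None
        elif current is not None:
            current.lines.append(line)
    return ports


def audit_port(port):
    """Return findings for a phone port; an empty list means clean."""
    findings = []
    voice = port.value(r"switchport voice vlan (\d+)")
    if voice is None:
        return findings  # no numeric voice VLAN: not a phone port, skip it
    mode = port.value(r"switchport mode (.+)", "dynamic")  # IOS default is dynamic
    if mode == "access":
        data = port.value(r"switchport access vlan (\d+)", "1")  # default VLAN 1
    else:
        # Old way: phone hangs off a trunk, data VLAN is the native VLAN.
        data = port.value(r"switchport trunk native vlan (\d+)", "1")
        findings.append(f"mode {mode}: old trunk-style phone port; thread notes "
                        "port-security on trunks needs newer code/platforms")
    if data == voice:
        findings.append(f"data and voice VLAN are both {voice}")
    if "1" in (data, voice):
        findings.append("VLAN 1 used for data or voice (macro recommends against)")
    if port.has("switchport port-security"):
        maximum = int(port.value(r"switchport port-security maximum (\d+)", "1"))
        if maximum < 3:
            findings.append(f"port-security maximum {maximum} < 3 "
                            "(desktop + two phone MACs)")
    else:
        findings.append("port-security not enabled")
    if not port.has("spanning-tree portfast"):
        findings.append("no spanning-tree portfast on edge port")
    if not port.has("spanning-tree bpduguard enable"):
        findings.append("no bpduguard on edge port")
    return findings


def audit_config(config_text):
    """Map interface name -> findings for every interface in the dump."""
    return {p.name: audit_port(p) for p in parse_ports(config_text)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against the sample, Fa0/21 (the macro-generated port) and the voice-less uplink come back clean, while the constructed trunk-style port gets three findings: trunk mode, the default port-security maximum of 1, and no bpduguard.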



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART