RE: if voice phone supports 802.1q should i config the port as

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Thu Jun 01 2006 - 12:29:07 ART


I found this example on the DocCD that is pretty good (under the switch ...port based traffic control). Also, note that the data vlan does not have a native configuration added....not sure if this is an issue, or, needs to be configured at the port level. Thoughts?

This example shows how to enable sticky port security on a port, to
manually configure MAC addresses for data VLAN and voice VLAN, and to
set the total maximum number of secure addresses to 20 (10 for data VLAN
and 10 for voice VLAN).

Switch(config)# interface FastEthernet1/0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice

Dave Schulz,
Email: dschulz@dpsciences.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Thursday, June 01, 2006 9:10 AM
To: 'Chris Lewis'
Cc: 'Petr Lapukhov'; 'Victor Cappuccio'; 'Vinu'; 'Cisco certification'
Subject: RE: if voice phone supports 802.1q should i config the port as
trunk

CDP has always been leveraged for this (the original use of the "voice vlan" command).
 
The old vs. new way is whether you're letting it be trunk (3550's do this dynamically by default) or setting in access mode. Access mode DOES allow easier configuration since tagged frames are ignored instead of the old days where we had to manually restrict each trunk to the data + voice vlan (boring stuff). In the new way, CDP is also used to have an exception list to the normal method of access mode where tagged frames are ignored.
 
Port security NOW works with trunks or access ports, but it's more recent. And not on all switches AFAIK.

  _____

From: Chris Lewis [mailto:chrlewiscsco@gmail.com]
Sent: Thursday, June 01, 2006 9:05 AM
To: Scott Morris
Cc: Petr Lapukhov; Victor Cappuccio; Vinu; Cisco certification
Subject: Re: if voice phone supports 802.1q should i config the port as
trunk

Scott,
 
I don't understand what you mean by this post. There are two ways of configuring voice vlan, the old and new: the old explicitly configures the port as a trunk, the new leverages CDP to exchange vlan information between the switch and phone. Both end up with the switch port trunking. This is easily seen if you configure both options on a router and issue the show int f0/5 switchport command.
 
Port security will work for either configuration, with the caveat that you need to increase the number of secure addresses by 2.
 
Chris

 
On 6/1/06, Scott Morris <swm@emanon.com> wrote:

Where's the fun in that??? Actually, after a little poking around, you are correct that you CAN use switchport mode access.. This was introduced as a "fix", however.... Certain features, like port-security, require that you be on an access port which defeats the purpose of trunking to your phone...

In THIS example, the voice-vlan command has the added effect of allowing tagged traffic to only one vlan. Kinda obviates the trunking idea, but allows it through exceptions. I guess the Voice Design Guide (calling for port-security) initially got a bit ahead of the code development guys. :)

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE #153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com

_____

From: Petr Lapukhov [mailto:petrsoft@gmail.com]
Sent: Thursday, June 01, 2006 1:00 AM
To: Scott Morris
Cc: Victor Cappuccio; Vinu; Cisco certification
Subject: Re: if voice phone supports 802.1q should i config the port as
trunk

Scott,

just to break the tie :) Let's ask Cisco's hardware:

SW1(config)#interface fastEthernet 0/21
SW1(config-if)#macro apply cisco-phone $access_vlan 10 $voice_vlan 200

SW1#sh running-config interface fastEthernet 0/21
Building configuration...

Current configuration : 734 bytes
!
interface FastEthernet0/21
switchport access vlan 10
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
auto qos voip cisco-phone
wrr-queue bandwidth 10 20 70 1
wrr-queue min-reserve 1 5
wrr-queue min-reserve 2 6
wrr-queue min-reserve 3 7
wrr-queue min-reserve 4 8
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
priority-queue out
spanning-tree portfast
spanning-tree bpduguard enable

SW1#show parser macro name cisco-phone
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template

# macro keywords $access_vlan $voice_vlan

# VoIP enabled interface - Enable data VLAN
# and voice VLAN
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Update the Voice VLAN value which should be
# different from data VLAN
# Recommended value for voice vlan should not be 1
switchport voice vlan $voice_vlan

# Enable port security limiting port to a 3 MAC
# addressess -- One for desktop and two for phone
switchport port-security
switchport port-security maximum 3

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Enable auto-qos to extend trust to attached Cisco phone
auto qos voip cisco-phone

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable

HTH
Petr
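As an added example (not from any of the posters), a small Python checker that parses an interface block like the one Dave quoted and tests it against the points raised in the thread: port-security enabled, voice VLAN distinct from the data VLAN and neither being VLAN 1 (as the cisco-phone macro comments recommend), a maximum of at least 3 so the desktop plus the phone's two addresses fit (Chris's "increase by 2"), and per-VLAN maximums no larger than the port maximum. The sample config string and the audit rules are constructed here; the parser only understands the handful of switchport lines shown in the thread.

```python
import re

# Constructed sample: the DocCD example Dave quoted, as IOS would print it.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 22
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security maximum 10 vlan access
 switchport port-security maximum 10 vlan voice
"""

def parse_interface(text):
    """Extract VLAN and port-security settings; defaults are what IOS applies when a line is absent."""
    cfg = {"access_vlan": 1, "voice_vlan": None, "psec": False,
           "maximum": 1, "max_vlan": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"switchport (access|voice) vlan (\d+)", line):
            cfg[m.group(1) + "_vlan"] = int(m.group(2))       # access_vlan / voice_vlan
        elif line == "switchport port-security":
            cfg["psec"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+) vlan (\w+)", line):
            cfg["max_vlan"][m.group(2)] = int(m.group(1))      # per-VLAN limit
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cfg["maximum"] = int(m.group(1))                   # whole-port limit
    return cfg

def audit(cfg):
    """Findings against the guidance in the thread; an empty list means the port passes."""
    if cfg["voice_vlan"] is None:
        return ["no voice VLAN configured"]
    findings = []
    if not cfg["psec"]:
        findings.append("port-security is not enabled")
    if 1 in (cfg["access_vlan"], cfg["voice_vlan"]):
        findings.append("data or voice VLAN is 1 (macro recommends against it)")
    if cfg["access_vlan"] == cfg["voice_vlan"]:
        findings.append("voice VLAN equals data VLAN")
    if cfg["maximum"] < 3:
        findings.append("maximum below 3: a phone needs two extra secure addresses")
    for vlan, n in cfg["max_vlan"].items():
        if n > cfg["maximum"]:
            findings.append(f"per-VLAN maximum for {vlan} ({n}) exceeds port maximum")
    return findings
```

Running `audit(parse_interface(SAMPLE_CONFIG))` on the quoted example returns no findings; a port left at the default maximum of 1 with a voice VLAN set is flagged.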



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:31 ART