conflicting info on voice vlan config
OK, I need to get something cleared up because I have been reading conflicting info.
1) Should voice VLAN ports be configured as access or trunk ports? Does it really matter, or will it affect the QoS config?
2) Is it OK to use port-security on ports with voice VLANs enabled, either static or dynamic, as long as the maximum is 2 or more?
3) Sticky MAC addresses are a big no-no on voice VLAN ports, correct?
thanks!
CCIE# 38186
showroute.net
Comments
Paul Boz Member Posts: 2,620
The ports are still access ports. "Trunking" is a misnomer. You're not actually trunking different vlans. You're tagging voice (or non-voice) traffic to a specific vlan and leaving the opposite traffic untagged to use the default vlan.
Here is a typical config:
interface range FastEthernet0/1 - 23
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 105
Yes, using port security is fine. I usually enable portfast and BPDU Guard at a minimum. Portfast is usually good enough but BPDU guard slams the port so when someone inevitably plugs in a switch and tries to (either intentionally or unintentionally) screw the switching domain they have to call in to get it fixed. It's a great way to point out the dummies automatically.
I don't bother with MAC bindings anyway. Adds/moves/changes are a hassle as it is. MAC bindings just add to it.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC | GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
MACattack Member Posts: 121
1) Should voice vlans ports be configured as access or trunk ports? Does it really matter, or will it affect the QoS config
Well, it's okay to use an access port, BUT there are some issues if you implement QoS. Why? Because an 802.1q carries 32 bytes which includes TPI, CFI, VLAN ID and the important 3-bit PRI which is used for Class of Service for Ethernet.
The IP phone sends 802.1Q/P (CoS) frames to the workgroup switch. The frames leaving the IP phone toward the workgroup (access) switch have the voice VLAN number in the VLAN ID field, and their priority (CoS) field is usually set to 5 (decimal), which is equal to 101 binary, interpreted as critical or voice bearer.
So if you are concerned about quality then you need to specify a separate VLAN for voice.
2) Is it ok to use port-security on ports with voice vlans enabled, either static or dynamic, as long as the maximum is 2 or more.??
Yes, it is okay as long as you mention switchport port-security max 2 on the interface, but if you are planning to transfer the user's phone to another port you need to manually do the administration to allow it to re-learn the MAC address.
A switchport port-security can learn 1 to 1024 addresses and by default it will only learn one L2 address; you need to specify the maximum.
A switchport port-security mac-address sticky converts all dynamic MAC addresses to secure MAC addresses. (I am not sure if I am correct that if you use mac address sticky it will only learn 1 address.) But as far as I know you can use the voice parameter at the end of the command.
3) sticky mac addresses are a big no no on voice vlan ports correct?
Well, it depends on the model of the switch; you can use the switchport port-security mac-address vlan # voice but first you need to configure voice vlan on the port.
By default a switchport is set to no aging time because any host that is silent will be removed from the MAC address table.
I hope this helps.
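An added example, not part of any post in this thread: a small Python audit that reads an IOS-style configuration and reports voice VLAN ports that miss the settings the replies above describe (access mode, a port-security maximum of at least 2 when port-security is on, portfast, BPDU guard). The function names and the sample configuration are constructed for illustration, and only the port-wide `maximum` form is parsed.

```python
import re

MAX_RE = re.compile(r"switchport port-security max\w* (\d+)")
# Constructed sample config (not from the thread); VLAN 105 as in the reply above.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 105
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 105
 switchport port-security
!
interface FastEthernet0/3
 switchport mode trunk
 switchport voice vlan 105
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(" ".join(raw.split()))
        else:
            current = None  # "!" or a global command ends the block
    return interfaces

def audit_voice_ports(config):
    """Return {interface: [findings]} for ports that carry a voice VLAN."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport voice vlan ") for c in cmds):
            continue  # no voice VLAN on this port
        limit = ([1] + [int(m[1]) for m in map(MAX_RE.fullmatch, cmds) if m])[-1]  # default 1
        checks = [
            ("switchport mode access" in cmds, "not an access port"),
            ("switchport port-security" not in cmds or limit >= 2, "port-security maximum below 2"),
            ("spanning-tree portfast" in cmds, "portfast missing"),
            ("spanning-tree bpduguard enable" in cmds, "bpduguard missing"),
        ]
        report[name] = [msg for ok, msg in checks if not ok]
    return report
```

Calling `audit_voice_ports(SAMPLE_CONFIG)` returns an empty finding list for FastEthernet0/1 and lists the gaps for the other two ports.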