Switch VLAN, Voice/Data Port configuration questions

Unanswered Question
Aug 20th, 2007

I have some questions about the following port configuration on the switches:

interface FastEthernet0/9
 switchport mode access
 switchport voice vlan 3
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust device cisco-phone
 mls qos trust cos
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable

1. If the users and phones are configured to get a DHCP address, will the users automatically be put in VLAN 1 because no VLAN is referenced in the "switchport mode access" line?


2. Can phones be in the same subnet and be in a different VLAN (VLAN 3)?

Overall Rating: 5 (4 ratings)
sundar.palaniappan Mon, 08/20/2007 - 13:23
User Badges:
  • Green, 3000 points or more

"1. If the users and phones are configured to get a DHCP address, will the users automatically be put in VLAN 1 because no VLAN is referenced in the "switchport mode access" line?"


Yes. The default access VLAN is 1 and therefore the non-voice hosts will be put in VLAN 1.


"2. Can phones be in the same subnet and be in a different VLAN (VLAN 3)?"


No. Every VLAN has to have its own IP subnet, as they are separate broadcast domains. As such, the phones need to use an IP address from the VLAN 3 subnet.


HTH


Sundar

Pavel Bykov Mon, 08/20/2007 - 13:27
User Badges:
  • Silver, 250 points or more

Hi Sundar. We answered simultaneously, and gave the same answer :)

wilson_1234_2 Mon, 08/20/2007 - 14:56

Thanks for the reply.


All branches are configured the same.


When I do a "sh vlan" I see the different ports showing up in the different VLANs, but the IP addresses are all in the same subnet for that branch.



sundar.palaniappan Mon, 08/20/2007 - 15:56
User Badges:
  • Green, 3000 points or more

If a host connected to vlan 3 is using an address from vlan 1's IP scope then that user on vlan 3 wouldn't be able to talk to hosts outside of vlan 3. Are those hosts able to talk to hosts on other VLANs?


Let's say you have the following setup; then the host connected to vlan 1 would use an address starting with 192.168.1.x and the vlan 3 host would use an address from the 192.168.3.x subnet for inter-vlan routing to work. The default gateway for those hosts would be the router/L3 switch's respective interface address.


int f0/1
 vlan 1

int f0/3
 vlan 3

int vlan 1
 ip add 192.168.1.1 255.255.255.0

int vlan 3
 ip add 192.168.3.1 255.255.255.0


HTH


Sundar


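As an added example (not code from the thread), the checks below cover both of Sundar's answers: a small audit that parses an IOS-style config, flags access ports whose data hosts would silently land in VLAN 1 (plus missing port-security or bpduguard), derives each VLAN's subnet from its SVI, and lists hosts whose address does not belong to their VLAN's subnet, the situation in which inter-VLAN routing cannot work for them. The sample config is constructed from the snippets in this thread; the function names are my own.

```python
import ipaddress
# Constructed sample config, modelled on the port and SVI snippets in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/9
 switchport mode access
 switchport voice vlan 3
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
"""
def parse_interfaces(config):
    # Map interface name -> list of its indented config lines (whitespace stripped).
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit_access_port(name, lines):
    # Findings for one access port; an empty list means nothing to flag.
    if "switchport mode access" not in lines:
        return []
    checks = [
        (any(l.startswith("switchport access vlan ") for l in lines),
         "no access VLAN set, so data hosts default to VLAN 1"),
        ("switchport port-security" in lines, "port-security not enabled"),
        ("spanning-tree bpduguard enable" in lines, "edge port without bpduguard"),
    ]
    return [f"{name}: {msg}" for ok, msg in checks if not ok]

def vlan_subnets(interfaces):
    # Derive VLAN id -> subnet from each SVI's 'ip address <ip> <mask>' line.
    subnets = {}
    for name, lines in interfaces.items():
        for l in lines:
            if name.startswith("Vlan") and l.startswith("ip address "):
                ip, mask = l.split()[2:4]
                subnets[int(name[4:])] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return subnets

def misplaced_hosts(subnets, hosts):
    # hosts maps ip -> vlan; return those whose address is outside their VLAN's subnet.
    return [ip for ip, vlan in hosts.items() if ipaddress.ip_address(ip) not in subnets[vlan]]
```

Running it against the sample flags only the missing `switchport access vlan` on FastEthernet0/9; adding that line to the port clears the finding.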

wilson_1234_2 Tue, 08/21/2007 - 07:11

Sorry, but I am a doofus,


The router is configured with subinterfaces and the switch is trunking VLANs 1, 2 and 3.


I didn't see that before, you are completely correct as always.


But this brings up a question about VLANs in general:


Is it considered an OK practice to have one switch located in the DMZ, say, and on the switch be running only layer 2 VLANs?


Would it be considered OK from a security perspective to have DMZ, outside and inside networks on the same switch as long as they are separated by VLANs?


No physical isolation but layer 2 VLAN and no inter VLAN routing.


Is that acceptable, or is it better to isolate the DMZ from outside and inside with separate switches?


Thanks.

sundar.palaniappan Tue, 08/21/2007 - 10:10
User Badges:
  • Green, 3000 points or more

Wilson,


Good questions.


See the responses inline.


"Is it considered an OK practice to have one switch located in the DMZ, say, and on the switch be running only layer 2 VLANs?"


That's perfectly OK.


"Would it be considered OK from a security perspective to have DMZ, outside and inside networks on the same switch as long as they are separated by VLANs?"


Actually this isn't a recommended security design as it can potentially expose the more trusted side to attacks from the less trusted side. A good security design should have physical separation of networks according to the trust level.


"No physical isolation but layer 2 VLAN and no inter VLAN routing."


If there's no physical isolation then this setup is at the least recommended.


"Is that acceptable, or is it better to isolate the DMZ from outside and inside with separate switches?"


As stated above, if possible, physical separation is a better security design.



HTH


Sundar



Pavel Bykov Mon, 08/20/2007 - 13:26
User Badges:
  • Silver, 250 points or more

1. If no VLAN is configured, it will default to the switch's default VLAN. Normally, that is VLAN 1. You can check this by issuing "show interface status".


2. In short, no. Phones and users can coexist on one VLAN, but it is not recommended. Different VLANs mean that they have to be routed by different SVIs or router interfaces. You cannot configure the same subnet on two router interfaces or SVIs on one device.

Besides, the point is to segment your broadcast domain (e.g. to separate users from phones) so having two VLANs in one subnet does not make any sense.



This configuration puts hosts that are not IP phones into the default VLAN (VLAN 1) and all devices that are IP phones into VLAN 3.
