Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
648
Views
20
Helpful
7
Replies

Switch VLAN, Voice/Data Port configuration questions

wilson_1234_2
Level 3
Level 3

‎08-20-2007 12:55 PM - edited ‎03-05-2019 05:59 PM

I have some questions about the following port configuration on the switches:

interface FastEthernet0/9

switchport mode access

switchport voice vlan 3

switchport port-security maximum 3

switchport port-security

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

mls qos trust device cisco-phone

mls qos trust cos

no mdix auto

spanning-tree portfast

spanning-tree bpduguard enable

1. If the users and phones are configured to get a DHCP address, will the users automatically be put in VLAN 1 because no VLAN is referenced in the "switchport mode access" line?

2. Can phones can be in the same subnet and be in a different VLAN(VLAN 3)?

Labels:
0 Helpful
7 Replies 7

sundar.palaniappan
Level 10
Level 10

‎08-20-2007 01:23 PM

""1. If the users and phones are configured to get a DHCP address, will the users automatically be put in VLAN 1 because no VLAN is referenced in the "switchport mode access" line?""

Yes. The default access VLAN is 1 and therefore the non-voice hosts will be put in VLAN 1.

""2. Can phones can be in the same subnet and be in a different VLAN(VLAN 3)?""

No. Every VLAN has to have it's own IP subnet as they are separate broadcast domains. As such the phones need to use an IP address from VLAN 3 subnet.

HTH

Sundar

Pavel Bykov
Level 5
Level 5
In response to sundar.palaniappan

‎08-20-2007 01:27 PM

Hi Sundar. We answered simultaneously, and gave the same answer :)

0 Helpful

wilson_1234_2
Level 3
Level 3
In response to sundar.palaniappan

‎08-20-2007 02:56 PM

Thanks for the reply.

All braches are configured the same.

When I do a "sh vlan" I see the different ports showing up in the differnet VLANs, but the IP Addresses are all in the same subnet for that branch.

0 Helpful

sundar.palaniappan
Level 10
Level 10
In response to wilson_1234_2

‎08-20-2007 03:56 PM

If a host connected to vlan 3 is using an address from vlan 1's IP scope then that user on vlan 3 wouldn't be able to talk to hosts outside of vlan 3. Are those hosts able to talk to hosts on other VLANs?

Let's say you have the following setup then the host connected to vlan 1 would use an address starting with 192.168.1.x and the vlan 3 host would use an address from 192.168.3.x subnet for inter-vlan routing to work. The default gateway for those hosts would be the router/L3 switch's respective interface address.

int f0/1

vlan 1

int f0/3

vlan 3

int vlan 1

ip add 192.168.1.1 255.255.255.0

int vlan 3

ip add 192.168.3.1 255.255.255.0

HTH

Sundar

wilson_1234_2
Level 3
Level 3
In response to sundar.palaniappan

‎08-21-2007 07:11 AM

Sorry, but I am a doofus,

The router is configured with subinterfaes and the switch is trunking VLANs 1,2 and 3.

I didn't see that before, you are completely correct as always.

But this brings up a questions about VLANs in general:

Is is considered an ok practice to have one switch located in the DMZ say, and on the switchbe running only layer 2 VLANs.

Would it be considered ok from a security perspective to have DMZ, outside and inside networks on the same switch as long as they are seperated by VLANs?

No physical isolation but layer 2 VLAN and no inter VLAN routing.

Is that acceptable, or better to isolate the DMZ from outside and inside with seperate switches?

Thanks.

0 Helpful

sundar.palaniappan
Level 10
Level 10
In response to wilson_1234_2

‎08-21-2007 10:10 AM

Wilson,

Good questions.

See the responses inline.

""Is is considered an ok practice to have one switch located in the DMZ say, and on the switchbe running only layer 2 VLANs.""

That's perfectly OK.

""Would it be considered ok from a security perspective to have DMZ, outside and inside networks on the same switch as long as they are seperated by VLANs?""

Actually this isn't a recommended security design as it can potentially expose the more trusted side to attacks from the less trusted side. A good security design should have physical separation of networks according to the trust level.

""No physical isolation but layer 2 VLAN and no inter VLAN routing.""

If there's no physical isolation then this setup is at the least recommended.

""Is that acceptable, or better to isolate the DMZ from outside and inside with seperate switches? ""

As stated above if possible then physical separation is a better security design.

HTH

Sundar

Pavel Bykov
Level 5
Level 5

‎08-20-2007 01:26 PM

1. If no VLAN configured, it will default to a switch's default VLAN. Normally, that is VLAN 1. You can check this by issuing "show interface status"

2. In short, no. Phones and users can coexist on one VLAN, but it is not recommended. Different VLANs means that they have to be routed by different SVIs or Router interfaces. You cannot configure same subnet on two router interfaces or SVIs on one device.

Besides, the point is to segment your broadcast domain (e.g. to separate users from phones) so having two VLANs in one subnet does not make any sense.

This configuration puts hosts that are not IP PHONES into default VLAN (VLAN 1) and all devices that are IP PHONES into VLAN 3.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card