Voice Vlan Access Map Question

Apr 28th, 2009

Hi:


I have a switch that has a data vlan configured and a voice vlan.


data vlan is 341

voice vlan is 546


Here is the config:


==================================================================================


vlan 546
 name Avaya_Phone_vlan546

vlan 341
 name data_vlan

vlan access-map VOICE 10
 action forward
 match ip address Avaya_Phones
vlan access-map VOICE 20
 action forward
 match ip address NETWORK_SERVICES

vlan filter VOICE vlan-list 546

vlan 546
 name Avaya_Phone_vlan546

ip access-list extended Avaya_Phones
 remark ACL for Avaya traffic
 permit udp any range 10000 14001 any range 10000 14001
 permit tcp any range 1024 65535 any range 61440 61444
 permit udp any range 10000 14001 any eq 5005
 permit udp any range 1024 65535 any eq 1719
 permit udp any eq 1719 any range 1024 65535
 permit tcp any range 1024 65525 any range 1719 1720
 permit tcp any range 1719 1720 any range 1024 65525
 permit udp any eq 68 any eq 67
 permit udp any range 1024 5000 any eq 53
 permit tcp any range 1024 5000 any eq 411
 permit tcp any range 1024 5000 any eq 80
 permit tcp any range 1024 5000 any eq 443
 permit tcp any any eq 80
 permit tcp any any eq 81
 permit udp any any eq 161
 permit udp any range 1024 5000 any eq 514
 permit tcp any range 1024 5000 any eq 50002
 permit udp any any eq 50000
 permit udp any any eq 69
 permit icmp any any

ip access-list extended NETWORK_SERVICES
 remark PIM/HSRP/DHCP
 permit pim any any
 permit tcp any 10.76.160.0 0.0.31.255 eq 22
 permit tcp any 10.76.192.0 0.0.31.255 eq 22
 permit tcp any 10.76.160.0 0.0.31.255 eq 21874
 permit tcp any 10.76.192.0 0.0.31.255 eq 21874
 permit tcp 10.76.160.0 0.0.31.255 eq 22 any
 permit tcp 10.76.192.0 0.0.31.255 eq 22 any
 permit tcp 10.76.160.0 0.0.31.255 eq 21874 any
 permit tcp 10.76.192.0 0.0.31.255 eq 21874 any
 permit tcp host 10.76.171.1 any eq smtp
 permit tcp host 10.76.179.1 any eq smtp
 permit tcp host 10.76.171.1 any eq domain
 permit tcp host 10.76.179.1 any eq domain
 permit udp host 10.76.179.1 any range 1024 65525
 permit udp host 10.76.171.1 any range 1024 65525
 permit udp any range 1024 65525 host 10.76.179.1
 permit udp any range 1024 65525 host 10.76.171.1
 permit udp any eq 1985 any eq 1985
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootps any eq bootps
 permit udp any eq domain any
 permit tcp any eq www any
 permit icmp any 10.76.160.0 0.0.31.255 echo
 permit icmp any 10.76.160.0 0.0.31.255 echo-reply
 permit icmp any 10.76.192.0 0.0.31.255 echo
 permit icmp any 10.76.192.0 0.0.31.255 echo-reply
 permit icmp 10.76.160.0 0.0.31.255 any echo
 permit icmp 10.76.160.0 0.0.31.255 any echo-reply
 permit icmp 10.76.192.0 0.0.31.255 any echo
 permit icmp 10.76.192.0 0.0.31.255 any echo-reply
 permit icmp any any ttl-exceeded
 deny ip any any log

interface vlan546
 ip address 10.76.185.251 255.255.254.0
 ip helper-address 10.76.171.1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 service-policy input user-marking
 no shut
!

==================================================================================


What I don't understand is that the vlan filter (vlan access map) is applied to the Avaya phone vlan, yet the traffic it's filtering is the kind of traffic that would be generated by a PC, not a phone, like http or https. Why is that?


The PC would indeed be connected to the phone and the phone to the switch. The PC would be on the data vlan and the phone on the voice, of course. So, shouldn't the vlan access map be applied to the data vlan?


Marwan ALshawi Tue, 04/28/2009 - 04:58

If you are using a phone that is not Cisco, the voice VLAN will not be used by the phone.

This voice VLAN will be negotiated with the IP phone using CDP; only Cisco IP phones support CDP.

Be careful with this!

ex-engineer Tue, 04/28/2009 - 05:34

Marwan:


That's a good point. I did think of that, actually. I will address that with them.


In this case, they would have to configure a dot1q trunk and allow the data and voice vlan, right?


Also, what do you think of my original question regarding the vlan access map?



Marwan ALshawi Tue, 04/28/2009 - 14:33

Actually, a VLAN access map, also known as a VLAN ACL (VACL), works like an ACL, but it helps you filter traffic within your VLAN.

Let's say you want to block traffic between two hosts within the same VLAN: a VACL will do it for you.


HTH
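
The VOICE access map from the first post evaluated against sample packets, as an added example that is not part of any post in this thread. It models the clause order documented for Catalyst VACLs: a permit ACE applies the clause's action, a deny ACE falls through to the next clause, and unmatched traffic is dropped. Assumptions: the `Packet`, `Ace` and `evaluate` names are hypothetical, the packets are constructed, and only ACEs with `any` addresses are copied from the config.

```python
# Added example: toy model of VLAN access-map (VACL) evaluation.
from dataclasses import dataclass

ANY = range(0, 65536)

@dataclass(frozen=True)
class Packet:               # constructed sample traffic, ports only
    proto: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Ace:                  # one ACL entry; addresses omitted (all "any")
    permit: bool
    proto: str              # "tcp", "udp", "icmp", "pim", or "ip" for any
    sports: range = ANY
    dports: range = ANY

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if p.proto in ("tcp", "udp"):
            return p.sport in self.sports and p.dport in self.dports
        return True

# Subset of the thread's ACLs, keeping only entries with "any" addresses.
AVAYA_PHONES = [
    Ace(True, "udp", range(10000, 14002), range(10000, 14002)),
    Ace(True, "udp", range(1024, 65536), range(1719, 1720)),
    Ace(True, "tcp", range(1024, 5001), range(443, 444)),
    Ace(True, "tcp", dports=range(80, 81)),
    Ace(True, "icmp"),
]
NETWORK_SERVICES = [
    Ace(True, "pim"),
    Ace(True, "udp", range(1985, 1986), range(1985, 1986)),
    Ace(False, "ip"),       # deny ip any any log
]
VOICE = [(10, "forward", AVAYA_PHONES), (20, "forward", NETWORK_SERVICES)]

def evaluate(vacl, pkt):
    """Return (action, sequence) for a packet crossing the filtered VLAN."""
    for seq, action, acl in vacl:
        for ace in acl:
            if ace.matches(pkt):
                if ace.permit:
                    return action, seq   # permit ACE: take the clause's action
                break                    # deny ACE: clause not matched, try next
    return "drop", None                  # nothing matched: implicit drop
```

Because both clauses use `action forward`, the map acts as an allow-list for VLAN 546: a flow such as `Packet("tcp", 40000, 445)` matches no permit entry and is dropped.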
