voice vlan access mode / native vlan trunk mode issue


Hello,

I'm having trouble splitting VoIP traffic from the data traffic. I am using a 5505 ASA and 3560 switches.

ASA 5505 > catalyst 3560 > IP phone > laptop

on the ASA 5505

------------------------

I configured 4 VLANs:

1 for management

1 for outside

interface Vlan200 (data)
nameif Inside
security-level 100
ip address 10.0.31.15 255.255.255.0
!
interface Vlan400 (voice)
nameif VOIP
security-level 100
ip address 10.20.31.15 255.255.255.0

I configured one trunk port on a non-POE port 0/2

interface Ethernet0/2
description Trunk port to SW1
switchport access vlan 400
switchport trunk allowed vlan 200,400
switchport trunk native vlan 200
switchport mode trunk

On the 3560 switch

I configured one trunk on a POE port that connects to the ASA 5505

switchport trunk encapsulation dot1q
switchport trunk native vlan 200
switchport trunk allowed vlan 200,400
switchport mode trunk

I configured another POE port where I'm connecting the IP phone (Cisco 7940 or Polycom SoundPoint 501):

description Trunk port IPTEL_DATA
switchport access vlan 200
switchport mode access
switchport voice vlan 400

When connecting the IP phone to that port and connecting a laptop on the phone's switch port, the phone and PC get the correct VLAN and IP assigned, but I'm not able to register the phone with our provider.

When connecting the IP phone directly to a different port on the ASA 5505 (default VLAN 1), the phone immediately gets the config file and registers.

Did I trunk correctly using trunk mode for the ASA 5505 to Catalyst 3560 and access mode for the Catalyst 3560 to IP phone?

Any help is more than welcome

martin

Peter Paluch Wed, 09/15/2010 - 03:24

Martin,

First, is the Polycom IP Phone configured manually to use the VLAN 400 and perform 802.1Q VLAN tagging? The Cisco IP phones get their Voice VLAN ID via CDP but I doubt that the Polycom supports CDP, so most probably, it has to be configured for the VLAN 400 manually.

Second, do not change the native VLAN on the trunks to 200. Leave the VLAN 1 as the native VLAN. Make sure that both the VLAN 200 and VLAN 400 are tagged on all trunks between your switches and between a switch and the ASA box. The native VLAN is a different concept that should not be confused here with the data VLAN and frankly, it should not be used for any user traffic (data or voice) at all.

Can you perform these verifications and modifications?

Best regards,

Peter

omar.elmohri Wed, 09/15/2010 - 03:32

You said that the phone is getting an IP address. Is that true? Is it a correct IP from the VLAN 400 pool?

If that's the case, then VLAN 400 on the access side is working, and we still need to focus on the ASA-switch side.

Also, where is the DHCP server located?

@omar
- Yes, the VLANs are up on the switch.
- Yes, the phone gets the correct VLAN and IP (Cisco and Polycom), and if I plug a PC into the phone's switch port it gets the correct VLAN and IP.
- The DHCP is located on the ASA.

- Let's focus on the Cisco then, but Polycom supports CDP (both get the correct VLAN and IP when connecting on the switch ports).
- VLAN 1 is the default VLAN, which for the moment is configured on all remaining ports.
- I chose 200 as my native VLAN on the trunk; VLAN 1 isn't trunked from the ASA to the Catalyst switch.

@peter

SW1#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      200

Port        Vlans allowed on trunk
Gi0/1       200,400

Port        Vlans allowed and active in management domain
Gi0/1       200,400

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       200,400

no such command on firewall

this is output for show switch vlan

FW1(config-if)# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    Management                       up        Et0/1, Et0/4, Et0/5, Et0/6
                                                Et0/7
100  Outside                          up        Et0/0
200  Inside                           up        Et0/2, Et0/3
300  DMZ                              down
400  VOIP                             up        Et0/2, Et0/3

do you need output of show interfaces?
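Peter's advice above comes down to three checks on each trunk: the native VLAN must agree on both ends, both the data and voice VLANs must be in the allowed list on both ends, and the native VLAN should not be one of the user VLANs (otherwise that VLAN's frames cross the trunk untagged, and a native-VLAN mismatch on the far end silently leaks them into another VLAN). The script below is an added example, not code from the thread or from Cisco: it parses the `show interface trunk` output posted above and the ASA's `interface Ethernet0/2` stanza, then reports the findings for the thread's configuration. The two sample inputs are constructed from the values in this thread; the parser and the `TrunkEnd` record are assumptions of this example, and `expand_vlan_list` also handles the `1-4094` range form that a default trunk shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the switch-side 'show interface trunk' output, with the
# values SW1 shows in this thread (native VLAN 200, allowed 200,400).
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      200

Port        Vlans allowed on trunk
Gi0/1       200,400
"""

# Constructed sample: the ASA-side trunk interface stanza from this thread.
ASA_TRUNK_CONFIG = """\
interface Ethernet0/2
 description Trunk port to SW1
 switchport access vlan 400
 switchport trunk allowed vlan 200,400
 switchport trunk native vlan 200
 switchport mode trunk
"""


@dataclass
class TrunkEnd:
    """One end of an 802.1Q trunk (hypothetical record for this example)."""
    name: str
    native: int = 1                      # IOS and ASA default native VLAN is 1
    allowed: set = field(default_factory=set)


def expand_vlan_list(spec):
    """Expand '200,400' or '1-4094' style VLAN lists into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text):
    """Read the 'Native vlan' and 'Vlans allowed on trunk' tables; other tables are ignored."""
    ends = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):               # a table header selects the section
            if "Native vlan" in line:
                section = "native"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        if not line.strip() or section is None:
            continue
        fields = line.split()
        end = ends.setdefault(fields[0], TrunkEnd(fields[0]))
        if section == "native":
            end.native = int(fields[-1])
        else:
            end.allowed = expand_vlan_list(fields[1])
    return ends


def parse_trunk_stanza(text):
    """Read native/allowed VLANs from a 'switchport trunk ...' interface stanza."""
    end = TrunkEnd(re.search(r"^interface\s+(\S+)", text, re.M).group(1))
    m = re.search(r"switchport trunk native vlan (\d+)", text)
    if m:
        end.native = int(m.group(1))
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", text)
    # With no allowed-list command, a trunk carries all VLANs 1-4094.
    end.allowed = expand_vlan_list(m.group(1)) if m else set(range(1, 4095))
    return end


def check_trunk(a, b, user_vlans):
    """Return the findings for the trunk between ends a and b (empty list = clean)."""
    findings = []
    if a.native != b.native:
        findings.append(f"native VLAN mismatch: {a.name}={a.native}, {b.name}={b.native}")
    for end in (a, b):
        missing = user_vlans - end.allowed
        if missing:
            findings.append(f"{end.name} does not allow VLAN(s) {sorted(missing)}")
        if end.native in user_vlans:
            findings.append(f"{end.name}: native VLAN {end.native} carries user traffic untagged")
    return findings


if __name__ == "__main__":
    switch_end = parse_show_trunk(SHOW_TRUNK)["Gi0/1"]
    asa_end = parse_trunk_stanza(ASA_TRUNK_CONFIG)
    for finding in check_trunk(asa_end, switch_end, {200, 400}):
        print("WARN:", finding)
```

Run against the thread's values it prints two warnings, one per end, that VLAN 200 is riding the trunk untagged as the native VLAN; with `switchport trunk native vlan 1` restored on both ends (or the command simply removed) and 200,400 still allowed, the check comes back clean.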

Correct Answer
omar.elmohri Wed, 09/15/2010 - 04:11

OK.

I think that it's not a switch problem.

Let's go back to the ASA:

As you mentioned, when you connect the IP phone to a default ASA port (VLAN 1) it works without problem.

And now you're connecting it on a VLAN 400 port.

Can you please also provide the related configuration for VLAN 1 (or the complete config, omitting the public IPs and keys)?

: Saved
: Written by enable_15 at 01:29:53.977 UTC Wed Sep 15 2010
!
ASA Version 8.2(2)
!
hostname FW1
domain-name domain.local
enable password r2.d52YOdvbTM6/l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
nameif Outside
security-level 0
ip address 10.10.10.1 255.255.255.240
!
interface Vlan200
nameif Inside
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface Vlan300
nameif DMZ
security-level 50
ip address 30.30.30.1 255.255.255.0
!
interface Vlan400
nameif VOIP
security-level 100
ip address 40.40.40.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 100
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
description Trunk port to SW1
switchport access vlan 400
switchport trunk allowed vlan 200,400
switchport trunk native vlan 200
switchport mode trunk
!
interface Ethernet0/3 = (testing with this interface right now)
description Trunk port to SW4
switchport trunk allowed vlan 200,400
switchport mode trunk
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list acl_out_in extended permit tcp any interface Outside eq www

access-list acl_out_in extended permit tcp any interface Outside eq 5000

access-list no_nat extended permit ip 200.200.200.0 255.255.255.0 50.50.50.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Management 1500
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu VOIP 1500
ip local pool SSLClientPool 50.50.50.50-50.50.50.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Management) 1 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list no_nat
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface www 10.0.31.22 www netmask 255.255.255.255
static (Inside,Outside) tcp interface 5000 10.0.31.97 5000 netmask 255.255.255.255
access-group acl_out_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 87.236.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
enrollment self
fqdn vpnfgdn.dns.com
subject-name CN=vpnfqdn.dns.com
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate 2097644c
    308201fb 30820164 a0030201 02020420 97644c30 0d06092a 864886f7 0d010105
    05003042 311c301a 06035504 03131376 706e6272 6564612e 69746573 736f2e6e
    69746573 736f2e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00
    30818902 818100c0 7c562d66 47588291 2ddca190 2e8f52b3 7f50c7f1 5945d606
    9ff63a2e 432d0602 162710c8 818d152d e2467645 96e7da33 8b39bacf f01e42ad
    44ae2f2a 6bd6a9ab 024d47b6 273e720b 7263b0e9 8f24bf80 515e268e eace994e
    d882ea36 fe8893d2 44d5cdb1 15f298b4 c26d5eff 6839ed68 6a13f453 fe35635e
    c67ae205 da3ae502 03010001 300d0609 2a864886 f70d0101 05050003 81810068
    bfae1b4d c1850c56 5826edfb ff86e504 e5e4be95 10f9e674 a3c7997e 96db735a
    864176af 04fdae5d 4f401a32 dcadb213 857fda06 9a8764f1 1fcf0a31 76c6af20
    9cd09e68 63e6efb9 61098b81 60d72f2d 9b71b127 5282cd9f 234d49d7 d29bd56e
    d2b83698 bfb97cd7 a259593f f79b9694 7cce9fef c5fd79e0 4d89ae23 0e4c94
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config Outside
!
dhcpd address 192.168.1.2-192.168.1.254 Management
dhcpd dns 1.2.3.4 5.6.7.8 interface Management
dhcpd enable Management
!
dhcpd address 20.20.20.50-20.20.20.200 Inside
dhcpd dns 20.20.20.9 20.20.20.10 interface Inside
dhcpd domain domain.local interface Inside
dhcpd enable Inside
!
dhcpd address 30.30.30.50-30.30.30.200 DMZ
dhcpd enable DMZ
!
dhcpd address 40.40.40.50-40.40.40.200 VOIP
dhcpd dns 40.1.2.3 40.4.5.7 interface VOIP
dhcpd enable VOIP
!

priority-queue Outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust Outside
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 10.0.31.9
vpn-tunnel-protocol svc
default-domain value htcp.local
address-pools value SSLClientPool
username user1 TEkjf52Nn3sTy/S9 encrypted
username user1 attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9ff3725cc876e650c4dd8706b71db402
