Cisco Support Community

New Member

Switch VLAN, Voice/Data Port configuration questions

I have some questions about the following port configuration on the switches:

interface FastEthernet0/9
 switchport mode access
 switchport voice vlan 3
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust device cisco-phone
 mls qos trust cos
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable

1. If the users and phones are configured to get a DHCP address, will the users automatically be put in VLAN 1 because no VLAN is referenced in the "switchport mode access" line?

2. Can phones be in the same subnet and be in a different VLAN (VLAN 3)?

7 REPLIES

Re: Switch VLAN, Voice/Data Port configuration questions

"1. If the users and phones are configured to get a DHCP address, will the users automatically be put in VLAN 1 because no VLAN is referenced in the "switchport mode access" line?"

Yes. The default access VLAN is 1 and therefore the non-voice hosts will be put in VLAN 1.

"2. Can phones be in the same subnet and be in a different VLAN (VLAN 3)?"

No. Every VLAN has to have its own IP subnet, as they are separate broadcast domains. As such, the phones need to use an IP address from the VLAN 3 subnet.

HTH

Sundar

Silver

Re: Switch VLAN, Voice/Data Port configuration questions

Hi Sundar. We answered simultaneously, and gave the same answer :)

New Member

Re: Switch VLAN, Voice/Data Port configuration questions

Thanks for the reply.

All branches are configured the same.

When I do a "sh vlan" I see the different ports showing up in the different VLANs, but the IP addresses are all in the same subnet for that branch.

Re: Switch VLAN, Voice/Data Port configuration questions

If a host connected to vlan 3 is using an address from vlan 1's IP scope then that user on vlan 3 wouldn't be able to talk to hosts outside of vlan 3. Are those hosts able to talk to hosts on other VLANs?

Let's say you have the following setup then the host connected to vlan 1 would use an address starting with 192.168.1.x and the vlan 3 host would use an address from 192.168.3.x subnet for inter-vlan routing to work. The default gateway for those hosts would be the router/L3 switch's respective interface address.

int f0/1
 switchport access vlan 1
int f0/3
 switchport access vlan 3
int vlan 1
 ip add 192.168.1.1 255.255.255.0
int vlan 3
 ip add 192.168.3.1 255.255.255.0

HTH

Sundar

New Member

Re: Switch VLAN, Voice/Data Port configuration questions

Sorry, but I am a doofus.

The router is configured with subinterfaces and the switch is trunking VLANs 1, 2 and 3.

I didn't see that before, you are completely correct as always.

But this brings up a question about VLANs in general:

Is it considered an OK practice to have one switch located in the DMZ, say, and on the switch be running only layer 2 VLANs?

Would it be considered OK from a security perspective to have DMZ, outside and inside networks on the same switch as long as they are separated by VLANs?

No physical isolation, but layer 2 VLANs and no inter-VLAN routing.

Is that acceptable, or is it better to isolate the DMZ from outside and inside with separate switches?

Thanks.

Re: Switch VLAN, Voice/Data Port configuration questions

Wilson,

Good questions.

See the responses inline.

"Is it considered an OK practice to have one switch located in the DMZ, say, and on the switch be running only layer 2 VLANs?"

That's perfectly OK.

"Would it be considered OK from a security perspective to have DMZ, outside and inside networks on the same switch as long as they are separated by VLANs?"

Actually this isn't a recommended security design as it can potentially expose the more trusted side to attacks from the less trusted side. A good security design should have physical separation of networks according to the trust level.

"No physical isolation, but layer 2 VLANs and no inter-VLAN routing."

If there's no physical isolation then this setup is the least recommended.

"Is that acceptable, or is it better to isolate the DMZ from outside and inside with separate switches?"

As stated above, if possible, physical separation is a better security design.

HTH

Sundar

Silver

Re: Switch VLAN, Voice/Data Port configuration questions

1. If no VLAN is configured, it will default to the switch's default VLAN. Normally, that is VLAN 1. You can check this by issuing "show interface status".

2. In short, no. Phones and users can coexist on one VLAN, but it is not recommended. Different VLANs mean that they have to be routed by different SVIs or router interfaces. You cannot configure the same subnet on two router interfaces or SVIs on one device.

Besides, the point is to segment your broadcast domain (e.g. to separate users from phones) so having two VLANs in one subnet does not make any sense.

This configuration puts hosts that are not IP PHONES into default VLAN (VLAN 1) and all devices that are IP PHONES into VLAN 3.
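As an added example (not code from the thread or from Cisco), the following Python script checks the two points the replies settle: an access port with no "switchport access vlan" drops data hosts into VLAN 1, and a host must hold an address from the subnet its VLAN's SVI routes. The parser, the sample config and the finding texts are constructed here; the SVI addresses follow Sundar's example.

```python
import ipaddress
import re

# Constructed sample: the port from the original post, a port with an explicit data VLAN, and Sundar's two SVIs.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
interface FastEthernet0/9
 switchport mode access
 switchport voice vlan 3
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/10
 switchport access vlan 2
"""

def parse_stanzas(config):
    """Return {interface name: [config lines]} for each 'interface' block."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas[line.split(None, 1)[1]] = []
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
    return stanzas

def svi_subnets(stanzas):
    """Map VLAN id -> IPv4 subnet from each 'interface VlanN' stanza."""
    subnets = {}
    for name, lines in stanzas.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        for p in (l.split() for l in lines if m and l.startswith("ip address ")):
            subnets[int(m.group(1))] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
    return subnets

def audit_access_port(lines):
    """Findings for one access port; IOS assumes VLAN 1 when none is set."""
    m = re.search(r"^switchport access vlan (\d+)$", "\n".join(lines), re.M)
    access_vlan = int(m.group(1)) if m else 1
    findings = [] if m else ["no access vlan: data hosts land in default VLAN 1"]
    if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
        findings.append("portfast edge port without bpduguard")
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    return access_vlan, findings

def host_in_vlan_subnet(vlan, host, subnets):
    """True only if the host address belongs to the subnet routed for its VLAN."""
    return vlan in subnets and ipaddress.ip_address(host) in subnets[vlan]
```

Run it against a saved "show running-config" to list every edge port still relying on the VLAN 1 default before deciding whether that VLAN should also carry user traffic.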
