
Voice VLAN configuration spanning over access port between two SG300 switches in layer 3 mode.

mattybrownuk
Level 1

Is there some way of preventing the auto voice VLAN on one SG300 switch from propagating its settings to another SG300?

I've got two SG300 switches in layer 3 mode connected to each other via two Cat 6 cables using a port-channel. Each end is configured with an IP address in the 192.168.99.0/30 address, i.e. 192.168.99.1/30 and 192.168.99.2. I've configured static routes on each for the VLANs that are on each side of the LAN. Routing is working as expected.

I've configured the Auto Voice VLAN on each, so VLAN 2 is used on one switch and 12 is used on the other.  The administrative VLAN is showing correctly in the web UI, but the operational status is showing as VLAN 2 on both switches.  How can I prevent the switch that's meant to have VLAN 12 as its Voice VLAN from even knowing about VLAN 2??

I thought it might be CDP that's used to propagate Auto Voice VLAN configuration, but having disabled it on the link, it's made no difference.

 

On a separate note, is it right to configure the link between such devices as access ports and address them in this way, or is there a better way of achieving this (without buying two routers)?

Thanks,

Matty.

4 Replies

Dan Miley
Level 3

So the trick is to block the VSDP packets from going across the link. These are not CDP, LLDP, ARP, STP, etc. but multicast Bonjour-type packets.

I have had success with setting up an access list on the edge port and filtering the VSDP multicast IP address. I couldn't find the configuration I got working, but an ACL on the uplink port filtering mDNS

deny udp  any 224.0.0.251:5353

permit IP any any

 

should block VSDP. I would put that ACL on both sides of the link.

 

 

 

mDNS  [RFC6762]

this page

http://www.freepatentsonline.com/y2013/0259027.html

says:

VSDP may be implemented as a multicast domain name system service (mDNS service), such as Bonjour. The mDNS service instance may be defined for VSDP as follows: <Instance>=“VSDPxxxxxx” (where xxxxxx is the last 3 bytes of the base MAC address of a VSDP device); <Service>=“_csco-sb-vsdp._udp”; <Domain>=“local.”

VSDP messages may be multicast to mDNS multicast IP address 224.0.0.251. VSDP messages may be encoded in domain name system text resource record (DNS TXT RR) as a list of <FieldName>=<Field Value>. (and so on)

 

 

 

please flag helpful posts,

 

Dan
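To check whether VSDP advertisements still cross the link once the filter is applied, UDP payloads captured on the far side (destination 224.0.0.251, port 5353) can be scanned for the service name quoted in the post above. This is an added example, not code from the thread or from Cisco; the instance suffix and TXT field in the sample packet are constructed, and how the payloads are captured is left to the reader.

```python
import struct

VSDP_SERVICE = "_csco-sb-vsdp._udp.local"   # service name quoted in the post above
TYPE_TXT = 16

def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers; return (name, next_off)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if resume is None:
                resume = off + 2              # parsing continues after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                     # malformed packet: pointer loop
                raise ValueError("too many compression pointers")
        elif n == 0:                          # root label ends the name
            return ".".join(labels), (off + 1 if resume is None else resume)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def vsdp_txt_records(msg):
    """Return [(owner, [txt strings])] for TXT records owned by a VSDP service instance."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, hits = 12, []
    for _ in range(qd):                       # skip questions: name + qtype + qclass
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_TXT and owner.lower().endswith(VSDP_SERVICE):
            strings, i = [], 0
            while i < len(rdata):             # TXT rdata: length-prefixed strings
                strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
            hits.append((owner, strings))
    return hits

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

def sample_response(owner, fields):
    """Constructed test packet: an mDNS response carrying a single TXT answer."""
    rdata = b"".join(bytes([len(f)]) + f.encode() for f in fields)
    header = struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0)
    return header + encode_name(owner) + struct.pack("!HHIH", TYPE_TXT, 0x8001, 120, len(rdata)) + rdata
```

An empty result for every payload captured behind the ACL means no VSDP TXT advertisements are getting through.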

dlm...

Hi Dan

I saw that the default configuration for the SG300's (at least in router/L3 mode) includes this line:

bonjour interface range vlan 1

I wonder if I turned that off on both L3 switches, that would prevent VSDP from working across our networks?

I've decided that for now, I'm going to have to run the same Voice VLAN across both sites and change my access ports to trunk, but only allow VLANs 2 (voice) and 99 (inter-site link) across the trunk.

In future, am I best off just paying out for a real router or two to prevent such protocols from traversing the link?

Thanks for your help.

Matty.

I was unable to get the bonjour change to change the behavior in my lab.

I think you are right, it is better to have a single voice VLAN for your network, then possibly a layer 3 link between each site.

I'm not really sure what your topology is, you say it's 2 sites, but linked by a 2 port copper gig LAG?  Usually if you're going between sites, there is a router, and possibly  an internet provider.  Is it 2 companies with separate phone systems, campus network, 2 floors in the same building? 

 

I have had customers use the ACL above, and it does block the VSDP across the link.  That may be an option too.

If you are still under phone tech support warranty or contract, give a call in 866-606-1866 (US) to the small business support line,  http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

We can review your topology and make some suggestions for what your needs are, security, performance, latency, cost, etc...

 

 

 

Dan

Hi Dan,

Does the command “voice vlan state disabled” turn off the VSDP protocol on the switch?