vlan consolidation & Cleanup, Voice & Data on same port

[Shifu]

Hey folks,

New to this board. I did do a bit of searching, read through this article (

http://www.tek-tips.com/viewthread.cfm?qid=1656061

which VinceWhirlewind had some good insight). I am new to the HP world (Mostly light Ciscoing) so my questions may sound incorrect. Also, I inherited this setup, not my doing originally.

So, I know that you can do both data and voice on the same ethernet port. But this network was not set up that way. I have Cisco 7941's and 7906G's for phones. Data is currently on separate ports.

Now, currently, I have a Procurve 2610-48-PWR switch as the main switch configured with 3 vlans. Data, Voice, Wireless. The wireless contains 2 motorola controllers controlling about 20 AP's (inheritied as well, that's something else I'll have to ramp up on to learn). There are four other switches daisy chained via fiber off of port 52. Here's an overview, and then the relavant part of the config of this primary switch.

01-24 - Data
25-42 - Voice
43-48 - Wireless
49-51 - Not in use
52 Fiber to downstream 2610-24-PWR switch


And the actual config is as follows:

ip default-gateway 10.2.96.1
ip routing
vlan 1
name "data"
forbid 25-48
untagged 1-24
ip address 10.2.96.10 255.255.255.0
tagged 49-52
no untagged 25-48
exit
vlan 2
name "voice"
forbid 1-24,43-48
untagged 25-42
ip address 10.2.97.10 255.255.255.0
tagged 49-52
voice
exit
vlan 3
name "wireless"
untagged 43-48
ip address 10.2.98.10 255.255.255.0
tagged 49-52
exit
ip route 0.0.0.0 0.0.0.0 10.2.98.1


What I think I want to see is the following:

vlan 1
name "data"
untagged 1-48
ip address 192.168.6.1 255.255.255.0
qos priority 0
exit
vlan 2
name "voice"
ip address 192.168.7.1 255.255.255.0
qos priority 6
tagged 1-48
voice
exit
lldp enable-notification 1-48

Now, I am not sure what I need to do to the downstream switches (Configs are similar to the above) if I need to sort of mimic the above modified config. Port 52 specifically on this main switch is what daisy-chains to the four (4) other switches below.

Also, there are uplinks to each of these vlans going to the router. Port 1, 25, and 45 go to individual ports on the existing router (Juniper SSG20, which I am replacing as well). I just want/need only one port/uplink defined. That may require a fourth vlan I am thinking.

Finally, I included into the config, there are three statements dealing with routing (IP Default-gateway, ip routing, ip route)

Anyone able to give me a bit of direction if I am going the correct way on this?

Thanks in advance...

 

[VinceWhirlwind]

Looks good.

For the uplink to the other switch, you need to keep the VLAN1 & VLAN2 tagged 49-52. This allows those VLANs to connect to the uplinked switch.
Then, those switches are setup the same: EDGE switchports have VLAN1 untagged/VLAN2 tagged. UPLINK switchports have both VLANs tagged.

Then there is the router. What you have yet to grasp is the routing aspect of this network: you have three switched (Layer2) networks:
DATA on switchports 1-24
Voice on switchports 25-42
Wireless on switchports 43-48
All devices on these networks communicate using frames. Frames are addressed using MAC addresses. A device finds out the destination MAC address by sending out a broadcast asking "who owns IP address n". The owner of that IP address responds to the broadcast providing its MAC address. The two devices then send traffic to each other using each other's MAC address.
Meanwhile, the switch is reading the source MAC address of every frame it sees and keeps a table matching each MAC address with the switchport it was seen to come from. This table is what it uses to pass on the frames the switch has received.

So what happens when a device in VLAN1 tries to find a device in VLAN2? It doesn't even send out a broadcast asking "who has IP address n", because it recognises straightaway from its own IP address and subnet mask that the destination it is seeking is "off-net". Therefore it sends its traffic using as destination MAC address the MAC address of the IP address it has configured as "default GW".
The "default GW" is the router. The router knows where the different sunets are and can pass traffic between them. The router is the *only* way you can connect your VLANs.
This is why each of your VLANs has a connection to your router.

Because your switch is a layer2 switch, you will need to keep a connection from it, from each of its VLANs, to the router.

There is a different way to physically connect them: you can use a port like your switchport 52 - a port with all VLANs on it. You will need to configure your router to do the same. On a router this is normally done with subinterfaces if it supports them. (Search for subinterfaces + 802.1q trunking for examples and details.)

 

[Shifu]

Thanks for the post back VinceWhirlwind.

So, if I am adding back in 49-52 as tagged on each vlan so it can propagate out, then I would change the Voice VLAN to untagged (like in the example below), or would I just have tagged 1-52 instead?

ip default-gateway 192.168.6.254
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.6.254 (or would this be 192.168.7.254?)
vlan 1
name "data"
untagged 1-48
ip address 192.168.6.1 255.255.255.0
tagged 49-52
qos priority 0
exit
vlan 2
name "voice"
ip address 192.168.7.1 255.255.255.0
qos priority 6
untagged 1-48
tagged 49-52
voice
exit
lldp enable-notification 1-48


On my new Router/firewall (Watchguard XTM 21)
I have several options. There are 5 useable ethernet ports (the 6th port is for WAN). There is also support for VLANs, as well as Secondary networks on the same interface.

If I am wishing to keep this simple, would I A) use multiple ethernet ports for multiple uplinks, B) create a secondary network on the one interface (my most probable choice, then use like port 1 as the uplink to the router), or C) implement VLANs on the interface?

Thanks again...

 

[Shifu]

From re-reading through what I wrote, and reading a few other docs, I cannot have two ports untagged at the same time. So, with that in mind, the config would look like this:

ip default-gateway 192.168.6.1
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.6.1 (or would this be 192.168.7.254?)
vlan 1
name "data"
untagged 1-48
ip address 192.168.6.2 255.255.255.0
tagged 49-52
qos priority 0
exit
vlan 2
name "voice"
ip address 192.168.7.2 255.255.255.0
qos priority 6
tagged 1-52
voice
exit
lldp enable-notification 1-48

 

[VinceWhirlwind]

A) is usually used when a router doesn't support VLANs.
B) sounds nasty, if it means what I think it means: multiple subnets on one VLAN? No way!
C) Yes - Your uplink port to the firewall has all VLANs tagged. Your firewall port on the other end of this link has all VLANs tagged on it. Job done.
The firewall will need the router address (default GW) from each VLAN/subnet configured on it as the IP address on that VLAN's VLAN interface.

Your final config looks good, EXCEPT, why do you have two VLAN interfaces on your switch with IP addresses on them?
I can't remember how a 2610 works, but normally, having more than one interface on a switch implies the switch is actually doing Layer3/routing.
I think you don't want that in this case.
The switch needs an IP address so you can telnet/ssh/http/https/ftp to it and ping it. That's all the switch IP address is used for - management and nothing else. So you don't need two of them.

 

[Shifu]

Ok, router (Watchguard Firewall) supports vlans, I'm just diving into new territory here, so this will take me a bit of time to figure out. I got two vlans defined on the port (just like the switch config above). I re-defined my VPN tunnel on both sides, Corporate and remote site (It's good to have a test network, I'm telling ya)

I configured two DHCP scopes on my Domain controller back at corporate, 192.168.7.x for Voice (added option 150 that Cisco always wants, or so I thought) and 192.168.8.x for the data (no Option 150 defined, and I went with 192.168.8.x because 192.168.6.x got used for the "management" lan address)

As for when I mentioned option B, that is where the interface can have a multiple IP blocks assigned to it. does not involve VLANs.

The main reason I assigned IP addresses to each vlan was lack of knowledge. Actually, if I wish to ping a device hanging off of the switch, it has to ahve an IP address assigned to it, so I thought I read.?.

Now, I started with plugging in a Cisco phone direct to teh port, rather than through a switch to the port. The phone, which has been previously configured on my internal network, booted up, and ended up grabbing an IP off of the data network. I'm missing something here, just not sure what... It may be because the HTTP Locale (under settings) has the Call Manager defined, but I'm just not sure.

This thread is stepping out of the HP switch and into more of a general network thread, sorry about that. I'll touch more on the switch as I get this Cisco thing figured out.

Thanks again for all the info & ideas.

 

[Shifu]

Ok, just another update before I head to the house for the day.

I went back into the firewall (Router), changed what I want to be the "Voice" VLAN to UNtagged, and the data to tagged. Now when the phone boots, it grabs a Voice VLAN IP address, 192.168.7.101 (instead of the data one).

I plugged in a laptop to the Data port on the phone, no joy. Got a Voice IP address as well, 192.168.7.102

Ugh, maybe I'm going to need to go dig through my Cisco Docs on Call Manager, see if there is something I am missing.

 

[Shifu]

So I added the switch into the mix this morning. I'm using a 24 port (Procurve 2810) and am only using a small subset of the switch for testing. Ports 13 through 20 specifically. For now, lets just ignore everything else.

vlan 1
name "data"
no ip address
tagged 13-20
qos priority 0
exit
vlan 2
name "voice"
untagged 13-19
ip address 192.168.7.2 255.255.255.0
qos priority 6
tagged 20
voice
exit
lldp enable-notification 13-20

The phone is picking up a DHCP address based upon which vlan is considered "Untagged". If I set vlan 1 as tagged, and vlan 2 as untagged, I get a vlan 2 address. Reverse this (vlan 1 as untagged, and vlan 2 as tagged) and I get vlan 1 address.

Further, the same passes through for the "switch ports" on the Cisco phone.

So how is one suppose to get the voice and data separated?

 

[VinceWhirlwind]

OK, all that's normal when you're figuring out VLANs. You're doing a great job.

Let's get clear on a couple of terms:
SUBNET = VLAN. Each VLAN has one subnet associated with it, and each subnet is associated with one VLAN.
TRUNK. Whenever you are using 802.1q VLAN tagging, you are creating a "trunk". (Not to be confused with other uses of this word, eg, port aggregation is also called a trunk. Completely different thing).

Think of the connection between FW & SW as a pipe, Inside that pipe carries two bits of string. To know which bit of string is which, you have to tag it the same at both ends. You *can* have one(1) untagged bit of string, but no more. Or you can tag them all.

This is a TRUNK.

Sounds to me like your firewall wants/expects a trunk to have an untagged VLAN. Fine.
On the FW, your trunk includes VLAN1 untagged, VLAN2 tagged.
On the switchport this FW interface connects to, you have to have VLAN1 untagged and VLAN2 tagged.

This is a working trunk. You've proven that by successful DHCP over it.

When you change the FW interface to VLAN2 "untagged", you're not changing the SW interface to VLAN2 "untagged", so the "untagged" frames, which come from VLAN2 on the FW are then being accepted on the SW into VLAN1 because it is configured to put them there. This is called bridging VLANs. It's good to know it *can* be done, but it is very unlikely you will ever be in a situation where it should be.

Anyway, the phones are a different issue.
Think of the phone as a switch: it connects to the network, picks up VLAN1 untagged to pass on to its connected PC, and also picks up VLAN2 tagged to use for its own voice traffic.

>>> ***** How does it know the tag ID (in this case "2") it should be using?

Answer: it doesn't. You have to explicitly tell it: "Use '2' for tagged voice traffic".

There are various ways to tell it this: vendor-specific DHCP option, LLDP, or, in the case of cisco phones, CDP.

I've never done Cisco phone/HP switch, but check the manual for how to do VoIP - you might be able to use CDP: enable CDP globally on the switch, then put "Voice vlan 2" (or whatever the correct config is) on the switchport you want the phone in.

 

[cajuntank]

Vince has been giving you some good advice, so my only add to this is:

http://h17007.www1.hp.com/docs/interoperability/Cisco/4AA2-2301EEE.pdf

 

[Shifu]

Thanks Vince, thanks Cajun. Yea, that document I came across a while back.

I think my problem is partly stemming from the cisco phone will not pick up the DHCP address associated withthe voice network. LLDP-MED is enabled on the phone, and I have obviously designated the "voice" parameter on the vlan I wish it to be associated with, just that the phone doesn't seem to care about that.

I have Voice vlan tagged, following the suggestions above, but the phone just doesn't play nice.

Thanks again guys...

 

[cajuntank]

So if you have the Voice VLAN tagged and Data VLAN untagged, what about the firmware on the Cisco phone itself? I know on some of the older code, there was a LLDP issue that was resolved with newer code.

 

[Shifu]

SCCP 8-5-2-SR15

I think I read somewhere that version 8.3 or better was needed.

 

[cajuntank]

Ok, your good with the phone's firmware...make sure your switch's firmware is R11.07 or above as per the HP article. I don't think you are finished though with your LLDP configuration as per the article I supplied. Specifying the "voice" statement under the VLAN interface section just turns LLDP-MED on, now you have to configure LLDP-MED with the other statements:

(conf)# lldp run
(conf)# lldp config <port> medTlvEnable network_policy
(conf)# lldp config <port> medTlvEnable capabilities

I am thinking you are missing this step so the phones can properly identify the VLAN ID for voice so it can switch to that VLAN. If this works, don't forget about following the rest of the article concerning QoS as well. Try this first, but if that still is giving you issues...

What happens when you manually specify the voice VLAN on the Cisco Phone?

To specify a voice VLAN on a Cisco IP phone simply edit the Administrative VLAN id to the tagged vlan. For instance, on a Cisco 7941: Settings, Network Configuration, Admin. VLAN id (Option 21). The press * * # to unlock the settings. Enter the tagged (voice) VLAN id, Validate, Save, Exit. The phone will then reset.

If this works, then its still a LLDP configuration issue as the phones should be picking up the voice VLAN tag from LLDP. You can also specify this VLAN ID as a DHCP option from your DHCP server (check your phone documents for those settings if it comes down to that, but I feel following the article fully will solve your issue).

Hope I could help.

 

[Shifu]

So, the firmware for each of my test switches are at the latest that HP provides. There are two switches I have been playing with:

2824 (j4903a) - i.10.77 released 08/26/09

https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J4903A

2810 (j9021a) - n.11.52 released 09/21/11

https://h10145.www1.hp.com/downloads/SoftwareReleases.aspx?ProductNumber=J9021A

The live switch is a Procurve 2610-48-PWR (j9089a) and has R.11.72 firmware. The main problem I have there is it is a LIVE switch. In the mean time, I have ordered a 2620-48-PWR to play with. Probably be here in a few days.

bringing that up to speed, on these particular switches (NON POE), the medTlvEnable parameter is not a valid parameter to use. When issuing the command

(conf)# lldp config <port> ?
basicTlvEnable
ipAddrTable

Those are the only parameters available to choose.

If we go with the following:
(conf)# lldp config <port> basicTlvEnable ?
port_descr
system_name
system_descr
system_cap

Those are the only options available. I'm not sure, but MedTlvEnable is only in reference to POE stuff.

Currently now I have the phone on the voice vlan. probably not the correct way to configure it, but it works. Here is an overview (don't get thrown, vlan numbers have been updated from earlier posts):

Vlan 36 Voice - 1-20 untagged, 24 tagged (that's the uplink)
Vlan 20 Data - tagged 24, that's it.

On the firewall
vlan 36 - tagged
vlan 20 - untagged

The phone gets a voice vlan IP. Data port on the voice phone gets a voice vlan IP (ugh).

now, I can tag or leave it at "no" on vlan 20, makes no difference to the switch ports on the cisco phone. Which ever vlan is "untagged" will get that IP address range.

I have not tried the admin vlan solution yet as it would require me to "touch" all the phones that would go to a remote site, not pretty.

 

[VinceWhirlwind]

Manually configuring a phone isn't a solution, it's a test. As Cajun says, if you manually configure a phone for VLAN36 tagged and it works fine on a VLAN36 tagged switchport, then that tells you your only problem is getting the LLDP to work.

If you want to try a different tack - is there a DHCP option you can use to tell a Cisco phone that the Voice VLan is 36?
Before LLDP, I always used the DHCP option (for all sorts of different vendors) and it worked fine.
The phone boots up: all it knows about is the untagged VLAN, it gets an IP address in VLAN20, the DHCP offer comes with an Option nnn which says "VOice VLAN 36 Tagged" (in whatever format works for that particular phone vendor), then the phone switches to that VLAN and sends a new DHCP request.

 

[Shifu]

I've got a brand new HP Procurve 2620 POE switch showing up today. Once I get that in, we will know a few new things. 1) Does this LLDP-MED stuff only work with a POE switch 2) will a new switch (NON POE) work? I have a 2 new 2910al's in for a different project. Since it would have the latest code, but not be POE, this will let us know if that has the ultimate bearing on this.

Anyhow, stay tooned, we'll see how this turns out

 

[cajuntank]

All of the ports that phones plug into should be tagged in the voice VLAN, not just your uplink port.

 

[Shifu]

ok, got the new switch, fresh clean config. Loaded up the following:

ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 49-52
ip address dhcp-bootp
no untagged 1-48
exit
vlan 36
name "Voice"
untagged 1-48
qos priority 7
ip address 192.168.7.2 255.255.255.0
tagged 50
voice
exit
vlan 22
name "Data"
tagged 1-48,50
no ip address
exit
lldp enable-notification 1-48
power-over-ethernet pre-std-detect
no telnet-server
no web-management
web-management ssl
ip route 0.0.0.0 0.0.0.0 192.168.7.1
snmp-server community "public" unrestricted
snmp-server contact "IT Department"
no dhcp config-file-update
password manager

I did do the above mentioned commands MedTlvEnable <stuff>

On the firewall, the each defined vlan I "tagged". Not completely sure there.

The phone is currently getting a Voice vlan IP... GOOD
The laptop (connected to the phoen switch) is getting a Voice vlan IP, not so good.

If you guys have another idea, like scrap the config and start over, I'm all ears.

Thanks,

James

 

[Shifu]

Ok, I finally got it to work. Perseverance paid off.

Here is the final config for documentation purposes of others that struggled like me. No, I do not know what the final steps that made it work, part of it was reconfiguring my firewall (Watchguard XTM 22).

hostname "LAR1-CORE"
mac-age-time 1800
time timezone -360
time daylight-time-rule Continental-US-and-Canada
qos dscp-map 011000 priority 7
no stack
interface 1-48
poe-lldp-detect enabled
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 49-52
ip address dhcp-bootp
no untagged 1-48
exit
vlan 36
name "Voice"
qos priority 7
ip helper-address 10.2.34.10
ip address 192.168.7.2 255.255.255.0
tagged 1-52
voice
exit
vlan 26
name "Data"
untagged 1-48
ip helper-address 10.2.34.10
ip address 192.168.6.2 255.255.255.0
tagged 49-52
exit
lldp enable-notification 1-48
banner motd "\n ******************************************\n * WARNING - PRIVATE ELECTRONIC DEVICE\n * Authorized personnel only\n * Unauthorized access prohibited\n ******************************
************\n\n"
power-over-ethernet pre-std-detect
timesync sntp
sntp unicast
no telnet-server
no web-management
web-management ssl
ip route 0.0.0.0 0.0.0.0 192.168.7.1
snmp-server community "public" unrestricted
snmp-server contact "IT Department"
no dhcp config-file-update
password manager
password operator

On the firewall:

INT 0 - External Interface to T1
INT 1 - VLAN (VLans 26 & 36 defined and tagged)
INT 2 - 5 not used.

At some point to make this whole QOS thing complete, I'll need to enable that over the tunnel, and have it enabled at the corporate firewall. For now, this gets my remote site up and going to where I can deploy the equipment.

Thanks Vance & Cajun for sticking it out with me

James