Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[millbull]

Hi everybody,
I can't figure out how to make my configuration work. I'm using Ip phones (Aastra) on port 1-7, with PCs behind the phones, and port 8 linked to a Sophos Firewall (providing dhcp for phones and PCs).
Here's my config:
VID 1 default  ports 1-8 untagged
PVID 1 for ports 1-8
voice vlan enabled (VID 50, priority highest, user defined OUI (00-08-5D-00-00-00 Aastra)
voice vlan port settings: ports 1-8   auto-detection enabled /untagged

all the PCs get their ip from dhcp and can access Internet, but the phones don't.
In the vlan list, the phones are detected and set in vlan 50, but port #8 (linked to the dhcp) isn't in vlan 50 but only in VID1, and I can't put it manually.
I've missed something... In my mind, PC's data is carried in one vlan (in my conf, VID1) and Phone traffic in another Vlan (VID50) and both traffics should go thru port #8 untagged, am I wrong ? How can I set port 8 to be in both vlan ? I'm stuck there, so any help would be greatly appreciated!  thanks.

[PacketTracer]

Hi,

I assume that since your Sophos Firewall has no Aastra OUI and does not behave like an Aastra IP phone you can't use the same configuration for port #8 as for the other ports 1-7.

If true, you would have to configure Port #8 within 'IEEE 802.1Q VLAN Configuration', after having added VLAN 50 via 'Add VID', to be used for VLAN 1 (untagged) and  VLAN 50 (tagged) instead.

But this means, your Sophos Firewall must be VLAN aware and be able to configure 2 logical interfaces sharing the same physical interface that connects to port #8 of your switch, one logical interface sending and receiving untagged frames (mapped to VLAN 1 for PC data) and the other one sending and receiving frames tagged VLAN 50 (for voice data).

If your Sophos Firewall does not provide such feature, you can use only switch ports 1-6 for IP phone/PC connections and use ports #7 (configured for VLAN 1 untagged) and port #8 (configured for VLAN 50 untagged) to connect to 2 physical ports of your Sophos Firewall, the first one handling PC data and the second one handling voice data respectively.

PT

[millbull]

Hi,
It seems possible to create Vlan interfaces in the Sophos. I'm gonna make a try. Thanks for your help.

[millbull]

Hi, it works fine    The Sophos can't run tagged and untagged frames in the same interface, so I've configured the NIC to handle voice vlan 50 and data vlan 10, with DHCP for each network. Port #8 is member of vlan 50 et 10 (tagged). Ports 1-7 are in Vlan 10 untagged and dynamically with autodetection in VLAN50, untagged.
I've set ports 1-7 PVID to 10. Is it necessary ?

My network is composed of  7 PC,  6 IP phones and 4 Ip cams. According to your experience, is it really usefull to deal with Vlans, or running everybody in Vlan 1 would make no difference ?

Thanks again for your help.

[PacketTracer]

Hello again,

I've set ports 1-7 PVID to 10. Is it necessary ?

Being more familiar with Cisco switches and never having configured a D-Link switch, I don't know how a D-Link switch reacts if you configure PVID x and an untagged VID y for the same port, where x and y are different. In theory there can only be one untagged VID per port, hence only x=y should be possible, and the switch should refuse any trial to configure x<>y for any port.

On the other hand within "VLAN > 802.1Q VLAN PVID" you can't circumvent to set some PVID per port, hence setting PVID=10 for ports 1-7 is at least consistent with setting ports 1-7 to untagged for VID 10 within "VLAN > 802.1Q VLAN" and obeys to the "x=y" rule discussed above.

Since you configured VIDs 10 and 50 both tagged and no additional untagged VID for port 8 within "VLAN > 802.1Q VLAN", in principle you could configure a PVID x other than 10 or 50 for port 8 (e.g. PVID=1), but this would not make much sense, since VID x is not available on any other switch port. A setting of PVID=10 for port 8 just means that frames entering port 8 untagged would be tagged 10 inside the switch. Of course this case never happens, because your Sophos device plugged to port 8 only sends tagged data (VID 10) or voice (VID 50) frames.

... is it really usefull to deal with Vlans, or running everybody in Vlan 1 would make no difference ?

Vlans are useful if you want/must have several LANs inside which different types of traffic have to flow strictly seperated from each other due to several possible reasons, for example security or different QoS settings (as is the case with you where voice frames have to be preferred to data frames).

Without Vlans you would have to use one physical switch per seperate LAN to isolate traffic from each other. With Vlans (and that's the joke) you can use one physical switch and nonetheless seperate traffic from each other, because frames are tagged with different VIDs inside the switch and no frame travelling inside VLAN x can never get to VLAN y. With Vlans you can imagine your physical switch being partitioned into several logical switches, one logical switch per VLAN, where the logical ports of each logical switch are mapped to the physical ports of your physical switch, and where several logical ports of different logical switches may share the same physical port (externally distinguishable because in this case of "overloaded" ports frames must be sent tagged with the VID of the VLAN they belong to, with the exception of exactly one VLAN, that is allowed to send untagged frames).

If there are no reasons to separate data of different types (same security level, no different QoS demands, same characteristics for any other quality aspect), you don't have to use Vlans, or to be more accurate, you only use one Vlan (which is default VID 1 untagged on every port).

PT

[millbull]

Thank for your reply. It's the first time I'm using a D-link switch and have to configure Ip phone traffic thru a firewall. I've already configured Cisco Ip phones in a school test lab, and  with CDP and "switchport voice vlan " , it's easier.  And never heard about PVID before, but only native vlan.

When I asked for the usefullness of vlans, I was thinking about the need to use a dedicated voice vlan for just few Ip phones. I know Qos is important for voice traffic, especially when crossing multiple switches in a large network, but I wasn't sure it's still mandatory in a small network like mine.

In my configuration, the separate vlans seem to work. For now I can only test it internally, or from an inside phone to an outside one, and we have a 2 ways conversation. Also 2 ways when making a call between 2 phones in the same subnet.
When I make a call between 2 phones separated by the Firewall (but still under the router), I have a one way communication. It's ok from inside to outside, but not in the other way. So, I still have to dig a little more on the FW configuration. :-)

[millbull]

In "voice vlan port settings", the voice traffic seems to be detected, as the switch reports "current state: untagged " and "status: dynamic", but there's no information in "voice device list", even if I specify a port connected to a phone and make a "search". Are your phones detected in that device list ?

[oklarbi]

I have a network made up of a dlink DGS-1210-28P web smart switch, a mikrotik router, a Yeastar MyPBX U200 and two Snom 300 sip phones.

I have configured the dlink switch with three vlans:
vlan 10 (server vlan), vlan 20 as voice vlan and vlan 30 as computer vlan.

The port assignments are as follows
vlan   ports   Tagged/untagged
 10    1-8   untagged
 20             untagged
 30    9-22     untagged

port 23 is tagged for all vlans and connected to the mikrotik router with subinterfaces in the various vlansto provide intervlan routing. The mikrotik has dhcp pools for each vlan. vlan 10 (192.168.10.0 /24),vlan 20  (192.168.20.0/24) and vlan 30 (192.168.30.0/24)

port 22 is tagged for vlan 20 and connected to the IP PBX.

Port 9-22 is set to untagged and auto-detect for the voice vlan (vlan 20) with a priority of 5. The OUI of the Snom(00-04-13-00-00-00) is configured  under the voice vlan OUI settings.

Connection

Router----->(port 23)Switch(port 9-22)---------->(Net Port)Phone(PC Port)--------->Computer
                        |
                      (port 22)----->IP/PBX   


Problem

Phones automatically move to vlan 20 and receive dhcp ip address in the range 192.168.20.0 /24 with correct default gateway
Computers automatically move to vlan 30 and recieve dhcp ip addresses in the range 192.168.30.0 /24 with correct defaultgateway.
But computers can ping the default gateway on 192.168.20.0 as well as the IP/PBX but cannot ping or connect to the IP phones.

Any help will be greately appreciated.

[FurryNutz]

Any status on this?

 

I have a network made up of a dlink DGS-1210-28P web smart switch, a mikrotik router, a Yeastar MyPBX U200 and two Snom 300 sip phones.

I have configured the dlink switch with three vlans:
vlan 10 (server vlan), vlan 20 as voice vlan and vlan 30 as computer vlan.

The port assignments are as follows
vlan   ports   Tagged/untagged
 10    1-8   untagged
 20             untagged
 30    9-22     untagged

port 23 is tagged for all vlans and connected to the mikrotik router with subinterfaces in the various vlansto provide intervlan routing. The mikrotik has dhcp pools for each vlan. vlan 10 (192.168.10.0 /24),vlan 20  (192.168.20.0/24) and vlan 30 (192.168.30.0/24)

port 22 is tagged for vlan 20 and connected to the IP PBX.

Port 9-22 is set to untagged and auto-detect for the voice vlan (vlan 20) with a priority of 5. The OUI of the Snom(00-04-13-00-00-00) is configured  under the voice vlan OUI settings.

Connection

Router----->(port 23)Switch(port 9-22)---------->(Net Port)Phone(PC Port)--------->Computer
                        |
                      (port 22)----->IP/PBX   


Problem

Phones automatically move to vlan 20 and receive dhcp ip address in the range 192.168.20.0 /24 with correct default gateway
Computers automatically move to vlan 30 and recieve dhcp ip addresses in the range 192.168.30.0 /24 with correct defaultgateway.
But computers can ping the default gateway on 192.168.20.0 as well as the IP/PBX but cannot ping or connect to the IP phones.

Any help will be greately appreciated.

[oklarbi]

Yes, I will post the solution shortly

[oklarbi]

Since we were going piggy back the data connections to the phone. The switch needs a way of telling the difference between the traffic from both VLANs.

The solution is to set the ports to tagged for the voice vlan and untagged for the data vlan. The voice traffic will now be tagged and the data traffic will now be untagged [placed in the native VLAN (PVID) of the port]

This can be achieved under the Voice VLAN pane.

1. Go to Voice Vlan=> Voice VLAN Port Settings.
2. Set the ports to tagged for the voice VLAN.

Note:
Before going through the steps above;
-You should have enabled voice vlan and specified which vlan is ur voice vlan under  "VOICE VLAN GLOBAL Setting".
-Still under the Global Setting, enter the telephony OUI (which is the first six characters the mac addres) of the IP phones you want to use on your setup.
-You should have configured the voice vlan on the IP phone. This can be done either statically or by using DHCP options.

Let me know if you need help with anything relating to this.

[FurryNutz]

Glad you got it working.
Thank you for posting the process to make it work. Hope it helps future users.
Enjoy.