Cisco 9330 gateway for ip phone vlan

mostafa-parsaee
Level 1

Hello All

I have a Cisco 3850 switch used for the distribution layer.

All VLANs and VLAN interfaces are defined on this switch. Involved:

vlan 80 name PC-vlan

vlan 81 name IP-Phone vlan

interface vlan 80

ip addr x.x.x.x x.x.x.x

ip helper-address x.x.x.x

In layer 2 we use access switches, 9200L or 2960X, and users are connected to these switch ports. PCs and IP phones go to the DHCP server, get an IP from DHCP and work normally.

Now I have configured a new Cisco switch, a 9300X-24Y, for my distribution layer with exactly the same configuration as the 3850 (all VLANs, VLAN interfaces and other configs are the same).

When I put the new switch in place in the DSW layer, all PCs are OK, but the IP phones cannot get an IP from the DHCP server.

I rolled back to the old DSW switch and the IP phones got an IP and worked normally, but with the new 9300 DSW switch they do not work.

Some other info that may be helpful:

int gi0/1( trunk port):

switchport trunk native vlan 999
switchport trunk allowed vlan 80-81
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
ip dhcp snooping trust

 

vtp version: 3

no vtp password

DSW switch: vtp primary

access switch: vtp transparent

ASW switch: ip arp inspection, ip dhcp snooping, port security

Ip phones : Mitel 5212

Please help me. Is there any config needed on the 9300 switch or the access switches to resolve this problem?


mostafa-parsaee
Level 1

Excuse the misspelling:

Cisco 9300 gateway for ip phone vlan

@mostafa-parsaee 

It should work. If you mirrored the configuration, I really don't see why not.

The only way to figure this out is to take the config from both switches and use a program like CompareIt in order to make sure you did not miss anything.

Other than that, the option would be to install the 9300 and troubleshoot.

marce1000
Hall of Fame

 

- For the time being, could you try without these configuration commands on int gi0/1:

...
ip arp inspection trust
ip dhcp snooping trust

And check if that can help (?)

  M.




Thanks for the reply,

I tested it but it did not work.

Hello,

Is your DHCP server on a separate network? If so, how do your phones know where to get an IP address and subsequently their TFTP settings for call manager? You will need a helper address on their Default Gateway VLAN interface for your phones to reach the resources they need.

 

Are you able to provide the full config of the 9300 and the 3850?

 

-David

The DHCP server is my PDC-ADC and is in the local network.

The VLAN interface is defined on the DSW switch like this:

interface vlan 81

description default-gateway for IP-Phones

ip addr x.x.x.x x.x.x.x

ip helper-address 172.10.0.1

ip helper-address 172.10.0.2 

These 2 servers are DHCP servers which have scopes for IP phones.

 

mostafa-parsaee
Level 1

3850 Config:

version 16.12
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
service compress-config
service sequence-numbers
service call-home
platform punt-keepalive disable-kernel-core
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 8192 informational
logging console critical
logging monitor informational

!
aaa session-id common
switch 1 provision ws-c3850-12s
!
no ip source-route
ip routing
!
!
ip name-server 172.10.0.1 172.10.0.2
no ip domain lookup
ip domain name xxxx
!
!
!
login block-for 30 attempts 3 within 10
login delay 3
login on-failure log every 3
login on-success log
!
!
udld aggressive
no device-tracking logging theft
!
license boot level ipservicesk9
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 24576
memory reserve critical 1000
memory free low-watermark processor 79502
!
errdisable recovery cause all

redundancy
mode sso
!
!
transceiver type all
monitoring
hw-switch switch 1 logging onboard message
no cdp run
!
!
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-multicast
description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
!
policy-map system-cpp-policy

interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/1/3
description Link to CSW-A01
no switchport
ip address xxxx xxxx
ip ospf priority 0
!
interface GigabitEthernet1/1/4
description Link to CSW-A02
no switchport
ip address xxxx xxxx
ip ospf priority 0
!
interface GigabitEthernet1/0/1
switchport trunk native vlan 999
switchport trunk allowed vlan 80-83
switchport mode trunk
switchport nonegotiate
logging event trunk-status
!
interface Vlan1
no ip address
shutdown
!
interface Vlan80
description Computer Default-Gateway
ip address xxxx xxxx
ip helper-address 172.10.0.1
ip helper-address 172.10.0.2
!
interface Vlan81
description IPPhone Default-Gateway
ip address xxxx xxxx
ip helper-address 172.10.0.1
ip helper-address 172.10.0.2
!
interface Vlan82
description CCTV Default-Gateway
no ip address
shutdown
!
interface Vlan83
description Printer Default-Gateway
ip address xxxx xxxx
ip helper-address 172.10.0.1
ip helper-address 172.10.0.2
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip ssh time-out 60
ip ssh version 2
ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr 3des-cbc
!
!
logging trap critical
!
!

control-plane
service-policy input system-cpp-policy

ntp server xxxx

end

 

9300 config:


version 17.9
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
service compress-config
service sequence-numbers
platform punt-keepalive disable-kernel-core
!
hostname my-switch
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 8192 informational
logging console critical
logging monitor informational
!
aaa session-id common
switch 1 provision c9300x-24y
!
!
ip routing
!
!
ip name-server 172.10.0.1 172.10.0.2
no ip domain lookup
ip domain name xxxx
!
!
login block-for 30 attempts 3 within 10
login delay 3
login quiet-mode access-class MANAGEMENT
login on-failure log every 3
login on-success log
udld aggressive
vtp version 3
!
!

license boot level network-advantage addon dna-advantage
license smart transport callhome
memory reserve critical 1000
memory free low-watermark processor 131040
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 24576
!
!
errdisable recovery cause all

redundancy
mode sso
crypto engine compliance shield disable
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip dhcp client client-id ascii FVH2823L0PT
ip address dhcp
negotiation auto
!
interface TwentyFiveGigE1/0/1
description Link to CSW-A01
no switchport
ip address xxxx
ip ospf priority 0
logging event trunk-status
!
interface TwentyFiveGigE1/0/2
description Link to CSW-A02
no switchport
ip address xxxx
ip ospf priority 0
logging event trunk-status
!
interface TwentyFiveGigE1/0/10
switchport trunk native vlan 999
switchport trunk allowed vlan 80-83
switchport mode trunk
switchport nonegotiate
logging event trunk-status

interface Vlan1
no ip address
no ip route-cache
shutdown

interface Vlan80
description Computer Default-Gateway
ip address xxxx xxxx
ip helper-address 172.10.0.1
ip helper-address 172.10.0.2
!
interface Vlan81
description IPPhone Default-Gateway
ip address xxxx xxxx
ip helper-address 172.10.0.1
ip helper-address 172.10.0.2
!
interface Vlan82
description CCTV Default-Gateway
no ip address
shutdown
!
interface Vlan83
description Printer Default-Gateway
ip address xxxx xxxx
ip helper-address 172.10.0.1
ip helper-address 172.10.0.2
!

ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip ssh time-out 60
ip ssh version 2
!
logging trap critical
logging host xxxx
!
control-plane
service-policy input system-cpp-policy
!
!
exception crashinfo maximum files 20
end

Do you have the VLANs created on both sides? (I do not see them in the config.) Adding the interface does not mean the VLAN is created. Can you post show span vlan 80 / 81 / 999 (from both the access and DSW side)?

Testing:

1. On both sides, change the native VLAN from 999 to 80 and test it.

2. Can you connect the same phone to the Cat 9300? Does that work?

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for Reply.

Yes, VLANs 80-81 are created on the DSW switch, and the ASW switch gets them as a VTP client.

1 - I tested it but it did not work.

2 - I don't want to connect an IP phone to the 9300 switch. This switch is the distribution switch. The phone is connected to the ASW.

However, I cannot connect any of the same phones (Mitel 5212) to the ASW. Only the new model, Mitel 5312, tested OK.

 

VTP version 3 has no password. Maybe related to the issue?

The two ends of the link are not the same. The DSW side is 10/25G and the ASW is 1G. Maybe related to the issue?

We have seen some issues like this with old phones. If the new phone is working, check the options in DHCP; that is where everything points to the issue. This has nothing to do with VTP, as long as the other phone is working.

Make sure the DHCP options for the old and new phones are added.

Run the debug and also provide one of the ASW configurations. What model is the switch?

 

 

BB


Thanks for the reply.

The DHCP option for IP-Phones:

125 Mitel: id:ipphone.mitel.com; sw_tftp=x.x.x.x ; call_srv=x.x.x.x dscp=56

And it is working for the Mitel 5212 when the 3850 switch is the DSW switch, but it does not work when the 9300 switch is the DSW. And the Mitel 5312 works when the new 9300 switch is the DSW switch.

Which option should I configure for this issue?

Here is the config for the ASW switch:

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime year
service password-encryption
service sequence-numbers
no service dhcp
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 informational
logging console critical
logging monitor informational
!
!
aaa new-model
!
!
aaa session-id common
clock timezone IRAN 3 30
system mtu routing 1500
vtp domain xxxx
vtp mode transparent
udld aggressive
no ip source-route
no ip domain-lookup
ip domain-name xxxx
ip name-server 172.10.0.1
ip name-server 172.10.0.2
!
!
ip dhcp snooping vlan 80-83
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 80-83
login block-for 30 attempts 3 within 10
login on-failure log every 3
login on-success log
!
errdisable recovery cause all
memory reserve critical 1000
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 80
name computers
!
vlan 81
name IP-Phones
!
vlan 82
name CCTV
!
vlan 83
name Printers
!
vlan 400
name RSPAN
remote-span
!
vlan 900
name UseLess
!
vlan 999
name AntiVLANhopping
!
ip ssh time-out 60
ip ssh version 2
ip scp server enable
!
interface GigabitEthernet0/1
switchport access vlan 80
switchport mode access
switchport voice vlan 81
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security
switchport port-security max 2
switchport port-security aging time 1440
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security mac-address sticky
ip arp inspection limit rate 100
storm-control broadcast level bps 2m 1.5m
storm-control action trap
no lldp transmit
no lldp receive
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
ip verify source port-security
ip dhcp snooping limit rate 100
!
interface GigabitEthernet0/49
switchport trunk native vlan 999
switchport trunk allowed vlan 80-81
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
ip dhcp snooping trust
!
interface Vlan1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
no ip classless
no ip http server
no ip http secure-server
!
no vstack
!
exception memory ignore overflow processor
exception memory ignore overflow io
ntp clock-period 36028922
ntp source Vlan7
ntp server xxxx
mac address-table notification change
mac address-table notification mac-move
mac address-table notification threshold
end

Hi,

Your DSW - ASW trunk appears rather inconsistent as for the native vlan (tagging). I can see "vlan dot1q tag native" at ASW but cannot see the command at the opposite side (DSW). Can you please set both sides identically and check if there is any progress.

Best regards,

Antonin
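The two comparisons suggested in this thread (the old 3850 config against the new 9300 config, and the two ends of the DSW-ASW trunk), as an added example that is not part of any post. It uses excerpts of the posted configs; the function names, and the pairing of GigabitEthernet1/0/1, TwentyFiveGigE1/0/10 and GigabitEthernet0/49 as the same trunk, are assumptions.

```python
# Added example (hypothetical names); excerpts copied from the configs in this thread.

def parse_ios(text):
    """Map stanza header -> set of lines. With indentation lost, an
    interface stanza is taken to end at the next '!' or blank line."""
    stanzas, current = {"global": set()}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = "global"
        elif line.startswith("interface "):
            current = line
            stanzas.setdefault(current, set())
        else:
            stanzas[current].add(line)
    return stanzas

def diff_configs(left, right, rename=None):
    """Return {stanza: (only_left, only_right)} for stanzas that differ.
    rename maps a left-side interface header to its right-side counterpart."""
    rename = rename or {}
    a = {rename.get(k, k): v for k, v in parse_ios(left).items()}
    b = parse_ios(right)
    out = {}
    for name in sorted(set(a) | set(b)):
        only_a = sorted(a.get(name, set()) - b.get(name, set()))
        only_b = sorted(b.get(name, set()) - a.get(name, set()))
        if only_a or only_b:
            out[name] = (only_a, only_b)
    return out

TRUNK = ("switchport trunk native vlan 999\nswitchport trunk allowed vlan {}\n"
         "switchport mode trunk\nswitchport nonegotiate\n")
DSW_3850 = ("no ip source-route\nip routing\nno cdp run\n!\n"
            "interface GigabitEthernet1/0/1\n" + TRUNK.format("80-83")
            + "logging event trunk-status\n!\n")
DSW_9300 = ("ip routing\nvtp version 3\n!\n"
            "interface TwentyFiveGigE1/0/10\n" + TRUNK.format("80-83")
            + "logging event trunk-status\n!\n")
ASW = ("vlan dot1q tag native\n!\n"
       "interface GigabitEthernet0/49\n" + TRUNK.format("80-81")
       + "ip arp inspection trust\nip dhcp snooping trust\n!\n")

def swap_3850_9300():  # old vs new distribution switch
    return diff_configs(DSW_3850, DSW_9300, {
        "interface GigabitEthernet1/0/1": "interface TwentyFiveGigE1/0/10"})
def trunk_ends():  # DSW trunk port vs ASW uplink (assumed to be the same link)
    return diff_configs(DSW_9300, ASW, {
        "interface TwentyFiveGigE1/0/10": "interface GigabitEthernet0/49"})

if __name__ == "__main__":
    for title, result in (("3850 -> 9300", swap_3850_9300()), ("DSW <-> ASW", trunk_ends())):
        for stanza, (left, right) in result.items():
            print(f"{title} [{stanza}] left only: {left} | right only: {right}")
```

The output lists lines that did not carry over between the configs; it does not say which of them, if any, explains the phone behaviour.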

Since you have another phone working, that means snooping is OK, I believe.

Can you default one of the interfaces, apply just a simple configuration and test it:

interface x/x
switchport access vlan xx
switchport mode access
switchport voice vlan yy
switchport port-security maximum 4
switchport port-security violation restrict
switchport port-security aging time 5
switchport port-security aging type inactivity
switchport port-security
no logging event link-status
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable

BB


Thank you for the extra info. I don't see anything wrong with the config initially. Can you supply a drawing/map of how all the switches/phones are connected?

Also can you put a local DHCP configuration on the router (same as the other DHCP pool) for the phones to test if that works?