Solved: 1) When you connect the PC to

mark l · ‎02-16-2017

Sorry boys and girls, I am new to Cisco, can anyone please explain to me:

1. SW1 is configured with switchport access vlan 10, Switchport voice vlan 20 on port say.. fa0/2.

if I connect an IP phone to Fa0/2 and PC attach to the switch port on the IP phone, IP phone gets IP ok 192.168.20.2, PC gets IP ok 192.168.10.2. i understand this is the expected behavior. The part I am not so sure about is..if I connect a cisco switch (SW2) to the fa0/2 of SW1 (default config on SW2, nothing is configured), the PC which connects to the SW2 (say..fa0/3))can also can get an IP (192.168.10.x), why this PC can get IP address?

The SW2 has no vlan 10, 20. How this PC can communicate with SW1?

2. Many online tutorial tells that for the initial setup of a switch, assign an IP address to interface VLAN 1,

interface vlan 1

ip address 192.168.1.1 255.255.255.0

my understanding is this is the management IP? In my '1' scenario, my PC attach to say..fa0/2, I should be getting 192.168.10.2, how do I remotely mange the switch (192.168.1.1) from my PC? should I change the above command to something like the below? so my pc and the management IP is in the same IP range?

interface vlan 10

ip address 192.168.10.1 255.255.255.0

3. In my '1' scenario, I understand this is for a switch->IP phone->PC type of deployment, what happens if I connect the PC directly to the switch without an IP phone in the middle? Will this PC work as normal? ie. My PC gets vlan 10?

Francesco Molino · ‎02-16-2017

Hi

Let me try to answer your questions in an easy way.

When you're configuring your switch with access vlan 10 and voice vlan 20:

access vlan 10: All frames going on that part aren't tagged and it is exactly the same behavior having vlan 1 as default except that we're setting the port in a different subnet (segmentation).
Voice vlan 20: All devices announcing themselves as a voice device using CDP or LLDP protocol will be placed in that specific vlans.

That means, if you connect your laptop directly to your switch without any IP phones in between, it will get an IP address of vlan 10 because it's a data device and not a voice (not using CDP or LLDP).

If you connect a switch to that port, all machine connected to that 2nd switch (with default vlan 1 config) will go through this switch-to-switch link and get vlan 10 as their data vlan. If the port on your first switch was a trunk and no native vlan was set, then all pc behind your 2nd switch won't work unless you configure a local vlan database and set your port facing the 1st switch as trunk as well.

If on the 1st switch port f0/2, you set bpduguard capabilities, you'll see that connecting a switch to it will block that port and no one behind the 2nd switch will get an IP address.

To summarize:

Voice vlan: is the same behavior of a trunk except that it uses CDP/LLDP to detect the voice device and tag the vlan id on that device
Data vlan: if in access mode, no tagging dot1q on the frame but segmentation to place PC in the right vlan. If switches are connected behind that port, no need to configure any vlan database or trunk.. If it's in trunk mode, then you'll need to configure a vlan database and trunk interfaces.

Hope that's clear :-)

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Richard Burts · ‎02-16-2017

1) When you connect the PC to SW2 (which has no vlan configuration) and connect SW2 to an access port on SW1 in vlan 10, then when the PC sends a DHCP request it is a broadcast and is forwarded to all ports in the vlan (including the port that connects to SW1). And so the request passes through SW2 and arrives at SW1 in vlan 10. The DHCP request gets to the DHCP server and receives an IP address in vlan 10. SW2 does not have vlan 10 and that does not matter. The PC sent the initial Ethernet frame as a broadcast with no tagging, SW2 forwarded the frame with no tagging, and it was received on SW1 in a port associated with vlan 10. So as far as SW1 knows this is traffic in vlan 10.

2) If you have configured the switch with a management address of 192.168.1.1 and the PC has an IP address of 192.168.10.2 then the PC will not be able to communicate directly with the management interface of the switch. When you have configured multiple vlans in the network you should also have configured some device to perform inter vlan routing. So what needs to happen is that the PC wants to communicate with the management IP of the switch and will send the IP packet to the default gateway of the PC. That gateway device can then forward the packet to the switch in its management vlan.

3) If you connect a PC directly to an access port of SW1 (no phone connected, just the PC) it should work just fine for the PC.

HTH

Rick

HTH

Rick

View solution in original post

Francesco Molino · ‎02-16-2017

Hi

Let me try to answer your questions in an easy way.

When you're configuring your switch with access vlan 10 and voice vlan 20:

access vlan 10: All frames going on that part aren't tagged and it is exactly the same behavior having vlan 1 as default except that we're setting the port in a different subnet (segmentation).
Voice vlan 20: All devices announcing themselves as a voice device using CDP or LLDP protocol will be placed in that specific vlans.

That means, if you connect your laptop directly to your switch without any IP phones in between, it will get an IP address of vlan 10 because it's a data device and not a voice (not using CDP or LLDP).

If you connect a switch to that port, all machine connected to that 2nd switch (with default vlan 1 config) will go through this switch-to-switch link and get vlan 10 as their data vlan. If the port on your first switch was a trunk and no native vlan was set, then all pc behind your 2nd switch won't work unless you configure a local vlan database and set your port facing the 1st switch as trunk as well.

If on the 1st switch port f0/2, you set bpduguard capabilities, you'll see that connecting a switch to it will block that port and no one behind the 2nd switch will get an IP address.

To summarize:

Voice vlan: is the same behavior of a trunk except that it uses CDP/LLDP to detect the voice device and tag the vlan id on that device
Data vlan: if in access mode, no tagging dot1q on the frame but segmentation to place PC in the right vlan. If switches are connected behind that port, no need to configure any vlan database or trunk.. If it's in trunk mode, then you'll need to configure a vlan database and trunk interfaces.

Hope that's clear :-)

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

mark l · ‎02-16-2017

Thank you Francesco,

"If you connect a switch to that port, all machine connected to that 2nd switch (with default vlan 1 config) will go through this switch-to-switch link and get vlan 10 as their data vlan."

I have tried to connect an IP phone to SW2, It received an IP address (192.168.10.x) which is on the data vlan range, the PC attached the phone received the valid IP (192.168.10.x).

What is the story behind this? why not CDP or LLDP travel all the way to sw1? so IP phone can get the correct IP (192.168.20.x)

What is the role of native VLAN 1 here? Can I consider VLAN1 and Vlan 10 the same because they are both untagged? Is there a reason that all tutorials point to create vlan 10 for data, vlan 20 for voice, Can we simply use Native Vlan1 for data? therefore only two vlans 1 and 20, less confusing..

Francesco Molino · ‎02-16-2017

Hi

An IP phone on your seconds switch won't have an IP on voice vlan because it's not configured. Even if there is still cdp, you haven't configured the vice tagged vlan by using the command switchporr voice vlan.

This is the expected behavior.

To have the voice vlan you need to configure interfaces facing each other between sw1 and sw2 as trunk, create the vlan database on sw2 and configure the port on sw2 like you've done on sw1.

Vlan 1 is the control traffic vlan. All bpdus and other network protocol like stp, vtp pass through it. it is also called native vlan on trunk port for example if unchanged.

Here some documentation:

http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=11

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Richard Burts · ‎02-16-2017

1) When you connect the PC to SW2 (which has no vlan configuration) and connect SW2 to an access port on SW1 in vlan 10, then when the PC sends a DHCP request it is a broadcast and is forwarded to all ports in the vlan (including the port that connects to SW1). And so the request passes through SW2 and arrives at SW1 in vlan 10. The DHCP request gets to the DHCP server and receives an IP address in vlan 10. SW2 does not have vlan 10 and that does not matter. The PC sent the initial Ethernet frame as a broadcast with no tagging, SW2 forwarded the frame with no tagging, and it was received on SW1 in a port associated with vlan 10. So as far as SW1 knows this is traffic in vlan 10.

2) If you have configured the switch with a management address of 192.168.1.1 and the PC has an IP address of 192.168.10.2 then the PC will not be able to communicate directly with the management interface of the switch. When you have configured multiple vlans in the network you should also have configured some device to perform inter vlan routing. So what needs to happen is that the PC wants to communicate with the management IP of the switch and will send the IP packet to the default gateway of the PC. That gateway device can then forward the packet to the switch in its management vlan.

3) If you connect a PC directly to an access port of SW1 (no phone connected, just the PC) it should work just fine for the PC.

HTH

Rick

HTH

Rick

mark l · ‎02-16-2017

Thank you Richard,

2) If you have configured the switch with a management address of 192.168.1.1 and the PC has an IP address of 192.168.10.2 then the PC will not be able to communicate directly with the management interface of the switch. When you have configured multiple vlans in the network you should also have configured some device to perform inter vlan routing. So what needs to happen is that the PC wants to communicate with the management IP of the switch and will send the IP packet to the default gateway of the PC. That gateway device can then forward the packet to the switch in its management vlan.

Can I set management interface on each vlan?(data vlan 10 in this case), so I can assign an IP which is in our server's IP range?

eg. - will this command work? so 192.168.10.166 becomes switch's IP

interface vlan 10

ip address 192.168.10.166 255.255.255.0

Francesco Molino · ‎02-16-2017

Hi

On most of switches used today, if it had the right sdm template (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swsdm.html#74166) and the command ip routing will be able to handle routing.

When you create multiple SVI (layer 3 vlan interfaces), unless you have configured acl, all subnet hosts can talk to each other.

Each vlan represents a subnet of machines. Usually you have 1 vlan dedicated for servers, 1 for voice, 1 for data,... And 1 for management purpose. This management vlan is used to access the switch through ssh, send requests to a radius server for authentication,... and so on. If you don't configure any acl, you can also ssh to the switch through any of others svi.

On recent switches, you have specific interfaces for management purpose called management out of band.

To answer your question, switches can handle inter vlan routing or you can use a router and do a router on a stick. For your second question, you usually have only 1 management vlan.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Richard Burts · ‎02-17-2017

To be able to answer this question we need to clarify some things. First we need to understand whether the switch you are asking about will operate as a layer 3 switch or as a layer 2 switch. Some switches are restricted to operate only as layer 2 and many switches can operate as either layer 2 or layer 3 switches. A layer 2 switch can do only layer 2 forwarding using MAC address while a layer 3 switch can do both layer 2 forwarding using MAC address and also layer 3 forwarding using IP address. A layer 2 switch should have only one vlan interface configured with an IP address while a layer 3 switch can have multiple vlan interfaces which are configured with IP addresses.

The approach to configuring management address in your 2) question implies that this would be a layer 2 switch but is not clear. So can you clarify whether the switch you are asking about will operate as layer 2 or as layer 3?

On a layer 2 switch you could choose any vlan to be the one with an IP address. So it certainly could be vlan 10 if that makes the most sense to you. But if it were a layer 2 switch you would not have more than 1 interface with an IP address assigned (it would not be each vlan).

HTH

Rick

HTH

Rick

Native Vlan1, data vlan, voice Vlan