Re: Vlan Access from port [Ip Phone] -Forced-

benahmeddaho_MOURAD · ‎01-24-2021

Hi Everyone,
Let say, we have an #Access_switch and an #Ip_Phone connected to that switch in port g1/0/1. This last is configured as access to vlan 10 and voice to vlan 20.
Q: how to force a user to access vlan 10 -#Forced using the #ip_Phone_pc_port- => not unplug the cable from the ip phone and plug it in his PC or laptop!

NB: without using (eem,tcl,....) only the switchport_commands

Best Regards!

paul driver · ‎01-24-2021

Hello

Configure the switchport to instruct the ip phone to trust all data traffic or even mark it down to a cos 0 originating from it own access-port

int x/x/
description voip_port
switchport priority extend cos 0 (default)
or
switchport priority extend trust

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

balaji.bandi · ‎01-24-2021

as per my understanding of the question was - you have original configure of the port was to cater to VOICE and DATA VLAN,

before it was connected to Phone-PC, now you like to connect to only Pc without a Phone? is this correct. ?

I do not believe you need to change anything on the switch port config technically, the PC should work as expected.(without connected to the phone)

if that is not the case please post-show run interface gi 1/0/1 to understand better.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

benahmeddaho_MOURAD · ‎01-24-2021

hi,
1) i have configured 2 vlans : Access and voice
2) i do not want that a user unplug the cable from the ip_Phone ==> [ip phone off], and use it for his laptop!
and if he do, he can #NOT be connected
3) a user must {if wanna connect to lan using that switchport } be connected after the ip phone on the PC port(of the ip phone)
im I cear!

paul driver · ‎01-24-2021

Hello
Well @balaji.bandi is correct, traffic originating from the pc should work, However if you wanted to qos remark that data traffic from the pc or trust it you could apply one of the two commands i stated previously.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

balaji.bandi · ‎01-24-2021

Sure thank you for the clarification, i agree with @paul driver suggested commands,

Since we do not know the device model and IOS running, i can refer good document which can help you to understand better.

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/113260-voice-vlan-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Tyson Joachims · ‎01-24-2021

@benahmeddaho_MOURADIf I understand your last comment, you want to make it so the computer only gets a connection if it is plugged into the phone. If the user unplugs the phone from the wall jack and plugs in their computer, you do not want them to get a connection.

I'm not sure you can easily do that; however, my first question is why you might want to do that. Assuming your data VLAN is 10 and your voice VLAN is 20, if you configure your switch interface with the following commands:

interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport voice vlan 20
 switchport mode access

then the computer will get VLAN 10 regardless of if it is plugged into the phone or directly into the wall jack. The phone figures out that it needs to use VLAN 20 for voice because of CDP so you should have no worries in a user unplugging the phone and plugging their laptop into the wall jack because they will always get the same network.

benahmeddaho_MOURAD · ‎01-25-2021

Hi,
i feel like, you understand well my query.
[my first question is why you might want to do that] :
1) the laptops can get connection from WiFi
2) there are many ports destinated for lan connection
3) and why turning off an Ip_Phone== calls local & external == Business (by unpluging the ip_phone and plug it to laptop ), we can say it is a DoS for ip_phone
Best Regards!

balaji.bandi · ‎01-25-2021

2) i do not want that a user unplug the cable from the ip_Phone ==> [ip phone off], and use it for his laptop!
and if he do, he can #NOT be connected

But this what you looking to do so as per the post ? we suggested to secure the port config - have you tried it ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

benahmeddaho_MOURAD · ‎01-25-2021

Hi,
Yes, i did. And the laptop can connect easely after the cable unplug from the ip phone then plug it to the Laptop!

i use this command [#switchport priority extend trust]

balaji.bandi · ‎01-25-2021

Can you post one of interface config, how you configured - (i will be more intrested to look to - show run full config)

that give us certain degree of view what is the issue.

show run

show version

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Tyson Joachims · ‎01-25-2021

If the laptops are getting a connection via the Wi-Fi, you could look at implementing port security on each switch interface (not on the interfaces connected to other switches or APs). If a user unplugs the phone and tries to plug in their laptop, the switch interface can either shutdown completely or just drop the laptop's traffic (depending on your configuration).

The following code sample will learn the MAC address of the phone. If any other MAC address is "heard" on the switch interface (such as a laptop that has been plugged in after removing the phone), that traffic is discarded and a log entry is added to the switch's log:

interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky 
 switchport port-security violation restrict

Unfortunately, this solution means that the users would not be able to plug their laptops into the port on the phone either and would have to remain on Wi-Fi in order to get their network connection. If you are specifically looking for a solution where the switch port will not forward traffic if it does not detect the phone being connected, I do not know how that might be accomplished.

paul driver · ‎01-25-2021

Hello
you seem to going off track with your query?

What exactly are you trying to accomplish?

if its that you wish the wifi to be disabled upon a wired connection then this ISNT a switch setting its a wifi network card setting

in the advanced properties of the wifi nic driver you can set it to “disable upon wired connection”

Is it this you require?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul