VLAN tagging Digium

479130 · ‎05-29-2018

Good evening all,

I have an issue with properly configuring VLAN tagging so being able to connect a computer to DATA VLAN from an non-cisco IP phone.

Goal is to have an IP phone connected to VOICE vlan and get DATA vlan to a host from it.

In this example I use Digium D40 IP phone, connected to interface GigabitEthernet1/0/19 on SWITCH1

And same Digium D40 IP phone connected to interface GigabitEthernet2/0/7 on SWITCH2

SWITCH 1 and SWITCH2 are stacks in different sites connected between and passing VLANs

Both sites have own:

DHCP and FW for SWITCH 1 is 172.16.1.1, 172.28.1.1, etc..

DHCP and FW for SWITCH 2 is 172.16.2.1, 172.28.2.1, etc..

Digium server is at SWITCH1 172.20.1.18

I made sure to have running LDP enabled globally with

Switch(config)# lldp run

To my understading when the IP Phone boots up, it associates itself to the data vlan, just like any host and

gets an IP in the vlan. Then it will communicate with the TFTP server (digium server)

to get the configuration file at which point it will realize that it should

be on the Voice VLAN and then change its vlan from the native vlan to voice

vlan (start tagging the packets).

I got it half working:

I am successfully able to get a DHCP IP in DATA vlan in range 172.16.1.x with an IP phone on SWITCH1

While with an IP phone on SWITCH2, host gets an auto config address 169.x.x.x

I would expect it to get DHCP in DATA vlan in range 172.16.2.1

Both phones reach digium server and work perfecly for calls

What am I missing?

My guess would be ip helper on SWITCH2 but it looks setup correctly to me

Could you point me in right direction?

Below running config from both switches, I have removed unnecessary bits.

Spoiler

SWITCH1

SWITCH1#show run

Building configuration...

Current configuration : 26138 bytes

!

! Last configuration change at 05:21:38 UTC Fri May 25 2018 by ###

!

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime

service timestamps log datetime

service password-encryption

service compress-config

!

hostname SWITCH1

!

boot-start-marker

boot-end-marker

!

vrf definition Mgmt-vrf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

enable secret 5 ###

enable password 7 ###

!

username admin password 7 ###

no aaa new-model

switch 1 provision ws-c3850-24p

switch 2 provision ws-c3850-24p

!

no ip domain-lookup

ip domain-name ###

ip dhcp binding cleanup interval 10

ip dhcp excluded-address 172.16.3.1 172.16.3.12

ip dhcp excluded-address 172.28.3.1 172.28.3.12

ip dhcp excluded-address 172.20.3.1 172.20.3.12

ip dhcp excluded-address 172.30.3.1 172.30.3.12

!

qos queue-softmax-multiplier 100

!

errdisable recovery cause bpduguard

errdisable recovery interval 120

diagnostic bootup level minimal

archive

path flash:/$SW

write-memory

spanning-tree mode pvst

spanning-tree extend system-id

hw-switch switch 1 logging onboard message level 3

hw-switch switch 2 logging onboard message level 3

!

redundancy

mode sso

!

lldp run

!

class-map match-any non-client-nrt-class

!

policy-map port_child_policy

class non-client-nrt-class

bandwidth remaining ratio 10

!

interface Port-channel1

!

interface GigabitEthernet0/0

vrf forwarding Mgmt-vrf

no ip address

negotiation auto

!

interface GigabitEthernet1/0/1

description ===> Digium Eth1 <===

switchport access vlan 20

switchport mode access

switchport port-security maximum 10

switchport port-security violation restrict

switchport port-security aging time 10

switchport port-security aging type inactivity

switchport port-security

storm-control broadcast level 2.50 1.00

spanning-tree portfast

spanning-tree bpduguard enable

!

interface GigabitEthernet1/0/19

switchport access vlan 16

switchport trunk allowed vlan 16,20

switchport mode trunk

switchport voice vlan 20

switchport port-security maximum 10

switchport port-security violation restrict

switchport port-security aging time 10

switchport port-security aging type inactivity

switchport port-security

storm-control broadcast level 2.50 1.00

spanning-tree portfast

spanning-tree bpduguard enable

!

interface TenGigabitEthernet1/1/1

switchport trunk allowed vlan 1,20,28,40,316,320,328,330,402

switchport mode trunk

!

interface TenGigabitEthernet1/1/4

description Fibre1 S-Surf

switchport trunk allowed vlan 16,20,28,30,40,316,320,328,330

switchport mode trunk

channel-group 1 mode auto

!

interface TenGigabitEthernet2/1/4

description Fibre2 S-Surf

switchport trunk allowed vlan 16,20,28,30,40,316,320,328,330,402

switchport mode trunk

channel-group 1 mode auto

!

interface Vlan1

no ip address

shutdown

!

interface Vlan2

description Sapphire Internet

no ip address

!

interface Vlan16

description S-Data

no ip address

!

interface Vlan20

description S-Voice

no ip address

!

interface Vlan28

description S-Mgmt

ip address 172.28.1.11 255.255.255.0

!

interface Vlan30

description S-Guest

no ip address

!

interface Vlan40

description S-CCTV

no ip address

!

interface Vlan228

ip address 172.28.2.4 255.255.255.0

!

interface Vlan311

description Internal-DMZ

no ip address

shutdown

!

interface Vlan316

description S Data

ip address 172.16.3.1 255.255.255.0

!

interface Vlan320

description Surf Voice

ip address 172.20.3.1 255.255.255.0

!

interface Vlan328

description Surf SrvMgt

ip address 172.28.3.1 255.255.255.0

!

interface Vlan330

description Surf Guest

ip address 172.30.3.1 255.255.255.0

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip route 0.0.0.0 0.0.0.0 172.28.1.1

!

kron occurrence weekly at 21:00 Fri recurring

policy-list backup

!

kron policy-list backup

cli copy running-config scp://###

!

wsma agent exec

profile httplistener

profile httpslistener

!

wsma agent config

profile httplistener

profile httpslistener

!

wsma agent filesys

profile httplistener

profile httpslistener

!

wsma agent notify

profile httplistener

profile httpslistener

!

wsma profile listener httplistener

transport http

!

wsma profile listener httpslistener

transport https

!

ap group default-group

end

SWITCH2#show run

Building configuration...

Current configuration : 30274 bytes

!

! Last configuration change at 10:14:24 UTC Fri May 25 2018 by ###

!

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime

service timestamps log datetime

service password-encryption

service compress-config

!

hostname SWITCH2

!

boot-start-marker

boot-end-marker

!

vrf definition Mgmt-vrf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

logging console emergencies

enable secret 5 ###

enable password 7 ###

!

username admin privilege 10 password 7 ###

aaa new-model

!

aaa authentication login default local enable

!

aaa session-id common

switch 1 provision ws-c3850-24p

switch 2 provision ws-c3850-24p

switch 3 provision ws-c3850-24p

!

ip domain-name ###

!

qos wireless-default-untrust

qos queue-softmax-multiplier 100

!

write-memory

spanning-tree mode pvst

spanning-tree extend system-id

hw-switch switch 1 logging onboard message level 3

hw-switch switch 2 logging onboard message level 3

hw-switch switch 3 logging onboard message level 3

!

redundancy

mode sso

!

lldp run

!

class-map match-any non-client-nrt-class

!

policy-map port_child_policy

class non-client-nrt-class

bandwidth remaining ratio 10

!

interface Port-channel1

!

interface GigabitEthernet0/0

vrf forwarding Mgmt-vrf

no ip address

negotiation auto

!

interface GigabitEthernet2/0/7

description ===> office 2 <===

switchport access vlan 162

switchport trunk native vlan 162

switchport trunk allowed vlan 20,162

switchport mode trunk

switchport voice vlan 20

switchport port-security maximum 10

switchport port-security violation restrict

switchport port-security aging time 10

switchport port-security aging type inactivity

switchport port-security

storm-control broadcast level 2.50 1.00

spanning-tree portfast

spanning-tree bpduguard enable

!

interface GigabitEthernet3/0/2

description ===> leased line Eth1 <===

switchport trunk allowed vlan 16,20,28,40,162,282,302,311,402

switchport mode trunk

storm-control broadcast level 2.50 1.00

spanning-tree portfast

!

interface Vlan1

no ip address

shutdown

!

interface Vlan2

description Sapphire Internet

no ip address

!

interface Vlan16

description S-Data

no ip address

!

interface Vlan20

description S-Voice

no ip address

!

interface Vlan28

description S-Mgmt

no ip address

!

interface Vlan30

description S-Guest

no ip address

!

interface Vlan40

description S-CCTV

no ip address

!

interface Vlan202

description L-Voice

no ip address

!

interface Vlan282

description L-Mgmt

ip address 172.28.2.10 255.255.255.0

ip helper-address 172.28.2.9

!

interface Vlan302

description L-Guest

no ip address

ip helper-address 172.30.2.9

!

interface Vlan311

description Intenal-DMZ

no ip address

!

interface Vlan332

no ip address

ip helper-address 192.168.10.251

!

interface Vlan402

description L-CCTV

no ip address

!

ip forward-protocol nd

no ip http server

ip http authentication local

ip http secure-server

ip route 0.0.0.0 0.0.0.0 172.28.2.1

ip ssh rsa keypair-name ssh

ip ssh version 2

!

access-list 28 permit 172.28.2.0 0.0.0.255

!

banner motd ^C

###

^C

!

line con 0

exec-timeout 0 0

privilege level 15

password 7 ###

stopbits 1

line aux 0

no exec

transport output none

stopbits 1

line vty 0 4

privilege level 0

password 7 ###

transport preferred ssh

transport input ssh

transport output ssh

line vty 5 15

!

wsma agent exec

profile httplistener

profile httpslistener

!

wsma agent config

profile httplistener

profile httpslistener

!

wsma agent filesys

profile httplistener

profile httpslistener

!

wsma agent notify

profile httplistener

profile httpslistener

!

wsma profile listener httplistener

transport http

!

wsma profile listener httpslistener

transport https

!

ap group default-group

end

SWITCH1 SWITCH1#show run Building configuration... Current configuration : 26138 bytes ! ! Last configuration change at 05:21:38 UTC Fri May 25 2018 by ### ! version 15.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime service timestamps log datetime service password-encryption service compress-config ! hostname SWITCH1 ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! enable secret 5 ### enable password 7 ### ! username admin password 7 ### no aaa new-model switch 1 provision ws-c3850-24p switch 2 provision ws-c3850-24p ! ! no ip domain-lookup ip domain-name ### ip dhcp binding cleanup interval 10 ip dhcp excluded-address 172.16.3.1 172.16.3.12 ip dhcp excluded-address 172.28.3.1 172.28.3.12 ip dhcp excluded-address 172.20.3.1 172.20.3.12 ip dhcp excluded-address 172.30.3.1 172.30.3.12 ! ! ! qos queue-softmax-multiplier 100 ! errdisable recovery cause bpduguard errdisable recovery interval 120 diagnostic bootup level minimal archive path flash:/$SW write-memory spanning-tree mode pvst spanning-tree extend system-id hw-switch switch 1 logging onboard message level 3 hw-switch switch 2 logging onboard message level 3 ! redundancy mode sso ! lldp run ! ! class-map match-any non-client-nrt-class ! policy-map port_child_policy class non-client-nrt-class bandwidth remaining ratio 10 ! ! interface Port-channel1 ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! interface GigabitEthernet1/0/1 description ===> Digium Eth1 <=== switchport access vlan 20 switchport mode access switchport port-security maximum 10 switchport port-security violation restrict switchport port-security aging time 10 switchport port-security aging type inactivity switchport port-security storm-control broadcast level 2.50 1.00 spanning-tree portfast spanning-tree bpduguard enable ! ! interface GigabitEthernet1/0/19 switchport access vlan 16 switchport trunk allowed vlan 16,20 switchport mode trunk switchport voice vlan 20 switchport port-security maximum 10 switchport port-security violation restrict switchport port-security aging time 10 switchport port-security aging type inactivity switchport port-security storm-control broadcast level 2.50 1.00 spanning-tree portfast spanning-tree bpduguard enable ! ! interface TenGigabitEthernet1/1/1 switchport trunk allowed vlan 1,20,28,40,316,320,328,330,402 switchport mode trunk ! interface TenGigabitEthernet1/1/4 description Fibre1 S-Surf switchport trunk allowed vlan 16,20,28,30,40,316,320,328,330 switchport mode trunk channel-group 1 mode auto ! interface TenGigabitEthernet2/1/4 description Fibre2 S-Surf switchport trunk allowed vlan 16,20,28,30,40,316,320,328,330,402 switchport mode trunk channel-group 1 mode auto ! interface Vlan1 no ip address shutdown ! interface Vlan2 description Sapphire Internet no ip address ! interface Vlan16 description S-Data no ip address ! interface Vlan20 description S-Voice no ip address ! interface Vlan28 description S-Mgmt ip address 172.28.1.11 255.255.255.0 ! interface Vlan30 description S-Guest no ip address ! interface Vlan40 description S-CCTV no ip address ! interface Vlan228 ip address 172.28.2.4 255.255.255.0 ! interface Vlan311 description Internal-DMZ no ip address shutdown ! interface Vlan316 description S Data ip address 172.16.3.1 255.255.255.0 ! interface Vlan320 description Surf Voice ip address 172.20.3.1 255.255.255.0 ! interface Vlan328 description Surf SrvMgt ip address 172.28.3.1 255.255.255.0 ! interface Vlan330 description Surf Guest ip address 172.30.3.1 255.255.255.0 ! ip forward-protocol nd ip http server ip http authentication local ip http secure-server ip route 0.0.0.0 0.0.0.0 172.28.1.1 ! ! kron occurrence weekly at 21:00 Fri recurring policy-list backup ! kron policy-list backup cli copy running-config scp://### ! ! ! wsma agent exec profile httplistener profile httpslistener ! wsma agent config profile httplistener profile httpslistener ! wsma agent filesys profile httplistener profile httpslistener ! wsma agent notify profile httplistener profile httpslistener ! ! wsma profile listener httplistener transport http ! wsma profile listener httpslistener transport https ! ap group default-group end SWITCH2#show run Building configuration... Current configuration : 30274 bytes ! ! Last configuration change at 10:14:24 UTC Fri May 25 2018 by ### ! version 15.2 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime service timestamps log datetime service password-encryption service compress-config ! hostname SWITCH2 ! boot-start-marker boot-end-marker ! ! vrf definition Mgmt-vrf ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! logging console emergencies enable secret 5 ### enable password 7 ### ! username admin privilege 10 password 7 ### aaa new-model ! ! aaa authentication login default local enable ! ! aaa session-id common switch 1 provision ws-c3850-24p switch 2 provision ws-c3850-24p switch 3 provision ws-c3850-24p ! ! ! ! ! ! ip domain-name ### ! ! qos wireless-default-untrust qos queue-softmax-multiplier 100 ! ! write-memory spanning-tree mode pvst spanning-tree extend system-id hw-switch switch 1 logging onboard message level 3 hw-switch switch 2 logging onboard message level 3 hw-switch switch 3 logging onboard message level 3 ! redundancy mode sso ! lldp run ! ! class-map match-any non-client-nrt-class ! policy-map port_child_policy class non-client-nrt-class bandwidth remaining ratio 10 ! ! interface Port-channel1 ! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto ! ! interface GigabitEthernet2/0/7 description ===> office 2 <=== switchport access vlan 162 switchport trunk native vlan 162 switchport trunk allowed vlan 20,162 switchport mode trunk switchport voice vlan 20 switchport port-security maximum 10 switchport port-security violation restrict switchport port-security aging time 10 switchport port-security aging type inactivity switchport port-security storm-control broadcast level 2.50 1.00 spanning-tree portfast spanning-tree bpduguard enable ! ! interface GigabitEthernet3/0/2 description ===> leased line Eth1 <=== switchport trunk allowed vlan 16,20,28,40,162,282,302,311,402 switchport mode trunk storm-control broadcast level 2.50 1.00 spanning-tree portfast ! ! interface Vlan1 no ip address shutdown ! interface Vlan2 description Sapphire Internet no ip address ! interface Vlan16 description S-Data no ip address ! interface Vlan20 description S-Voice no ip address ! interface Vlan28 description S-Mgmt no ip address ! interface Vlan30 description S-Guest no ip address ! interface Vlan40 description S-CCTV no ip address ! interface Vlan202 description L-Voice no ip address ! interface Vlan282 description L-Mgmt ip address 172.28.2.10 255.255.255.0 ip helper-address 172.28.2.9 ! interface Vlan302 description L-Guest no ip address ip helper-address 172.30.2.9 ! interface Vlan311 description Intenal-DMZ no ip address ! interface Vlan332 no ip address ip helper-address 192.168.10.251 ! interface Vlan402 description L-CCTV no ip address ! ip forward-protocol nd no ip http server ip http authentication local ip http secure-server ip route 0.0.0.0 0.0.0.0 172.28.2.1 ip ssh rsa keypair-name ssh ip ssh version 2 ! ! ! access-list 28 permit 172.28.2.0 0.0.0.255 ! ! banner motd ^C ### ^C ! line con 0 exec-timeout 0 0 privilege level 15 password 7 ### stopbits 1 line aux 0 no exec transport output none stopbits 1 line vty 0 4 privilege level 0 password 7 ### transport preferred ssh transport input ssh transport output ssh line vty 5 15 ! wsma agent exec profile httplistener profile httpslistener ! wsma agent config profile httplistener profile httpslistener ! wsma agent filesys profile httplistener profile httpslistener ! wsma agent notify profile httplistener profile httpslistener ! ! wsma profile listener httplistener transport http ! wsma profile listener httpslistener transport https ! ap group default-group end

I know LLDP is working as

Show lldp will output a list of connected IP phones on both SWITCH1 and SWITCH2

Georg Pauwen · ‎05-29-2018

Hello,

my first thought is to disable cdp (no cdp enable) on the ports where the Digium phones are connected. Cisco IP phones use CDP, Digium don't as dar as I recall...

Can you post the config of one of the switchports ?

llitteamll · ‎05-29-2018

Sure Georg,

phones are respectively connected to:

SWITCH1

!

interface GigabitEthernet1/0/19

switchport access vlan 16

switchport trunk allowed vlan 16,20

switchport mode trunk

switchport voice vlan 20

switchport port-security maximum 10

switchport port-security violation restrict

switchport port-security aging time 10

switchport port-security aging type inactivity

switchport port-security

storm-control broadcast level 2.50 1.00

spanning-tree portfast

spanning-tree bpduguard enable

!

SWITCH2

!

interface GigabitEthernet2/0/7

description ===> office 2 <===

switchport access vlan 162

switchport trunk native vlan 162

switchport trunk allowed vlan 20,162

switchport mode trunk

switchport voice vlan 20

switchport port-security maximum 10

switchport port-security violation restrict

switchport port-security aging time 10

switchport port-security aging type inactivity

switchport port-security

storm-control broadcast level 2.50 1.00

spanning-tree portfast

spanning-tree bpduguard enable

!

I highlight, everything works as expected with phone and host connected to SWITCH1, problem is on SWITCH2, IP phones doesn't pass DHCP to host, it end with autoconfig IP

thanks

Georg Pauwen · ‎05-29-2018

Hello,

on Switch 2. the native Vlan is 162, on Switch 1, it is the default, Vlan 1.

Try and remove the 'switchport trunk native vlan 162' from the ports on switch 2.

--> no switchport trunk native vlan 162