VoIP Server behind a 100/10 fa0/1 cisco 2960 switch?

bradfordjboyle
Level 1

Hi All,

 I hope I am in the right place, and thank you in advance for guidance.  The true network config has been modified for security.

I have a hub and spoke network with 1 hub and 5 spokes. We are using Fortigate 90Ds and 60Ds at all endpoints. On the internal data interface, I've assigned each office a class C subnet. Also, on each of the internal interfaces, I've chopped up 192.168.7.0/24 into subnets under each location for VoIP and assigned each to VLAN 100:

Loc 1 FWF-90D: 192.168.1.0/24    with VLAN 100  192.168.7.0/26 underneath

Loc 2 FWF-90D: 192.168.2.0/24    with VLAN 100  192.168.7.64/27 underneath

Loc 3 FWF-60D: 192.168.3.0/24    with VLAN 100  192.168.7.96/28 underneath

Loc 4 FWF-60D: 192.168.4.0/24    with VLAN 100  192.168.7.112/28 underneath

Loc 5 FWF-60D: 192.168.5.0/24    with VLAN 100  192.168.7.128/28 underneath

Loc 6 FWF-60D: 192.168.6.0/24    with VLAN 100  192.168.7.144/28 underneath

Each of Loc 2-6 has an IPsec VPN back to Loc 1, where a Samsung OS 7400 phone system sits servicing 100 non-Cisco Samsung VoIP phones.

Under each Fortigate are Cisco 2960 PoE switches set up for VLAN 100 voice traffic and untagged data traffic through the SmartPorts GUI.

Each phone powers up, grabs its respective VoIP IP, and can connect back to the VoIP server. Test pings from VoIP server to VoIP server are under 100 ms.

However, any external call made to an internal user is spotty and choppy to that internal user. And calls made out are choppy to the internal user but remain clear to the external user. Meanwhile, the external caller can hear the internal phone user just fine. Inter-office calls are choppy as well. In summary, it's always one way: external can hear, internal cannot. This is across all spokes, some more noticeable than others due to the number of phones. Some users say it sounds like 3-way calling coming in, others say it's choppy, so I'm going with some sort of packet loss.

As a result, I've taken the phones and bypassed the switches, but the choppiness still occurs, so I am blaming the ISP (Comcast), the Fortinet configurations, or possibly the way I have the VoIP server plugged into the network.

Despite some poor findings about Comcast online, it doesn't make sense that I can hear that internal person just fine but I am choppy to them, so I can't ethically blame Comcast since one direction seems to be working just fine.

As for Fortinet, I have already disabled auto-asic-offload on the policies and npu-offload on the vpn tunnels.  Configured traffic shaping to guarantee bandwidth as well as placing the policies at the top.  Things have improved slightly, but the choppiness is still noticeable.  I am about ready to tear down the entire zone set up at the spoke and rebuild each site and policy.  I am also currently looking into disabling SIP Helper, but then I wanted to try something first.

I wanted to take the VoIP server off the VLAN 100 switch, change it to a data IP, plug it directly to the back of the fortigate and just do a policy from the spoke VoIP phone networks to the VoIP Server on the data network.

As we are planning to do this, I realized that I forced a VLAN 100 tag on the switch ports where the VoIP server is, as a PC (through the GUI). I feel like something is not right here. By setting it as a PC, it's in mode access with VLAN 100, not voice VLAN 100. Thoughts on this?

And although there are 100 phones across the network, the other reason for the removal was the potential bottlenecking, since ports 1-24 on these models are 10/100 with the trunks 10/100/1000.

May I ask, should the VoIP server be plugged into the same switch as the other devices? Since I cannot tag traffic off the VoIP server itself, am I doing it right by selecting PC and tagging it with VLAN 100 so it "hops" onto the same VLAN as all the other VoIP devices?

I feel like I want to tag it as just a PHONE, but PHONE is not an option by itself in the SmartPorts config on the Cisco switch, just Phone + PC or PC by itself, plus switch, router, etc. I just feel like something is not right here.

As a result, if it's plugged into the switch incorrectly, should I re-IP it to a data network and plug it directly into the back of the Fortigate, bypassing the switch and the tagging? Since it's a 10/100/1000 firewall/router/switch, I would then take my VoIP networks across my VPN tunnels and the one local VoIP network and create a policy to give them access to the VoIP server that's now on the data network.

Thanks ALL!

Accepted Solution

Hi

Usually, from what I have seen, the voice VLAN has the PBX and the phones on the same VLAN.

On the PBX port, can you not set it as switchport access voice vlan 100?

Then prioritizing the voice at layer 2 should help as well: mls qos trust dscp on access ports and uplinks. Just make sure the Samsung phones mark EF packets at the source with a DSCP value of 46; if not, mark the CoS/DSCP value at the source port. If the Samsung phones only support CoS at the source, mark it as trust cos or cos 5, but still use DSCP on the uplink; DSCP is better if it's supported everywhere.

This may help more than a complete redesign. Also make sure you're not over-utilizing the VPN; voice over VPN can have issues due to the overhead of IPsec. qos pre-classify under the IPsec crypto will help carry the trusted markings through the tunnel.

Voice ports should use the recommended config with the voice vlan command if possible:

interface FastEthernet0/1
 ! x = the data VLAN
 switchport access vlan x
 switchport mode access
 switchport voice vlan 100
 ! enable layer 2 QoS to trust the EF markings on RTP traffic
 ! (on the 2960 the interface trust setting only takes effect once "mls qos" is enabled globally)
 mls qos trust dscp
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable

View solution in original post
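Two things in this thread are guesses until they are measured: the poster's "I'm going with some sort of packet loss" and the accepted answer's "make sure the Samsung phones mark EF packets at the source with DSCP 46". The script below is an added example (it is not from the thread, nor Cisco or Samsung code) that checks both from a packet capture: it parses raw IPv4/UDP/RTP frames, reports any packet whose DSCP is not EF, and computes per-direction loss from the RTP sequence numbers and the RFC 3550 interarrival jitter estimator. Because the symptom is one-way, the streams are keyed by direction (source, destination, SSRC), so a lossy PBX-to-phone stream shows up separately from a clean phone-to-PBX stream. The capture is constructed in-line so it runs offline; the PBX address 192.168.7.10, the phone address 192.168.7.70 (inside the thread's Loc 2 voice subnet 192.168.7.64/27), port 5004, G.711 timing and the loss pattern are all assumptions.

```python
"""Added example: per-direction RTP loss, jitter and DSCP check from raw frames.
Not from the thread; PBX/phone addresses, ports, codec and loss pattern are assumed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

EF_DSCP = 46            # Expedited Forwarding, the marking the thread expects on RTP
RTP_CLOCK = 8000        # G.711 clock rate (assumed for the constructed stream)
PBX = "192.168.7.10"    # assumed address for the Samsung PBX at Loc 1
PHONE = "192.168.7.70"  # a phone in the thread's Loc 2 voice subnet 192.168.7.64/27


def build_packet(src, dst, dscp, seq, ts, ssrc, payload=b"\xff" * 160) -> bytes:
    """Constructed IPv4/UDP/RTP frame (PCMU, PT 0). IP checksum left 0; not verified here."""
    rtp = struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload
    udp = struct.pack("!HHHH", 5004, 5004, 8 + len(rtp), 0) + rtp  # UDP checksum 0 = none on IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp


@dataclass
class RtpPacket:
    src: str
    dst: str
    dscp: int
    seq: int
    ts: int
    ssrc: int


def parse_packet(raw: bytes) -> RtpPacket:
    """Pull the DSCP (top 6 bits of the TOS byte) and RTP header fields out of a raw frame."""
    if raw[0] >> 4 != 4 or raw[9] != 17:
        raise ValueError("expected IPv4/UDP")
    ihl = (raw[0] & 0x0F) * 4
    rtp = raw[ihl + 8:]                      # skip IP header (incl. options) and 8-byte UDP header
    if rtp[0] >> 6 != 2:
        raise ValueError("not RTP version 2")
    _, _, seq, ts, ssrc = struct.unpack("!BBHII", rtp[:12])
    return RtpPacket(".".join(map(str, raw[12:16])), ".".join(map(str, raw[16:20])),
                     raw[1] >> 2, seq, ts, ssrc)


@dataclass
class StreamStats:
    expected: int = 0    # from extended sequence numbers (RFC 3550 A.3)
    received: int = 0
    unmarked: int = 0    # packets whose DSCP is not EF
    jitter: float = 0.0  # RFC 3550 6.4.1 estimator, in RTP clock units

    @property
    def lost(self): return self.expected - self.received
    @property
    def jitter_ms(self): return 1000.0 * self.jitter / RTP_CLOCK


def analyze(captured: List[Tuple[float, bytes]]) -> Dict[Tuple[str, str, int], StreamStats]:
    """captured = [(arrival_seconds, raw_frame), ...]; one StreamStats per (src, dst, ssrc)."""
    stats, state = {}, {}
    for arrival, raw in captured:
        p = parse_packet(raw)
        key = (p.src, p.dst, p.ssrc)
        s = stats.setdefault(key, StreamStats())
        st = state.setdefault(key, {"cycles": 0, "base": p.seq, "last": p.seq, "max": p.seq})
        # extend the 16-bit sequence counter across wraps so expected = max - base + 1
        if p.seq < st["last"] and st["last"] - p.seq > 0x8000:
            st["cycles"] += 0x10000
        ext = st["cycles"] + p.seq
        st["last"], st["max"] = p.seq, max(st["max"], ext)
        s.received += 1
        s.expected = st["max"] - st["base"] + 1
        if p.dscp != EF_DSCP:
            s.unmarked += 1
        # jitter: change in (arrival - timestamp) between consecutive packets, smoothed by 1/16
        transit = arrival * RTP_CLOCK - p.ts
        if "transit" in st:
            s.jitter += (abs(transit - st["transit"]) - s.jitter) / 16.0
        st["transit"] = transit
    return stats


def constructed_call(n: int = 100) -> List[Tuple[float, bytes]]:
    """A 2 s two-way call shaped like the thread's symptom: phone -> PBX arrives complete,
    on time and EF-marked; PBX -> phone (what the internal user hears) loses every 5th
    packet, alternates 8 ms late, and is unmarked (DSCP 0). Constructed test input."""
    cap = []
    for i in range(n):
        t = i * 0.020                                            # 20 ms packetisation
        cap.append((t, build_packet(PHONE, PBX, EF_DSCP, 1000 + i, 160 * i, 0x11111111)))
        if i % 5 != 2:                                           # drop i = 2, 7, 12, ...
            late = 0.008 if i % 2 else 0.0
            cap.append((t + 0.001 + late, build_packet(PBX, PHONE, 0, 2000 + i, 160 * i, 0x22222222)))
    return sorted(cap, key=lambda e: e[0])


def report(stats) -> List[str]:
    return [f"{src} -> {dst} ssrc={ssrc:#x}: expected={s.expected} received={s.received} "
            f"lost={s.lost} ({100.0 * s.lost / s.expected:.1f}%) "
            f"jitter={s.jitter_ms:.1f} ms not_EF={s.unmarked}"
            for (src, dst, ssrc), s in sorted(stats.items())]


if __name__ == "__main__":
    print("\n".join(report(analyze(constructed_call()))))
```

On a real network, feed `analyze()` the (timestamp, frame) pairs from a capture taken on a SPAN of the PBX port or at a phone's switch port, for example by reading a pcap with a library such as scapy or dpkt; the constructed call is only there so the script runs as-is. The point the numbers make is the one the thread circles around: loss and jitter are properties of one direction of one stream, so a clean phone-to-PBX stream says nothing about the PBX-to-phone stream the internal user is listening to, and a `not_EF` count above zero means the `mls qos trust dscp` in the accepted answer is trusting a marking that was never applied.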

4 Replies

bradfordjboyle
Level 1

Am I describing setting my fa0/1 port to trunk mode and then setting my native VLAN to 100? Wouldn't that be similar to setting a static access port to VLAN 100 as well, which I am doing? I believe I am looking for the static access port on VLAN 100 + the voice VLAN priority. Thanks again all.


Mark,

Thank you very much for your time answering my question. We have placed a number of changes in our change control queue. We are currently waiting on Comcast to swap out all their business wireless gateway modems after discovering their hardware might be the issue. I'll provide feedback as soon as I can, but I want to thank you again for your time and advice.

http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/COMCAST-Serious-Problems-with-all-Netgear-CG3000DCR-Gateway/td-p/5400

bradfordjboyle
Level 1

My first port, which goes to the PBX, needs to be on VLAN 100 but also prioritizing the traffic as if it's a VoIP phone:

interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
