08-03-2008 11:57 AM
Default VLAN Native VLAN 2824 DHCP
At present all LAN traffic is on the Default_VLAN 1.
I want to separate my data and my VoIP traffic using two VLANs and use my PIX to route between the two VLANs.
The phone system I have is an Avaya IP Office.
I have PCs plugged into the internal switches on my VoIP phones.
I plan to have two DHCP servers, one for each VLAN, which is fine.
Firstly, what I need to know is: when a PC which is plugged into a phone (all set to use DHCP) boots up, how does it know which VLAN to get its address from? (The switch port would be tagged with both VLAN IDs.)
Would it use the default VLAN first? Or would it use the primary VLAN first? Or can you force it to look at one specific VLAN?
The way I plan for my phones to get their IP (again, all phones set to DHCP) would be to use the same method: on my default DHCP server I can then specify the second DHCP server on the other VLAN. I think that should be fine.
The next issue I have is with the default VLAN or native VLAN (in Cisco speak).
After reading documentation on the PIX 515, they advise against using the default (or, in Cisco speak, native) VLAN for fear of a "jumping VLANs" attack, quoting from the text:
"for maximum security, we recommend avoiding the use of native VLANs altogether when deploying VLANs in a secure environment"
This would then mean I could not use the default VLAN for the PCs to get their IP addresses. So what do I do here? Any ideas?
I have had a rake through the forum already, but can't quite get the answer I need.
Looking forward to your replies, folks,
all help gratefully received!
J
08-04-2008 12:23 AM
Re: Default VLAN Native VLAN 2824 DHCP
I'll make a new config for you.
Please send me the 2824 and 2626 "sh run" printouts.
cenk
08-04-2008 01:17 AM
Re: Default VLAN Native VLAN 2824 DHCP
Would it be possible to get just the explanation? I really want to get my head round it.
The config is just out of the box really.
Thanks in advance
J
08-04-2008 01:31 AM
Re: Default VLAN Native VLAN 2824 DHCP
The default VLAN is the VLAN that exists when no other VLANs have been created yet (blank config).
Native VLAN is an indication of how the port treats packets with NO VLAN tag. Such a packet is considered incoming on the native VLAN; internally the VLAN tag is added and the packet is propagated to the other ports in this VLAN. Outgoing packets from the native VLAN to a port have their tag stripped and are sent untagged to the connected device.
So Cisco "native" corresponds to "untagged".
In a default (out-of-the-box) configuration every port is a member of this default VLAN and traffic is possible between all ports. Normally this is VLAN 1.
Both the default VLAN and the untagged/native VLAN correspond to VLAN ID "1".
08-04-2008 01:49 AM
Re: Default VLAN Native VLAN 2824 DHCP
For local network security, protect the default VLAN.
The default VLAN must be used only for switch management; no users or servers should reside in VLAN 1.
You can create a new VLAN (instead of VLAN 1) and use VLAN 1 only for management, with the "management vlan 1" command.
cenk
08-04-2008 02:03 AM
Re: Default VLAN Native VLAN 2824 DHCP
I was looking for clarification between the default and native VLAN, thanks for that.
So, based on what you have said, would this work?
Data VLAN 10
Voice VLAN 30
Make VLAN 10 the native VLAN.
In the phone-plus-PC-plugged-into-phone-switch example:
On the phone/PC port, would I need to have the port tagged with VLAN IDs 10 & 30? Or just leave it untagged?
(Note: this switch which has the phone & PC attached would then be connected to a core 2824 switch, with the connection between the two switches tagged with 10 & 30, yes?)
Thanks in advance again.
This is great.
J
08-04-2008 03:07 AM
Re: Default VLAN Native VLAN 2824 DHCP
All other VLANs must pass with a VLAN tag, else the switch cannot decide which VLAN to propagate to.
So you can pass both VLANs tagged to a port, or one tagged and one untagged.
At least one of the connected devices must also recognize these VLAN tags; the other can communicate through the native/untagged VLAN.
Thus either the IP phone or the network driver of the workstation must be able to handle the VLAN tags.
Most client network cards cannot handle multiple VLANs (some server cards do).
Also, this may need additional software (Cisco Secure Client; NAP/NAC?) to solve this at the workstation side.
I have no real experience with IP phone/ProCurve; I do have with Cisco/PIX.
So I can only suggest a direction.
I think the phone config would be the best place to start.
In the phone, configure the data VLAN untagged and the voice VLAN tagged, using the network port of the phone for "pass-through" of the untagged workstation packets.
At the ProCurve port that connects the PIX, configure both VLANs tagged.
At the PIX, configure two subinterfaces, each for its own VLAN, so the PIX only processes packets with the right VLAN tag and ignores untagged packets.
Regards,
Pieter
08-04-2008 04:35 AM
Re: Default VLAN Native VLAN 2824 DHCP
1) Tag the switch port in the voice VLAN.
2) Untag the port in the data VLAN.
3) Good practice is to not use the "default-vlan" for any production traffic, including managing the switch...
4) You can use the data VLAN to manage the switch, as long as it has its IP address in the data VLAN...
Most VoIP phones can either be manually configured for their traffic to be tagged, or it can be in their downloaded config file... and generally at the phone, the data port's traffic cannot be configured; it will be untagged (some phones can, some phones can't - I don't know about the Avaya for sure)... and as Pieter said, if you set the port tagged in the data VLAN, the PC has to be configured the same, and that's generally too much work...
Definition clarifications:
802.1Q tagged = Cisco trunk
untagged = Cisco access port
A port can only be untagged at most once, and can be tagged as many times as VLANs are available on the switch...
Also, a port always has to have a home - meaning untagged or tagged in a minimum of one VLAN...
And btw, the 2-port interface on almost all VoIP phones is not really a switch... it's better than a hub, but it is generally not a "fully configurable" switch like the ProCurve or Cisco's, etc...
hth... jeff
08-04-2008 06:36 AM
Re: Default VLAN Native VLAN 2824 DHCP
It is a two-step process...
When the phone boots up it hits the DHCP server and leases any address it can. If you want to force the phone onto a particular VLAN then you need to put in an additional DHCP option (174) and configure this string for stuff like TFTP server, QVLAN_ID etc. If the phone finds the 174 string it reboots and sets its VLAN to that specific VLAN.
Step 2
When the PC starts up and gets an IP address through the phone, it picks an address from either a valid DHCP server on that VLAN or via the ip helper-address on the switch.
The ip helper-address statement needs to sit in each VLAN so it can send the DHCP requests to the specific server.
Hope that is a bit clearer...
Regards
Matt
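As an added example (not code from the thread or from any of its posters), a small Python lint that checks a constructed ProCurve-style port plan against the rules jeff and Matt state above: a port is untagged in at most one VLAN and tagged in any number, every port has a home, the default VLAN carries no production ports, and each client VLAN has either a local DHCP server or an ip helper-address. The Vlan class, the port numbering and the 192.0.2.x relay addresses are assumptions made for the example.

```python
"""Added example, not from the thread: lint a ProCurve-style VLAN port plan
against the rules stated in the replies above (constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

DEFAULT_VLAN = 1  # the out-of-the-box VLAN every port starts in

@dataclass
class Vlan:
    vid: int
    name: str
    untagged: Set[int] = field(default_factory=set)  # port numbers
    tagged: Set[int] = field(default_factory=set)
    has_dhcp_server: bool = False  # a DHCP server sits in this VLAN
    ip_helper: List[str] = field(default_factory=list)  # relay targets

def lint(vlans: List[Vlan], ports: range) -> List[str]:
    findings: List[str] = []  # empty list means the plan is clean
    untag_in: Dict[int, List[int]] = {p: [] for p in ports}
    homed: Set[int] = set()
    for v in vlans:
        homed |= v.untagged | v.tagged
        for p in v.untagged:
            untag_in[p].append(v.vid)
        # default VLAN should carry no production ports (jeff's point 3)
        if v.vid == DEFAULT_VLAN and (v.untagged or v.tagged):
            findings.append(f"default VLAN {v.vid} still carries ports "
                            f"{sorted(v.untagged | v.tagged)}")
        # every client VLAN needs a DHCP path (Matt's ip helper-address)
        if v.vid != DEFAULT_VLAN and not (v.has_dhcp_server or v.ip_helper):
            findings.append(f"VLAN {v.vid} ({v.name}): no DHCP server "
                            "and no ip helper-address")
    for p, vids in untag_in.items():  # untagged at most once
        if len(vids) > 1:
            findings.append(f"port {p}: untagged in more than one VLAN {vids}")
    for p in ports:  # every port needs a home
        if p not in homed:
            findings.append(f"port {p}: not a member of any VLAN")
    return findings

# Constructed plan for an 8-port edge switch: ports 1-7 carry phone+PC
# (data untagged, voice tagged); port 8 is the uplink with both tagged.
EDGE_PORTS = range(1, 9)
PLAN = [
    Vlan(1, "DEFAULT_VLAN"),  # deliberately emptied
    Vlan(10, "DATA", untagged=set(range(1, 8)), tagged={8},
         ip_helper=["192.0.2.10"]),
    Vlan(30, "VOICE", tagged=set(range(1, 9)), ip_helper=["192.0.2.30"]),
]
```

Running `lint(PLAN, EDGE_PORTS)` on the constructed plan returns no findings; a plan that untags a port in two VLANs, leaves a port in VLAN 1, or gives a VLAN no DHCP path is reported line by line.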