Switches, Hubs, and Modems

js11
New Member

Default VLAN Native VLAN 2824 DHCP

At present I use a combination of HP 2824's and HP 2626's (for PoE VOIP) and have a PIX 515E as a router & firewall to the internet.

At present all LAN traffic is on the Default_VLAN 1

I want to separate my data and my VOIP traffic using two VLANs and use my PIX to route between the two VLANs.

The phone system I have is an Avaya IP Office.

I have PCs plugged into the internal switches on my VOIP phones.

I plan to have two DHCP servers, one for each VLAN, which is fine.

Firstly, what I need to know is: when a PC which is plugged into a phone (all set to use DHCP) boots up, how does it know which VLAN to get its address from? (The switch port would be tagged with both VLAN IDs.)
Would it use the default VLAN first? Or would it use the primary VLAN first? Or can you force it to look at one specific VLAN?

The way I plan for my phones to get their IP (again, all phones set to DHCP) would be to use the same method; on my 'default' DHCP server I can then specify the second DHCP server on the other VLAN. I think that should be fine.

The next issue I have is with the default VLAN or native VLAN (in Cisco speak).
After reading documentation on the PIX 515, they advise against using the default (or, in Cisco speak, native) VLAN for fear of a "VLAN jumping" attack, quoting from the text:
"For maximum security, we recommend avoiding the use of native VLANs altogether when deploying VLANs in a secure environment."
This would then mean I could not use the default VLAN for the PCs to get their IP addresses. So what do I do here? Any ideas?

I have had a rake through the forum already, but, can't quite get the answer i need.

Looking forward to your replies folks,
All help gratefully received!

J
cenk sasmaztin
Honored Contributor

Re: Default VLAN Native VLAN 2824 DHCP

hi

I make new config for you

please send me 2824 ,2626 sh run print

cenk

js11
New Member

Re: Default VLAN Native VLAN 2824 DHCP

Thanks for the reply.

Would it be possible to get just the explanation? I really want to get my head round it.
The config is just out of the box really.

Thanks in advance
J
Pieter 't Hart
Honored Contributor

Re: Default VLAN Native VLAN 2824 DHCP

default-vlan and native vlan are not the same! And I don't think Cisco uses this differently than others.

The default-vlan is the vlan that exists when no other vlans are created yet (blank config).

Native vlan is an indication of how the port treats packets with NO vlan-tag. It is considered incoming on the native vlan; internally the vlan tag is added and the packet is propagated to other ports in this vlan. Outgoing packets from the native vlan to a port have their tag stripped and are sent untagged to the connected device.
So Cisco "native" corresponds to "untagged".

In a default (out-of-the-box) configuration every port is a member of this default vlan and traffic is possible between all ports. Normally this is VLAN 1.
Both default-vlan and untagged/native vlan correspond to vlan-id "1".
cenk sasmaztin
Honored Contributor

Re: Default VLAN Native VLAN 2824 DHCP

hi

For local network security, protect the default VLAN.

The default VLAN must be used only for switch management; no users or servers should reside in VLAN 1.

You can create a new VLAN (instead of VLAN 1) and use VLAN 1 only for management with the management vlan 1 command.


cenk

js11
New Member

Re: Default VLAN Native VLAN 2824 DHCP

Aha I see.

I was looking for clarification between the default and native VLAN, thanks for that.

So, based on what you have said, would this work?

Data VLAN 10
Voice VLAN 30
Make VLAN 10 the native VLAN.

In the phone plus PC plugged in to phone switch example.
On the phone/PC port, would I need to have the port tagged with VLAN IDs 10 & 30 ? or just leave untagged?
(note this switch which is has the phone & PC attached would then be connected to a core 2824 switch, with the connection between the two switches tagged with 10 & 30 - yes?)

Thanks in advance again
This is great
J
Pieter 't Hart
Honored Contributor

Re: Default VLAN Native VLAN 2824 DHCP

As far as I know, you can only assign one untagged vlan to a port!
All other vlans must pass with a vlan-tag, else the switch cannot decide which vlan to propagate to.

So you can pass both vlans tagged to a port, or one tagged and one untagged.

At least one of the connected devices must also recognize these vlan-tags; the other can communicate through the native/untagged vlan.
Thus either the ip-phone or the network driver of the workstation must be able to handle the vlan-tags.
Most client network cards cannot handle multiple vlans (some server cards do).
Also this may need additional software (Cisco secure client; NAP/NAC?) to solve this at the workstation side.

I have no real experience with ip-phone/procurve; i do have with cisco/pix.
So i can only suggest a direction.
I think the phone config would be the best place to start.
In the phone configure the data-vlan untagged and the voice-vlan tagged.
using the network-port of the phone for "pass-through" of the untagged workstation packets.

At the ProCurve port that connects the PIX, configure both VLANs tagged.
At the PIX, configure two subinterfaces, each for its own VLAN, so the PIX only processes packets with the right VLAN tag and ignores untagged packets.

regards,
Pieter
Jeff Carrell
Honored Contributor

Re: Default VLAN Native VLAN 2824 DHCP

to simplify the info, when using VoIP phones and computers connected to them into a single switch port:

1) tag the switch port in the voice vlan

2) untag the port in the data vlan

3) good practice is to not use the "default-vlan" for any production traffic, including managing the switch...

4) you can use the data vlan to manage the switch, as long as it has its ip addr in the data vlan...


most VoIP phones can either be manually configured for their traffic to be tagged or have it set in their download config file...and generally at the phone, the data port's traffic cannot be configured, it will be untagged (some phones can, some phones can't - i don't know about the Avaya for sure)...and as Pieter said, if you set the port tagged in the data vlan, the PC has to be configured the same, and that's generally too much work...

definition clarifications:

802.1Q tagged = cisco trunk
untagged = cisco access port

a port can only be untagged at most once, and can be tagged as many times as vlans are available on the switch...

also, a port always has to have a home - meaning untag or tag in a minimum of one vlan...


and btw, the 2-port interface on almost all VoIP phones is not really a switch...its better than a hub, but it is generally not a "fully configurable" switch like the procurve or cisco's, etc...

hth...jeff
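As an added illustration (this is not code from the thread, from HP, or from Avaya), the following Python models the port rules Pieter and Jeff describe: a port is untagged in at most one VLAN, tagged in any number, and must belong to at least one; an untagged frame arriving on the port is placed in the port's untagged VLAN, a tagged frame is accepted only into a VLAN the port is a tagged member of, and on the way out the tag is stripped for the untagged VLAN and kept for tagged ones. It also renders the same membership as ProCurve-style `vlan` / `untagged` / `tagged` / `ip address` lines, which is the shape of the commands the thread refers to (the exact syntax is my recollection of the ProCurve CLI, not something the thread shows). VLAN 10 (data) and VLAN 30 (voice) follow the thread; the port numbers, MAC addresses and payload are constructed for the example, and how a real switch treats a frame that arrives tagged with the untagged VLAN's own ID is deliberately left out.

```python
"""Model of 802.1Q port membership: one untagged VLAN, any number tagged.

Added example, not from the original thread. Port numbers (5, 24), MACs and
payload are constructed; the CLI rendering assumes ProCurve 'vlan' syntax.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VLAN_DATA, VLAN_VOICE = 10, 30          # from the thread


def parse_frame(frame: bytes):
    """Return (dst, src, vid_or_None, ethertype, payload) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]   # low 12 bits = VID


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


class Port:
    def __init__(self, name, untagged=None, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)
        if untagged in self.tagged:
            raise ValueError("a VLAN cannot be both tagged and untagged on one port")
        if untagged is None and not self.tagged:
            raise ValueError("a port needs a home: untagged or tagged in one VLAN")

    def ingress_vlan(self, frame):
        """VLAN an arriving frame is placed in; None means the switch drops it."""
        _, _, vid, _, _ = parse_frame(frame)
        if vid is None:
            return self.untagged          # untagged frame -> 'native' VLAN (or drop)
        return vid if vid in self.tagged else None

    def egress(self, vlan, frame):
        """Rewrite a frame already classified into `vlan` for this port."""
        dst, src, _, ethertype, payload = parse_frame(frame)
        if vlan == self.untagged:
            return build_frame(dst, src, ethertype, payload)      # tag stripped
        if vlan in self.tagged:
            return build_frame(dst, src, ethertype, payload, vid=vlan)
        return None                                                # not a member


def procurve_config(ports, vlan_names, mgmt_ip=None):
    """Render ports as ProCurve-style 'vlan' blocks; mgmt_ip=(vid, addr, mask)."""
    lines = []
    for vid in sorted(vlan_names):
        lines += [f"vlan {vid}", f'   name "{vlan_names[vid]}"']
        unt = [p.name for p in ports if p.untagged == vid]
        tag = [p.name for p in ports if vid in p.tagged]
        if unt:
            lines.append(f"   untagged {','.join(unt)}")
        if tag:
            lines.append(f"   tagged {','.join(tag)}")
        if mgmt_ip and mgmt_ip[0] == vid:   # switch address lives in the data VLAN
            lines.append(f"   ip address {mgmt_ip[1]} {mgmt_ip[2]}")
        lines.append("   exit")
    return "\n".join(lines)


# Port 5: phone with PC behind it. Port 24: uplink to the core 2824 / PIX.
phone_port = Port("5", untagged=VLAN_DATA, tagged=[VLAN_VOICE])
uplink = Port("24", tagged=[VLAN_DATA, VLAN_VOICE])

# Constructed sample frames (broadcast DHCP-style payload placeholder).
BCAST, PC_MAC, PHONE_MAC = b"\xff" * 6, bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
PAYLOAD = b"constructed-dhcp-discover"
pc_frame = build_frame(BCAST, PC_MAC, ETHERTYPE_IPV4, PAYLOAD)                   # untagged
phone_frame = build_frame(BCAST, PHONE_MAC, ETHERTYPE_IPV4, PAYLOAD, vid=VLAN_VOICE, pcp=5)
stray_frame = build_frame(BCAST, PC_MAC, ETHERTYPE_IPV4, PAYLOAD, vid=20)        # not a member


def demo():
    return {
        "pc": phone_port.ingress_vlan(pc_frame),                           # 10
        "phone": phone_port.ingress_vlan(phone_frame),                     # 30
        "stray": phone_port.ingress_vlan(stray_frame),                     # None
        "pc_on_uplink": parse_frame(uplink.egress(VLAN_DATA, pc_frame))[2],   # 10, tag added
        "phone_out": parse_frame(phone_port.egress(VLAN_VOICE, phone_frame))[2],  # 30
        "untagged_on_uplink": uplink.ingress_vlan(pc_frame),               # None: no untagged VLAN
    }


def example_config():
    return procurve_config([phone_port, uplink], {VLAN_DATA: "Data", VLAN_VOICE: "Voice"},
                           mgmt_ip=(VLAN_DATA, "10.0.10.2", "255.255.255.0"))


if __name__ == "__main__":
    print(demo())
    print(example_config())
```

The `untagged_on_uplink` case is the point Pieter makes about the PIX side: a port that is only tagged in its VLANs has nowhere to put an untagged frame, so it is dropped, and nothing in the thread's design leaves VLAN 1 carrying production traffic on the uplink.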
Matt Axton
Occasional Advisor

Re: Default VLAN Native VLAN 2824 DHCP

As far as I am aware you can use any designated vlan you choose, it doesn't have to be tied to a specific vlan...

It is a two step process...

When the phone boots up it hits the DHCP server and leases any address it can, if you want to force the phone on to a particular vlan then you need to put in an additional DHCP option (174) and configure this string for stuff like tftp server, QVLAN_ID etc etc. If the phone finds the 174 string it reboots and sets its vlan to that specific vlan.

Step 2
When the pc starts up and gets an IP address through the phone it picks an address from either a valid DHCP server on that vlan or via the ip helper-address on the switch.

The IP helper-address statement needs to sit in each vlan so it can send the dhcp requests to the specific server.

Hope that is a bit clearer...

Regards
Matt