
VoIP VLAN Security setting

pcunite

Senior member
I have a 3Com Baseline Switch 2916-SFP Plus (basically a HP V1910-16G JE005A) and have it set to do automatic voice VLAN assignment. I can see the ports that have IP phones connected to them showing up as Tagged.

However, I can still ping the phone (and access its web interface) from a PC connected on another port. I thought they would be unreachable if Voice VLAN Port Security is enabled?

The port the phone is connected to shows up as untagged in VLAN1 and Tagged in VLAN2 ... so it is a hybrid port ... which is what I want.
 
Last edited:
Assuming the phone is in vlan 2, the only way you could be pinging it is if you had a device that is bridging or routing the vlans. Try tracert and see what device is linking the 2 networks. The port security generally doesn't control access like this, it is designed to allow only authorized devices, typically fed from a RADIUS server somewhere.

Also, what are the IPs and masks for the devices?
 
Last edited:
LAN Setup:
  • IPCop Linux box providing DHCP/DNS/default gateway, etc. to WAN.
  • Multiple PCs
  • VoIP phones
  • The DHCP server hands out 192.168.0.x to everything

Everything is connected to the 3Com switch. Tracert is therefore one hop. I'm new to VLAN. I'm only wanting the 3Com switch to prioritize VoIP traffic. I just assumed I could not ping the phones.

The port the phone is connected to seems to be in both VLANs. Is something incorrect?
 
Last edited:
I think I'm doing what this person is doing, I just did not realize it. It is called VLAN tagging. The switch recognizes the MAC address and puts that traffic automatically in VLAN2.

My question was, when I enable an option called port security which states:
Voice VLAN Port Security — Indicates if port security is enabled on
the Voice VLAN. Port Security ensures that packets arriving with an
unrecognized MAC address are dropped.


I thought the PC could not ping it (or access the webserver in the phone) ... but it can. Am I properly segmenting the voice and data networks? I'm not concerned about LAN security, just QoS (priority) VoIP traffic shaping.
 
Last edited:
Port security only works on ingress, blocking unknown MAC addresses based on a system like RADIUS. It by itself doesn't isolate the network. Most switches now support voice VLANs, which is just automated VLAN selection.

Since everything you have is in the same subnet going to the same router, it would indicate the vlans are simply bridged (or not activating) and they are able to ping each other.

Does the switch port status show the phones are in vlan 2? If so you should be able to QoS based on the vlan.
 
Does the switch port status show the phones are in vlan 2? If so you should be able to QoS based on the vlan.

Yes, when I restarted the phones, it placed them in VLAN2 and each port they are connected to shows up as "Tagged membership" now.

As you stated, everything is on the same subnet. The switch is placing things in different VLANs, however. The benefit for me, I guess, is that when a phone starts sending or receiving packets, the switch will QoS that traffic.

Since they are on the same subnet, do the phones have to answer NetBIOS broadcasts and other chatter?
 
Yes, when I restarted the phones, it placed them in VLAN2 and each port they are connected to shows up as "Tagged membership" now.

As you stated, everything is on the same subnet. The switch is placing things in different VLANs, however. The benefit for me, I guess, is that when a phone starts sending or receiving packets, the switch will QoS that traffic.

Since they are on the same subnet, do the phones have to answer NetBIOS broadcasts and other chatter?

Generally yes. Assuming the vlans are not bridged by the router, they are logically 2 broadcast domains for layer 2. They are still in the same Layer 3 broadcast domain however. I would either guess the router is bridging the network or handling at least proxy arp because splitting layer 2 while having the same layer 3 typically causes some very odd issues. I would suspect if you traced in to vlan2 you would see vlan1 arp traffic. This can be "fine" as long as you have the switch and router QoS on the vlan boundary.
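To make the point of this thread concrete (a tagged voice VLAN gives QoS, but phones and PCs sharing one IP subnet are not segmented, and port security does not change that), here is an added example that was not posted in the thread: a small Python check over a constructed inventory of switch-port VLAN membership and DHCP leases. The device names, VLAN numbers and addresses are made-up values chosen to mirror the setup described above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    kind: str   # "phone", "pc" or "router"
    vlan: int   # VLAN the switch placed this device's port in
    ip: str     # DHCP lease with prefix length, e.g. "192.168.0.50/24"


def subnet(d: Device) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(d.ip).network


def segmentation_report(devices):
    """Return (segmented, findings).

    segmented is True only when phones and PCs are on different VLANs AND
    different IP subnets. Port security is deliberately not consulted: it
    drops frames from unknown source MACs on ingress and says nothing about
    whether a PC can reach a phone.
    """
    findings = []
    phones = [d for d in devices if d.kind == "phone"]
    pcs = [d for d in devices if d.kind == "pc"]
    shared_vlans = {p.vlan for p in phones} & {c.vlan for c in pcs}
    if shared_vlans:
        findings.append(f"phones and PCs share VLAN(s) {sorted(shared_vlans)}: no L2 separation")
    for p in phones:
        for c in pcs:
            if p.vlan != c.vlan and subnet(p) == subnet(c):
                findings.append(
                    f"{c.name} (VLAN {c.vlan}) and {p.name} (VLAN {p.vlan}) both sit in "
                    f"{subnet(p)}: tagging gives QoS only; one L3 broadcast domain, so the PC "
                    f"reaches the phone whenever the router bridges or proxy-ARPs between VLANs")
    return (not findings, findings)


# Constructed inventory mirroring the thread: one router, PCs in VLAN 1,
# phones auto-placed in voice VLAN 2, everything leased from 192.168.0.0/24.
THREAD_SETUP = [
    Device("ipcop", "router", 1, "192.168.0.1/24"),
    Device("pc1", "pc", 1, "192.168.0.10/24"),
    Device("phone1", "phone", 2, "192.168.0.50/24"),
]

if __name__ == "__main__":
    ok, notes = segmentation_report(THREAD_SETUP)
    print("segmented" if ok else "NOT segmented")
    for n in notes:
        print(" -", n)
```

Giving the voice VLAN its own subnet (and restricting routing between the two on the router) is what turns the tagging into actual separation; the check reports that case as segmented.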
 