Best Practices for Voice and Data VLAN on a Single Port

Tags: spanning tree, switchport, trunk, vlan, voice

We have multiple interfaces currently configured with the below on our Cisco 3750x switch.

interface GigabitEthernet1/0/21
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport voice vlan 3
 spanning-tree portfast

Connected to these interfaces is a Shoretel phone, and a port on the Shoretel phone connects to a laptop or desktop. Our workstation VLAN is VLAN 4 and our Voice VLAN is VLAN 3, as you can see above. We are running DHCP pools within our switch, which have option 156 associated so that the phone will know which VLAN to pick up.

ip dhcp pool VOICE
 network 10.7.8.0 255.255.248.0
 option 4 ip 192.168.32.215
 default-router 10.7.8.1
 dns-server 10.7.0.101 192.168.30.205
 domain-name --omitted--
 option 156 ascii "ftpservers=10.7.8.9,layer2tagging=1,vlanid=3"
 lease 0 1
!

Questions:

What is the point of switchport trunk encapsulation dot1q within the interface configuration?

Also, is spanning-tree portfast really needed? We are not running spanning tree on our switch.

Why separate access and voice vlan? What is the purpose?

Best Answer

802.1Q tagging allows you to run multiple VLANs over a single, physical link. With phones, often the normal PC client VLAN remains untagged (access VLAN) while the VoIP VLAN is tagged.

Using a DHCP vendor option to tell the phones to use tagged VLAN x is a good method to avoid configuring each phone manually. You should consider limiting this option to phones, though (by MAC filter or vendor class), so a potential attacker has a harder time figuring out which VLAN to enter.

"Best practice" for my company is to not use the phone-integrated switches productively but run separate cables to the phones and the PC clients. The phone "through" port remains active as spare access to the client access VLAN.

The switchport trunk encapsulation dot1q enables 802.1Q tagging on the switch port.

spanning-tree portfast isn't really required but significantly decreases the delay between the port's physical link "up" and actual forwarding. STP port states usually delay forwarding until the port role has become clear. portfast starts forwarding immediately and still uses STP to discover redundant links, avoiding bridge loops.

Separate access and voice VLANs have several purposes. For one, separating the device types allows you to more easily prioritize voice traffic, so network congestion has no or less impact on VoIP. Additionally, separating traffic hinders listening in to the (mostly) unencrypted VoIP traffic or attacking the phones directly. When combined with port-level authentication (e.g. 802.1X or MACsec) or similar measures this can be rather secure.
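As an added example (not code from the question or the answer), a small Python audit over a constructed copy of the question's configuration that checks the points the answer raises: that each phone port's voice VLAN differs from its access VLAN, that portfast is present, and that the vlanid carried in DHCP option 156 matches the voice VLAN configured on the ports. The second interface, GigabitEthernet1/0/22, is invented here to trigger findings.

```python
import re

# Constructed sample: the interface and DHCP pool from the question, plus a
# hypothetical second port whose voice and access VLANs collide and lacks portfast.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/21
 switchport access vlan 4
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport voice vlan 3
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport access vlan 3
 switchport mode access
 switchport voice vlan 3
!
ip dhcp pool VOICE
 network 10.7.8.0 255.255.248.0
 option 156 ascii "ftpservers=10.7.8.9,layer2tagging=1,vlanid=3"
!
"""

def parse_option156(config):
    """Return the key=value pairs of the first 'option 156 ascii' line as a dict."""
    m = re.search(r'option 156 ascii "([^"]*)"', config)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split(","))

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [stripped stanza lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a non-interface block ends the stanza
    return stanzas

def audit(config):
    """Return (interface, finding) tuples for ports that carry a voice VLAN."""
    opt, findings = parse_option156(config), []
    for name, lines in parse_interfaces(config).items():
        access = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), None)
        voice = next((l.split()[-1] for l in lines if l.startswith("switchport voice vlan ")), None)
        if voice is None:
            continue  # not a phone port
        if access == voice:
            findings.append((name, "voice and access VLAN are the same; no separation"))
        if "spanning-tree portfast" not in lines:
            findings.append((name, "portfast missing; link-up to forwarding is delayed"))
        if opt.get("vlanid") and opt["vlanid"] != voice:
            findings.append((name, f"option 156 vlanid={opt['vlanid']} differs from voice vlan {voice}"))
    return findings
```

Run `audit()` over `show running-config` output to list phone ports that break the separation the answer describes.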
