Sunday, May 24, 2020

Design for Power Patch Panels or Inline Couplers


Powering the IP Phone with a Power Brick
Using a power brick to power a device is so simple that it warrants only brief mention.
Thus, the reason for this section is primarily to mention that most Cisco IP Phones do not
ship with power supplies. Cisco assumes most VoIP network deployments use PoE. If you
have to choose between purchasing power bricks and upgrading your switch infrastructure,
it’s wise to check the prices of the power bricks. The average Cisco IP Phone power
brick price is between $30–$40 USD. When pricing out a 48-switchport deployment, purchasing
power bricks for all the IP phones may very well be in the same price range as upgrading
the switch infrastructure.
Note: Some devices exceed the power capabilities of the 802.3af PoE standard. For
example, when you add a sidecar module to a Cisco IP Phone (typically to support more
line buttons), PoE connections can no longer support the device. These devices will need a
power brick adapter.
VLAN Concepts and Configuration
After the IP phone has received power, it must determine its VLAN assignment. Because
of security risks associated with having data and voice devices on the same network,
Cisco recommends isolating IP phones in VLANs dedicated to voice devices. To understand
how to implement this recommendation, let’s first review a few key VLAN concepts.
VLAN Review
When VLANs were introduced a number of years ago, the concept was so radical and
beneficial that it was immediately adopted into the industry. Nowadays, it is rare to find
any reasonably sized network that is not using VLANs in some way. VLANs allow you to break up switched environments into multiple broadcast domains.
Here is the basic summary of a VLAN:
A VLAN = A Broadcast Domain = An IP Subnet
There are many benefits to using VLANs in an organization, some of which include the
following:
■ Increased performance: By reducing the size of the broadcast domain, network
devices run more efficiently.
■ Improved manageability: The division of the network into logical groups of users,
applications, or servers allows you to understand and manage the network better.
■ Physical topology independence: VLANs allow you to group users regardless of
their physical location in the campus network. If departments grow or relocate to a
new area of the network, you can simply change the VLAN on their new ports without
making any physical network changes.
■ Increased security: A VLAN boundary marks the end of a logical subnet. To reach
other subnets (VLANs), you must pass through a routed (Layer 3) device. Any time
you send traffic through a router, you have the opportunity to add filtering options
(such as access lists) and other security measures.
VLAN Trunking/Tagging
VLANs are able to transcend individual switches, as shown in Figure 3-4.
If a member of VLAN_GRAY sends a broadcast message, it goes to all VLAN_GRAY
ports on both switches. The same holds true for VLAN_WHITE. To accommodate this,
the connection between the switches must carry traffic for multiple VLANs. This type of
port is known as a trunk port.
Trunk ports are often called tagged ports because the switches send frames between each
other with a VLAN “tag” in place. Figure 3-5 illustrates the following process:
1. HostA (in VLAN_GRAY) wants to send data to HostD (also in VLAN_GRAY).
HostA transmits the data to SwitchA.
2. SwitchA receives the data and realizes that HostD is available through the FastEthernet
0/24 port (because HostD’s MAC address has been learned on this port). Because
FastEthernet 0/24 is configured as a trunk port, SwitchA inserts the VLAN_GRAY tag
into the Ethernet frame header (between the source MAC address and the EtherType
field; the IP header inside the frame is not touched) and sends the frame to SwitchB.
3. SwitchB processes the VLAN_GRAY tag because the FastEthernet 0/24 port is configured
as a trunk. Before sending the frame to HostD, the VLAN_GRAY tag is removed
from the frame header.
4. The tagless frame is sent to HostD.
58 CCNA Voice 640-461 Official Cert Guide
Using this process, the PC never knows what VLAN it belongs to. The VLAN tag is applied
when the incoming frame crosses a trunk port. The VLAN tag is removed when exiting
the port to the destination PC. Always keep in mind that VLANs are a switching
concept; the PCs never participate in the VLAN tagging process.
VLANs are not a Cisco-only technology. Just about all managed switch vendors support
VLANs. In order for VLANs to operate in a mixed-vendor environment, a common trunking
or “tagging” language must exist between them. This language is the IEEE 802.1Q standard.
Managed switches from every major vendor recognize and understand the 802.1Q tag, which is
what allows us to trunk between switches in any environment.
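To make the tag placement concrete, here is an added Python example (it is not code from the cert guide) that builds an 802.1Q-tagged frame the way SwitchA would, parses it, and strips the tag the way SwitchB does before handing the frame to HostD. The MAC addresses and the payload are constructed for the example; the point it shows is that the 4-byte tag lives in the Ethernet header between the source MAC and the EtherType, and the IP header is never modified.

```python
"""Build and parse 802.1Q-tagged Ethernet frames.

Added example, not code from the CCNA Voice guide. The MAC addresses and the
payload below are constructed for illustration. The 4-byte 802.1Q tag sits in
the Ethernet header, between the source MAC and the EtherType; the IP header
inside the payload is never modified.

Tag layout (big-endian):
    TPID  16 bits  0x8100, marks the frame as tagged
    PCP    3 bits  priority (Cisco IP Phones mark voice with CoS 5)
    DEI    1 bit   drop eligible indicator
    VID   12 bits  VLAN ID, 1..4094
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample data (HostA -> HostD from the Figure 3-5 walk-through)
HOST_A_MAC = bytes.fromhex("0011aa000001")
HOST_D_MAC = bytes.fromhex("0011aa000004")
# A fake 20-byte IPv4 header; the checksum is not meaningful
SAMPLE_PAYLOAD = bytes.fromhex("4500001c0001000040117cce0a0a0a010a0a0a04")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Return raw frame bytes; inserts an 802.1Q tag only if vlan_id is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP must be 0..7")
        tci = (pcp << 13) | vlan_id          # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Decode a frame, recognising a tag by TPID 0x8100 at the EtherType offset."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    offset = 12
    ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
    vlan_id: Optional[int] = None
    pcp = 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", raw[14:16])[0]
        pcp = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 16
        ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
    return Frame(dst, src, vlan_id, pcp, ethertype, raw[offset + 2:])


def strip_tag(raw: bytes) -> bytes:
    """What SwitchB does before forwarding to HostD: drop the tag, keep everything else."""
    f = parse_frame(raw)
    return build_frame(f.dst, f.src, f.ethertype, f.payload)


if __name__ == "__main__":
    tagged = build_frame(HOST_D_MAC, HOST_A_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD,
                         vlan_id=10, pcp=5)
    print("on the trunk :", tagged.hex())
    print("to HostD     :", strip_tag(tagged).hex())
    print("parsed       :", parse_frame(tagged))
```

Running it shows the tagged frame is exactly four bytes longer than the untagged one, with `8100 a00a` (TPID, then PCP 5 and VID 10) sitting right after the two MAC addresses; the bytes of the IP header come through unchanged in both versions.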
Understanding Voice VLANs
It is a common and recommended practice to separate voice and data traffic by using
VLANs. There are already easy-to-use applications available, such as Wireshark and Voice
Over Misconfigured Internet Telephones (VOMIT), that allow intruders to capture voice
conversations on the network and convert them into WAV data files. Separating voice and
data traffic using VLANs provides a security boundary: a PC in the data VLAN never sees
voice frames at Layer 2, and any traffic that does cross between the two VLANs has to pass
through a Layer 3 device, where it can be filtered. It also gives you a simpler method to
deploy QoS, prioritizing the voice traffic over the data.
One initial difficulty you can encounter when separating voice and data traffic is the fact
that PCs are often connected to the network using the Ethernet port on the back of a
Cisco IP Phone. Because you can assign a switchport to only a single access VLAN, it initially
seems impossible to separate voice and data traffic. That is, until you see that Cisco IP
Phones support 802.1Q tagging.
The switch built into Cisco IP Phones has much of the same hardware that exists inside of
a full Cisco switch. The incoming switchport is able to receive and send 802.1Q-tagged
frames. This gives you the capability to establish a type of trunk connection between the Cisco switch and the IP phone, as shown in Figure
Sure enough, VLANs 10 (VOICE) and 50 (DATA) now appear as valid VLANs on the
switch. Now that the VLANs exist, you can assign the ports attaching to Cisco IP Phones
(with PCs connected to the IP Phone) to the VLANs, as shown in Example 3-2.
Example 3-2 Assigning Voice and Data VLANs
Switch#configure terminal
Switch(config)#interface range fa0/2 - 24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#spanning-tree portfast
Switch(config-if-range)#switchport access vlan 50
Switch(config-if-range)#switchport voice vlan 10
Switch(config-if-range)#end
Switch#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
10   VOICE                            active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
50   DATA                             active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Note: When connecting Cisco IP Phones to a switch, you should also enable PortFast
(using spanning-tree portfast, as shown in Example 3-2), because the IP phones boot
quickly and request a DHCP-assigned address before a typical port with spanning tree
enabled would go active. Also, keep in mind that port Fa0/1 does not appear in the
Example 3-2 output because it is configured as a trunk port; show vlan brief lists only
access ports (here Fa0/2 through Fa0/24) under each VLAN.
The ports are now configured to support a voice VLAN of 10 and a data VLAN of 50.
This syntax is a newer form of configuration for IP Phone connections. In the “old days,”
you would configure the interface as a trunk port because the switch was establishing a
trunking relationship between it and the IP phone. This was less secure because a hacker
could remove the IP phone from the switchport and attach their own device (another managed
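The difference between the old trunk-style phone port and the access-plus-voice-VLAN form is easy to check mechanically. Here is an added Python example (it is not code from the cert guide) that reads a Cisco IOS running-config, picks out every port that carries a switchport voice vlan command, and reports the weaknesses the text describes: a phone port left in trunk mode, a port never pinned to switchport mode access (so it stays at its dynamic DTP default and may negotiate a trunk with whatever is plugged in), a missing data VLAN, and a missing spanning-tree portfast. The running-config text and the finding codes are this example's own, constructed for illustration.

```python
"""Audit phone-facing switchports in a Cisco IOS running-config.

Added example, not code from the CCNA Voice guide. The config below is
constructed for the example, and the finding codes (TRUNK-MODE, DYNAMIC-MODE,
NO-DATA-VLAN, NO-PORTFAST) are this script's own labels.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description uplink to SwitchB
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 50
 switchport voice vlan 10
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode trunk
 switchport voice vlan 10
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 50
!
interface FastEthernet0/5
 switchport access vlan 50
 switchport voice vlan 10
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None   # '!' or a global command ends the block
    return interfaces


def audit_phone_ports(config: str) -> Dict[str, List[str]]:
    """Return {interface: [finding, ...]} for every port that has a voice VLAN."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport voice vlan ") for c in cmds):
            continue            # uplinks and PC-only ports are out of scope here
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        has_data_vlan = any(c.startswith("switchport access vlan ") for c in cmds)
        has_portfast = "spanning-tree portfast" in cmds
        problems: List[str] = []
        if mode == "trunk":
            problems.append("TRUNK-MODE: old-style phone port; an attacker who replaces the "
                            "phone with a managed switch gets a trunk carrying every VLAN. "
                            "Use 'switchport mode access' with 'switchport voice vlan'.")
        elif mode != "access":
            problems.append("DYNAMIC-MODE: no 'switchport mode access'; the port stays at its "
                            "DTP default and may negotiate a trunk with an attached switch.")
        if not has_data_vlan:
            problems.append("NO-DATA-VLAN: no 'switchport access vlan'; the PC behind the phone "
                            "falls into VLAN 1 (the default access/native VLAN).")
        if not has_portfast:
            problems.append("NO-PORTFAST: the phone may send its DHCP request before the port "
                            "leaves the spanning-tree listening/learning states.")
        findings[name] = problems
    return findings


def finding_codes(config: str) -> Dict[str, List[str]]:
    """Same audit, reduced to the code before the colon (handy for dashboards)."""
    return {name: [f.split(":", 1)[0] for f in probs]
            for name, probs in audit_phone_ports(config).items()}


if __name__ == "__main__":
    for port, probs in audit_phone_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not probs else "")
        for p in probs:
            print("   ", p)
```

On the constructed config, FastEthernet0/2 (the Example 3-2 form) comes back clean, FastEthernet0/3 is flagged as the old trunk-style phone port with no data VLAN, and FastEthernet0/5 is flagged for never being set to access mode and for lacking PortFast. The uplink Fa0/1 and the PC-only port Fa0/4 carry no voice VLAN and are deliberately left out of the report.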