
I followed instructions listed here --> https://community.polycom.com/t5/VoIP-SIP-Phones/FAQ-Utilizing-VLAN-s-with-Polycom-phones/td-p/38100. But came up short.

So I have computers (VLAN 1) and these patch into the bottom of Polycom VVX phones, which I wish to separate into VLAN 11.

I disabled CDP and LLDP on the Cisco SG300-28PP switch. And I defined VLAN 11, and added it as an allowed trunk to all interfaces on the Cisco SG300-28PP switch. I also disabled these two protocols on the Polycom VVX's. I enabled a fixed discovery for Option 128 on the Polycom VVX's. I added the Option 128 for VLAN-A=11; on the DHCP server (in this case a Windows 2012 R2 box). While the computers are networked fine via VLAN 1, the phones wouldn't grab a DHCP address as part of the VLAN 11 network.

The two networks come from the Cisco SG300-28PP into a Cisco ASA 5505, one interface for VLAN 1 and another interface for VLAN 11. I have DHCP Relay set up on the Cisco ASA 5505 so that requests coming in from VLAN 11 (10.4.4.0/24) are forwarded to 10.0.4.5 on VLAN 1 (10.0.4.0/24).

Below is the switch config, along with a snippet from the ASA config and a screenshot of the DHCP scope that's defined. Any ideas what I could be missing?

Switch:

config-file-header
switchae111f
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch 

file SSD indicator plaintext
@
no cdp run 
vlan database
vlan 11 
exit
voice vlan id 11 
voice vlan state disabled 
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no lldp run 
hostname switchae111f
management access-list All
permit 
exit
management access-list SSH
permit service ssh 
exit
management access-class All
username cisco password encrypted ------ privilege 15 
ip ssh server
ip ssh password-auth 
ip ssh-client server authentication 
clock timezone " " -5
clock summer-time web recurring usa 
clock source sntp
clock source browser
sntp unicast client enable
sntp unicast client poll
sntp server 10.0.4.5 
clock dhcp timezone
!
interface vlan 11
 name voip 
!
interface gigabitethernet1
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet2
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet3
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet4
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet5
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet6
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet7
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet8
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet9
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet10
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet11
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet12
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet13
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet14
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet15
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet16
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet17
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet18
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet19
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet20
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet21
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet22
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet23
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet24
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet25
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet26
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet27
 switchport trunk allowed vlan add 11 
!
interface gigabitethernet28
 switchport trunk allowed vlan add 11 
!
exit
no macro auto processing cdp 
no macro auto processing lldp 
ip ssh-client key rsa key-pair

ASA:

names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 11
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.4.1 255.255.255.0 
!
interface Vlan2
 description time-warner-bc-static
 nameif outside
 security-level 0
 ip address 74.143.200.234 255.255.255.248 
!
interface Vlan11
 nameif voip
 security-level 100
 ip address 10.4.4.1 255.255.255.0 
!
interface Vlan12
 description Cisco RV110W VPN Firewall
 nameif wireless
 security-level 99
 ip address 192.168.100.1 255.255.255.0 
!

same-security-traffic permit inter-interface

!
dhcprelay server 10.0.4.5 inside
dhcprelay enable wireless
dhcprelay enable voip
dhcprelay timeout 60

VoIP DHCP Scope

gregarican
  • Are you sure the ASA is forwarding DHCP requests? Check your logs. Is the ASA the default gateway for both VLANs? – Ron Trunk Jul 29 '19 at 19:37
  • The ASA's Port 0/1 is where VLAN 1 comes in from the switch. And the ASA's Port 0/3 is where VLAN 11 comes in from the switch. I'll paste the pertinent sections of the ASA config in a separate comment. I didn't verify the DHCP requests were being forwarded between interfaces, but I have a Wireless VLAN patched into Port 0/2 on the ASA and those DHCP requests are relayed over just fine. The DHCP Server at 10.0.4.5 has scopes set up for three networks and the VLAN 11 network is the only one that isn't leasing. – gregarican Jul 30 '19 at 12:47
  • Is the option configured for the vlan 1 scope or vlan 11 scope? – Ron Trunk Jul 30 '19 at 12:53
  • The option is configured for the VLAN 11 scope. I even tried hard-coding VLAN 11 into the Polycom VVX phones and they still wouldn't lease an IP. – gregarican Jul 30 '19 at 12:55
  • You need the option on vlan 1 scope. That's how the phone learns that it should use vlan 11. Otherwise, how does it know which vlan to use? – Ron Trunk Jul 30 '19 at 13:03
  • According to the documentation, the phones have DHCP discovery enabled, and are defined with Option 128. So they discover VLAN 11 that way. I have a makeshift test lab that I plan on getting set up this week. Perhaps I can go through the scenarios using that, since I don't want to hit production again until I have a clear-cut solution :) – gregarican Jul 30 '19 at 13:12
  • I think you misunderstand how the phone uses DHCP. The "discover" message simply says, "Are there any DHCP servers out there?" There is no mechanism in DHCP to say "what VLAN scopes do you have?" The phone boots up and generates a DHCP discovery message on the native VLAN (VLAN 1). In the DHCP server response (offer), option 128 is configured to tell the phone that it should be using VLAN 11. The phone reboots and now generates a DHCP discover message on VLAN 11. The server responds with an address in the VLAN 11 scope. – Ron Trunk Jul 30 '19 at 13:31
  • Reading more online documentation, I see where this Option 128 does likely need to be added to the VLAN 1 scope. So that way the phones can 100% see this and be pointed over to VLAN 11. I will try that in my test lab as soon as I can get it set up. The Polycom documentation for configuring this didn't specify everything. Appreciate your help! – gregarican Jul 30 '19 at 13:32

1 Answer

The phones look for a custom option (128) in the DHCP offer message to learn which VLAN they should use. This option must be configured on the DHCP scope for the native (untagged) VLAN.

The phone boot process is:

  1. Boot up and generate a DHCP discover message on the native VLAN (Vlan 1 in this case).
  2. The DHCP server responds with a DHCP offer message. This message includes the custom option 128. The option string includes which VLAN the phones should use ("VLAN-A=11;").
  3. The phone reboots and generates a DHCP discover message on VLAN 11 (tagged with a VID=11).
  4. The DHCP server responds with an offer from the configured VLAN 11 scope.
  5. The phone uses the address on VLAN 11, and continues its boot process.
Ron Trunk
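
The check implied by steps 1 and 2, as an added example that is not part of the original answer: parse the options field of a DHCP offer seen on the native VLAN and confirm it carries option 128 with a well-formed `VLAN-A=<id>;` string. The sample offers are constructed, and the function names and the strict string format are assumptions.

```python
import re

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the options field in every DHCP message

def opt(code: int, value: bytes) -> bytes:
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value

def parse_dhcp_options(field: bytes) -> dict:
    """Walk the code/length/value options that follow the magic cookie."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    parsed, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 255:      # End option
            break
        if code == 0:        # Pad option is a single byte
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        parsed[code] = value
        i += 2 + length
    return parsed

def voice_vlan_from_offer(field: bytes, option_code: int = 128):
    """Return the VLAN ID carried in 'VLAN-A=<id>;', or None if the option is absent."""
    raw = parse_dhcp_options(field).get(option_code)
    if raw is None:
        return None          # the offer names no VLAN for the phone to move to
    match = re.fullmatch(r"VLAN-A=(\d{1,4});", raw.decode("ascii", "replace").strip("\x00 "))
    if not match or not 1 <= int(match.group(1)) <= 4094:
        raise ValueError(f"malformed option {option_code}: {raw!r}")
    return int(match.group(1))

# Constructed sample offers (not captured traffic): message type OFFER, mask, router.
COMMON = opt(53, b"\x02") + opt(1, bytes([255, 255, 255, 0])) + opt(3, bytes([10, 0, 4, 1]))
OFFER_VLAN1_WITH_128 = MAGIC_COOKIE + COMMON + opt(128, b"VLAN-A=11;") + b"\xff"
OFFER_VLAN1_WITHOUT_128 = MAGIC_COOKIE + b"\x00" + COMMON + b"\xff"

if __name__ == "__main__":
    for name, offer in [("with option 128", OFFER_VLAN1_WITH_128),
                        ("without option 128", OFFER_VLAN1_WITHOUT_128)]:
        print(name, "->", voice_vlan_from_offer(offer))
```

The second sample models an offer from a VLAN 1 scope that lacks the option, which is the case where the phone has nothing telling it to retry on VLAN 11.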