Wireshark-users: Re: [Wireshark-users] Huge VoIP Problem :(

From: Marc Luethi <netztier@xxxxxxxxxx>
Date: Fri, 19 Jun 2009 23:47:06 +0200
On Fri, 2009-06-19 at 09:40 -0400, Mark Jeffers wrote:
> The phones actually act as a level 2 switch themselves.   They tag
> their own packets for VLAN9 (the voice VLAN on my network) and tag the
> packets of the PC attached to them (if there is one) as VLAN1.

Do they actually _tag_ the PC's packets to VLAN 1? On 802.1q trunks,
VLAN 1 generally is the "native" VLAN and does not have the extra 4
bytes and therefore no tag. It is however possible to tag the native
VLAN as well - in general, this option must be activated, though.
 
> Attaching a phone and a pc to the same switch port has made me nervous
> from day one, but the vendor swore up and down it would work no
> problem. 

It definitely isn't. Provided you configure the switch port as 802.1q
link (being a cisco-i-fied persion, I use the term "802.1q trunk" often,
although other vendors use "trunk" to refer to multiple parallel
ethernet links)

In your case, the switch port for a Phone+PC should then be configured
to send packets for VLAN 9 with tags, and packets for VLAN 1 without (or
with, depending if the phone is configured to send VLAN 1 packets with
tags or without).

Make sure that no packets for/from other VLANs (than 1 and 9) go out of
the switch on those Phone+PC ports.

> Also, one thing that has me shaking my head in disbelief is that while
> Allworx built their phones with VLAN tagging abilities, their main
> phone server can't tag its own packets.

Perfectly allright. Just make sure that the server's switch port is
"VLAN 9 only" and sends untagged frames. (Cisco speak: "switchport
access vlan 9)

> But anyway, I was of course suspicious of the pc/phone combo, but some
> of my most problematic phones have no pc attached to them.  Plus, I
> figured building the VLANs would solve any problem related to that.
> Perhaps I was wrong?


Well, VLANing is a good way to separate traffic, but some consideration
is necessary to make it work.

Questions:

- are there any inter switch links between the voice server's switch
  port and the Phone+PC's switch ports? 
- if yes, is that/these interswitch link properly configured as 802.1q links 
  to carry the needed VLANs (and if possible, exclusively the needed ones)?
- actual voice traffic is between the phones directly, not between 
  the phone and the SIP server; phone-to-server is only used for call 
  setup and registration.
- are the firewall's switch ports configured properly as untagged for
  VLAN 1 and VLAN 9, respectively (assuming that the FW does not do
  tagging itself).
- since VLAN 1 and VLAN 9 are meant to be different broadcast domains,
  do they have different IP subnets?
- is there any other device (besides the firewall) that has each 
  a "leg" into VLAN 1 and VLAN 9? Make sure that it does not "bridge" 
  nor "route" between these VLANs.


regards

Marc