Following from yesterday's post,
correspondence with our Nortel expert has yielded a few interesting points,
but no complete solution:
If the phone were to accept packets addressed to its MAC address
regardless of the presence or absence of the 802.1Q tag, we could set the
edge switch to strip all tags on egress, and everything would work. Pity
the SOPHO Dterm doesn't do that....
More recent versions of the Passport 8600's firmware can untag frames
from the PVID and leave all other frames tagged. However, few of us are
directly connected to an 8600....
config ethernet <ports> untag-port-default-vlan enable
Anyway, we now understand the issue fairly thoroughly and can work
around it. The phones that we've deployed are working very well so far.
After a morning of fighting
experimenting with VLAN tagging, my desk had become ensnared in a
spider's web of network cable....

Nortel switches vs. 802.1Q vs. Philips phones: We're trying out
Philips' VOIP system, and we've chosen to put the phones and PBX IP
interfaces on one subnet on a dedicated VOIP VLAN. For our initial testing
phase in Struben, we'll need to use passthrough network access (we don't
have many free network ports in our offices) and our desktops will still need
to be on the usual data VLAN. Thus both VLANs must be carried from the edge
switch to the phone and at least the data VLAN must continue through the
phone's switch to the PC, and the link to the desktop must become an (at
least partially) tagged trunk.
We've deduced that the Philips SOPHO Dterm IP phones in question have
a dumb three-port switch built-in, and the main phone circuitry has an
Ethernet interface to one port of the switch. That interface can be
configured to send and receive tagged frames, which makes it simple to get
the voice traffic onto the voice VLAN.
However, all other traffic bound for the PC will pass through the dumb
switch unmodified. In the case of packets going upstream from the PC to the
edge switch, that's not too much of a problem: the PC will send untagged
frames, they'll pass through the phone, and the edge switch will apply the
port's PVID. In the downstream case, either:
i. the PC must be able to understand tagged frames, or
ii. the switch must send frames from the data VLAN to the PC untagged.
Option i is not always desirable, because Windows is not very good at
that. If you're using the Intel PROset drivers, it's easy; if you're using
a Realtek 8139 (as many PCs on campus do), you're stuck (Guy spent a good
part of the afternoon delving into NDIS to come to that conclusion). If
you're using FreeBSD, creating a vlan(4) interface makes it easy.
I'd hoped option ii would be easy. But, in the case of the Nortel
BayStack 450, 425 and Passport 8600, one can either configure a port as an
entirely tagged trunk, or an entirely untagged access port. It doesn't seem
possible to configure them such that frames from the voice VLAN should be
tagged, while frames from the data VLAN should be untagged. We tried with a
D-Link switch, and were able to do so, because it allows tagging to be
turned on/off on a per-VLAN-per-port basis. Apparently Cisco Catalysts can
achieve a similar effect. Later, we got our hands on a BayStack 460, which
allows you to choose between tagged trunk, access port, only PVID tagged,
only PVID untagged - the last option does what we want. Unfortunately,
there's only one 460 on campus, and there are heaps of 450s and 425s
deployed.
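The port modes discussed above can be compared with a small model. This is an added example, not code from the original post or from any vendor; the VLAN IDs, mode names and function names are assumptions made for illustration, and the data VLAN is taken to be the port's PVID.

```python
# Added illustration: which edge-port egress mode serves both the phone and a
# PC behind the phone's dumb switch. VLAN IDs are hypothetical.
VOICE, DATA = 20, 10   # DATA is assumed to be the port's PVID

# Egress rule per port mode: does a frame belonging to `vlan` leave tagged?
PORT_MODES = {
    "tagged trunk":    lambda vlan, pvid: True,
    "untagged access": lambda vlan, pvid: False,   # all tags stripped
    "tag PVID only":   lambda vlan, pvid: vlan == pvid,
    "untag PVID only": lambda vlan, pvid: vlan != pvid,
}

def egress(mode, vlan, pvid=DATA):
    """Return the 802.1Q VLAN ID on the wire, or None if the frame is untagged."""
    return vlan if PORT_MODES[mode](vlan, pvid) else None

def phone_accepts(tag):
    # The phone's interface is configured for tagged voice frames and,
    # as the post notes, does not accept them without the tag.
    return tag == VOICE

def pc_accepts(tag, pc_handles_tags=False):
    # The phone's built-in switch forwards frames to the PC unmodified,
    # so the PC sees exactly what the edge switch sent.
    return tag is None or (pc_handles_tags and tag == DATA)

def evaluate(mode, pc_handles_tags=False):
    """Return (voice reaches phone, data reaches PC) for downstream traffic."""
    return (phone_accepts(egress(mode, VOICE)),
            pc_accepts(egress(mode, DATA), pc_handles_tags))

def working_modes(pc_handles_tags=False):
    """List the port modes in which both the phone and the PC get their frames."""
    return [m for m in PORT_MODES if all(evaluate(m, pc_handles_tags))]

if __name__ == "__main__":
    for mode in PORT_MODES:
        print(f"{mode:16} plain PC: {evaluate(mode)}  "
              f"tag-aware PC: {evaluate(mode, True)}")
    print("plain PC works with:    ", working_modes())
    print("tag-aware PC works with:", working_modes(True))
```

With a PC that cannot handle tags, only the "untag PVID only" mode passes both checks; a tag-aware PC (option i) also works on a fully tagged trunk.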
It took most of the day for us to conclude that if you need to use
passthrough and you're connected to a 450/425/8600, then
- either your PC will have to handle detagging the packets, or
- you'll have to run phone and PC on the same VLAN.
On the Philips side, we've sent a query to the U.S. developers of the
system via Holland to see if they have any advice; while on the Nortel side,
we've asked our supplier's local Nortel guru to see if he can find any way
to make the 450/425/8600s do what we want. We'll see if they come up with
any good ideas.
It's very seldom that Grahamstown is quite this misty at 8:25 when I go
to work....