Cisco SWITCH Campus VoIP Refresh. Part 2 – Voice VLANs

Voice VLANs

Back in the day, people configured the access ports on a switch as trunks so that an IP phone could send its voice VLAN traffic up the link tagged, alongside the untagged data VLAN traffic from the PC behind it.

This is a bad thing: a trunk facing a user desk accepts tagged frames for every VLAN the trunk allows, so whatever is plugged in (not just the phone) can put itself into any of those VLANs. Those days are gone. You now use dual VLANs, voice VLANs, however you want to describe it: exactly two VLANs accepted on an access port.

The idea is that 'default' compute data traffic is assigned to the access VLAN configured on that switch port, and all the voice traffic sourced from the phone is placed into the voice VLAN configured on that switch port. The switch tells the phone which VLAN to use over CDP (or LLDP-MED), the same exchange that carries power negotiation and the like; the phone then tags its own frames with the voice VLAN ID in an 802.1Q header and passes the PC's frames through untagged.

Configuration is particularly simple.

Ensure your switchport is an access port (which also stops it negotiating a trunk with whatever is attached) and configure a data VLAN, which I hope is not VLAN 1.

SW3(config-if)#switchport mode access
SW3(config-if)#switchport access vlan 22
SW3(config-if)#switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don't tell telephone about voice vlan
  untagged  Untagged on PVID

To set the voice VLAN, specify a VLAN number. This is by far the most common use, and for most deployments the configuration ends there.

The other options are:
The dot1p option tells the phone to send its voice frames priority-tagged (an 802.1Q tag carrying VLAN ID 0 and the CoS bits) on the port's access VLAN, so voice shares the data VLAN but is still marked for QoS.
The untagged option tells the phone to send voice frames untagged on the access VLAN without setting any CoS values.
The none option does what it says on the tin: the switch does not tell the phone about any voice VLAN, and the phone uses whatever it has been configured with itself.
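As an added example (not the original post's configuration), here is the complete access port the text describes, with the two VLANs plus the protections a practitioner would put on a user-facing port: a secure MAC limit that allows the phone and one PC, and BPDU guard so a rogue switch on the desk cannot join spanning tree. The VLAN numbers, description and interface are assumed. If show port-security shows the phone's address learned on both VLANs (older phones and IOS releases do this), raise the maximum to 3.

```text
! Assumed: data VLAN 22, voice VLAN 122, port FastEthernet0/24 (example, not from the original post)
interface FastEthernet0/24
 description User desk: PC behind Cisco IP phone
 switchport mode access
 switchport access vlan 22
 switchport voice vlan 122
 ! Limit the port to two MAC addresses: the phone on the voice VLAN
 ! and the PC on the data VLAN. A third address is dropped and logged.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Edge port: go straight to forwarding, but err-disable the port if a BPDU arrives
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify what the phone was told and that the port is not a trunk:
!   show interfaces FastEthernet0/24 switchport
!     (check Administrative Mode: static access, Access Mode VLAN: 22, Voice VLAN: 122)
!   show port-security interface FastEthernet0/24
!   show cdp neighbors FastEthernet0/24 detail
```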

There is one other voice VLAN command which is a little obscure but seems to be a protection mechanism:

SW3(config-if)#switchport voice detect cisco-phone full-duplex

This command can be entered without the full-duplex keyword.
The best description I can find of this command is that, if a device wants to communicate on the voice VLAN, it has to have drawn PoE from the switch, speak CDP and be full-duplex.
Without the full-duplex keyword, I think it simply has to communicate on the voice VLAN and have drawn PoE from the switch; half-duplex is acceptable.
If these criteria aren't met, the switchport goes into err-disable.
I guess the summary of that command is that you can't go plugging anything into the port other than a CDP-speaking PoE phone, on either half or full duplex.

*Update* I haven't been able to recreate this using a 1130AG Access Point, an ESXi host and a switch-to-switch link as test devices plugged into access ports.
What does happen, however, is that you get a log message:

*Mar  1 00:03:59.066: %CPDE-6-DETECT: Cisco IP Phone 7940 detected on FastEthernet0/24 in full duplex mode

Perhaps this is all it is? You can then use this information to track device usage and deployment from your log aggregation systems. Still, not a feature I'm going to lose sleep over.

 

Cisco SWITCH Campus VoIP Refresh. Part 1 – POE

Support for IP Phones is provided by all modern Cisco Catalyst switches.

The normal functions required to support the phones are:

PoE

This review of PoE goes far beyond the knowledge required for SWITCH 642-813

Standards

IEEE 802.3af, known as PoE, providing up to 15.4 W per port at the switch (12.95 W guaranteed at the powered device after cable loss).
IEEE 802.3at, known as PoE+, able to provide up to 30 W per port at the switch (25.5 W at the powered device).

PoE on switches which carry the feature is usually on by default (admin mode auto on every port).
To review the power status of your switch's interfaces, use these commands:

SW3#show power inline
Available:370.0(w)  Used:0.0(w)  Remaining:370.0(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa0/1     auto   off        0.0     n/a                 n/a   15.4
Fa0/2     auto   off        0.0     n/a                 n/a   15.4
Fa0/3     auto   off        0.0     n/a                 n/a   15.4
Fa0/4     auto   off        0.0     n/a                 n/a   15.4
Fa0/5     auto   off        0.0     n/a                 n/a   15.4
<truncated for brevity>

And to view the consumption configuration:

SW3#show power inline consumption
Interface  Consumption  Admin
           Configured   Consumption (Watts)
---------- -----------  -------------------
Fa0/1      NO           0.0
Fa0/2      NO           0.0
Fa0/3      NO           0.0
Fa0/4      NO           0.0
Fa0/5      NO           0.0
<truncated for brevity>

You can remove PoE from an interface by using the interface command

SW3(config)#int fa 0/1
SW3(config-if)#power inline never
SW3(config-if)#do sh power inline
Available:370.0(w)  Used:0.0(w)  Remaining:370.0(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Fa0/1     off    off        0.0     n/a                 n/a   15.4
Fa0/2     auto   off        0.0     n/a                 n/a   15.4
<truncated for brevity>

You can now see that the Fa0/1 interface will never provide power.

When PoE is enabled, the switch measures the real-time power consumption of the connected powered device; this is called power monitoring or power sensing. On platforms that support it, the switch can also police that consumption against the power allocated to the port (the power policing feature) rather than only reporting it.

Separately, you can change how much power the switch budgets for a port, either globally or on a per-port basis.

By using the power inline consumption wattage configuration command,
you can override the default power requirement specified by the IEEE classification.
The difference between what is mandated by the IEEE classification and what is actually
needed by the device is reclaimed into the global power budget for use by additional devices.
You can then extend the switch power budget and use it more effectively.

For example, if the switch budgets 15,400 milliwatts on each PoE port as it does by default (3560/3750),
you can connect only 24 Class 0 powered devices. If your Class 0 device power
requirement is actually 5000 milliwatts, you can set the consumption wattage to
5000 milliwatts and connect up to 48 devices. The total PoE output power available
on a 24-port or 48-port 3560/3750 PoE switch is 370,000 milliwatts.

Globally:

SW3(config)#power inline consumption default 5000
%CAUTION: Misconfiguring the 'power inline consumption/allocation'
 command may cause damage to the switch and void your warranty. Take
 precaution not to oversubscribe the power supply. Refer to documentation.

Strangely, there doesn't seem to be a show command in which you can see that this global command is in effect.
Neither of these commands has a different output as a result of it being configured:

SW3#show power inline 
SW3#show power inline consumption

Whereas the per-interface configuration below does show up in the command:

SW3#show power inline consumption
Interface  Consumption  Admin
           Configured   Consumption (Watts)
---------- -----------  -------------------
Fa0/1      NO           0.0
Fa0/2      YES          5.0
Fa0/3      NO           0.0

Per interface, you configure your ports like so:

SW3(config-if)#power inline consumption 5000 
%CAUTION: Interface Fa0/2: Misconfiguring the 'power inline
 consumption/allocation' command may cause damage to the switch and void
 your warranty. Take precaution not to oversubscribe the power supply.
 It is recommended to enable power policing if the switch supports it.
 Refer to documentation.

As the warnings from the budget modifications above say, you should enable power policing, so that a device drawing more than it was allocated is shut down rather than silently eating into the budget every other port depends on.

Be clear about which command does what: power inline auto max sets the most the switch will allocate to a port, whereas power policing (power inline police, on platforms that support it) acts on what the attached device actually draws against that allocation. Both are per-interface commands, so use an interface range covering all your access ports; the line below caps the allocation at 5 W on every port:

SW3(config)#interface range fastethernet 0/1 - 48
SW3(config-if-range)#power inline auto max 5000
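Here, as an added example rather than the original post's configuration, is what a policed port looks like once its allocation has been cut to 5000 mW: the auto max keyword caps what the switch will allocate, and power inline police is the feature the caution message is asking for, so a device that draws more than it was allocated is cut off instead of quietly eating into the shared budget. Availability of policing depends on platform and IOS release; the port, values and recovery setting are assumed.

```text
! Assumed: 3750 PoE switch, IOS 12.2(55)SE, port FastEthernet0/2 (example, not from the original post)
interface FastEthernet0/2
 ! Allocate at most 5.0 W to this port instead of the 15.4 W Class 0 default
 power inline auto max 5000
 ! Police the real-time draw against that allocation: err-disable the port if it is exceeded
 ! ('action log' instead keeps the port up and only logs the event)
 power inline police action errdisable
!
! Let a port err-disabled for this reason recover on its own (default interval 300 s)
errdisable recovery cause inline-power
!
! Verify allocation, measured draw and policing state:
!   show power inline FastEthernet0/2 detail
!   show power inline police
!   show errdisable recovery
```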

Cisco Switch Supervisor Redundancy

Non-Stop Forwarding with Stateful Switch Over

Layer 2 to 4 convergence (MAC addresses, IP routes and TCP/UDP sessions) on Cisco 4500 and 6500 series switches can be improved by fitting two route processors (RPs, the supervisors) in the same 4500/6500 chassis and running NSF with SSO.

When using SSO with NSF, only one RP is active. The standby RP synchronizes its configuration and dynamic state information (such as CEF, MAC, and FIB tables) with the active RP. When the active RP fails, SSO enables the standby RP to take over immediately. NSF keeps the switch forwarding traffic during the switchover, using the existing route and CEF tables.

The goal of NSF with SSO is to prevent routing adjacencies from resetting, which in turn prevents a routing flap. The switchover to the new RP must complete before routing timers expire, or the router's neighbours will tear down their adjacency and routing will be disrupted. When the new RP is up, the old routes are marked as stale and the RP asks its routing peers to refresh them. When routing has converged, it updates the routing and CEF tables on the switch and the linecards.

NSF is supported with EIGRP, OSPF, IS-IS and BGP. An NSF-capable router can perform NSF itself; an NSF-aware router cannot, but it understands the NSF signalling from a neighbour and keeps forwarding through that neighbour's switchover instead of dropping the adjacency.

Use NSF with SSO in locations where you do not have a duplicate switch for failover, such as at the user access or enterprise network edge. Elsewhere it can actually lengthen convergence: between duplicate switches, routing protocol timers can be tuned very short to give fast convergence, but with SSO the switchover to the standby RP might not complete before a tuned dead timer expires, and the adjacency would be reset anyway.

Cisco Logging and Syslog

This short guide can help you plan for your device’s logging parameters from point of installation.

So, you probably want to keep more than what’s in the buffer.
Or, if you don’t, you probably want to make the buffer larger so when you do need it, there’s a chance of some context to the fault that drove you there in the first place.

Interacting with the device

First thing.

Stop the logging messages from interrupting your command statements.

line con 0
logging synchronous
line vty 0 4 
logging synchronous

Now that you can read the messages without your commands wrapping in and around them: what level of messages do you want?

If you're on the console or an SSH session of the device, it's likely you're there because you want to see what's going on.
The default on both of these connection types is (7) debugging and you can leave it there.
If you do choose to change them, the commands are simply:

logging console <level> 
logging monitor <level>

Now, choose whether to keep your logs local or on a central syslog server. It's not hard to understand why, as soon as you have more than one or two devices, syslog servers are your friend: the local buffer is lost on reload and can be cleared by anyone with enable access, so it is no use as evidence after the fact.
So, for those of you who keep it small and only want the device dealing with the logs, here are your choices.

Setting the level of messages that are kept in the buffer, and the size of the buffer, which by default is 4096 bytes (4 KB):

logging buffered <level>
logging buffered <4096-2147483647>

For when you're keeping log messages centrally in a syslog server, here are your commands. The level sent to the server is set separately with logging trap <level> and defaults to (6) informational:

logging host 1.1.1.1 
logging on
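As an added example, not the original post's configuration, here is a complete logging setup that pulls the choices above together and adds what you need before the messages are any use as evidence: timestamps with milliseconds and a time zone, NTP so they line up across devices, sequence numbers to spot gaps, and a fixed source address so the collector can tell devices apart. The NTP server and management SVI are assumed; 1.1.1.1 is the syslog host from the post.

```text
! Assumed: management SVI Vlan4, NTP server 192.168.4.10 (example, not from the original post)
! Every message gets a date, time to the millisecond and the zone; log in UTC
! so entries from devices in different sites correlate without conversion
service timestamps log datetime msec show-timezone
service sequence-numbers
clock timezone UTC 0
ntp server 192.168.4.10
!
! Local copies: a bigger buffer than the 4 KB default, and the interactive
! sessions only see what matters (console is slow, so keep it to warnings)
logging buffered 65536 informational
logging console warnings
logging monitor informational
!
! Central copy: informational (6) and above to the collector, always sourced
! from the same address so the collector keys on it
logging trap informational
logging source-interface Vlan4
logging host 1.1.1.1
logging on
!
! Verify: show logging (levels, buffer size, host, dropped/flushed counters)
!         show ntp status (must be synchronised before timestamps mean anything)
```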

To verify your configuration use

show logging

You are now setup for a situation where you can enjoy being on the console without the logging messages interfering with your commands and you’ve planned how and where you want your log messages kept.

Cisco SNMP Monitoring

Cases for use

To store metrics about how your Cisco routers and switches are performing, you'll probably find yourself needing to enable SNMP. This protocol enables the gathering of statistics through MIBs (Management Information Bases). You can then track bandwidth utilisation to help plan upgrades, decommissions and the like.

Versions

v1 is all but completely unused.
v2c is the most common implementation. Note that in v1 and v2c the community string travels in cleartext on the wire, so the access list below is the only thing standing between anyone who can sniff or guess it and your device. We'll discuss v2c here, and I'll add a further section on v3 and its authentication options.

Configuration

When retrieving statistics from the device, you don't want interfaces renumbering, otherwise your hard work will be for nothing when the interfaces you're polling change on you after a reload or the installation of a network module.

snmp-server ifindex persist

If you're working in a large enough organisation to have areas of responsibility, you can add basic contact details for the devices.

snmp-server contact ITDept
snmp-server location TheLondonDungeon

Because you don't want just any system to be able to contact the device using SNMP, you determine which systems may poll the SNMP server by creating an ACL.
Perhaps you have one server that you want to access SNMP on the device, and an entire management subnet.

ip access-list standard 10
 permit host 192.168.1.20
 permit 192.168.4.0 0.0.0.255

Consider the read-only community string you will use for your devices (treat it as a password: long, random, and never the well-known defaults public or private) and configure it along with the access list, assigning it read-only permission.

snmp-server community <string> ro 10

You can now configure your monitoring device to poll all the routers and switches in your network to store statistics.
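As an added example (not the original post's configuration), here is the v2c setup above with two further hardening steps a practitioner would take (a view that hides the SNMP security tables even from a read-only poller, and the community bound to that view) and, going beyond the v2c covered in this post, the equivalent SNMPv3 user with authentication and encryption, which removes the cleartext community string altogether. The view, group and user names, the passwords and the trap receiver are assumed; ACL 10 is the one from the post.

```text
! Assumed names and secrets (example, not from the original post); ACL 10 as defined above
! A view that allows the MIB tree but excludes the tables describing
! SNMP users, access control and communities themselves
snmp-server view MONITOR-VIEW iso included
snmp-server view MONITOR-VIEW snmpUsmMIB excluded
snmp-server view MONITOR-VIEW snmpVacmMIB excluded
snmp-server view MONITOR-VIEW snmpCommunityMIB excluded
!
! v2c: the string is still cleartext on the wire, so keep the ACL and the view
snmp-server community Xq7vL2pR9mT4 view MONITOR-VIEW ro 10
!
! v3 authPriv: SHA authentication and AES-128 privacy replace the community string;
! the ACL still applies to the group and the user
snmp-server group MONITOR-GROUP v3 priv read MONITOR-VIEW access 10
snmp-server user monitor MONITOR-GROUP v3 auth sha AuthPassw0rd-assumed priv aes 128 PrivPassw0rd-assumed access 10
!
! If you send traps, send them as v3 priv too (here to the server from the post's ACL)
snmp-server host 192.168.1.20 version 3 priv monitor
!
! Verify: show snmp view / show snmp group / show snmp user
! (the v3 user does not appear in the running configuration; show snmp user is how you confirm it)
```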

Configuring Cisco IP SLA and Object Tracking

Cases for use

1. You would like to modify your network routing in response to a change of conditions either in your network or outside your network.
2. You have an interest in determining performance characteristics for latency/bandwidth across your network to provide metrics over time.
3. A combination of both of the above.

Restrictions

Using 3750 switches as an example, if you're running IP Base you'll only be able to configure IP SLA responders. Full IP SLA features are available in the advanced IOS images.
Check your platform and the feature set of your IOS for your ability to run IP SLA features.

Use Case 1

You have two egress routes from different ISPs available from a single Layer 3 device. You wish to switch the default route on your Layer 3 device depending on upstream connectivity to an address you define on each link.

Scenario

12.2(55) IPServices images on 3750 MLS Platforms are being used.

Two IP Next hops for routing your data plane traffic are :

Link 1 = 1.1.1.1
Link 2 = 2.2.2.2

The device on the primary ISP’s network you’re tracking to determine routing preference is :

1.1.10.10

Configuration

Create a simple icmp-echo SLA instance number 10 to check availability on your preferred upstream link.

ip sla 10
 icmp-echo 1.1.10.10
 timeout 500
 frequency 3
ip sla schedule 10 life forever start-time now

Create a tracked object number 99 checking your SLA probe 10 for reachability.

track 99 ip sla 10 reachability

Configure a default route to the preferred provider with a tracking object associated with it.

ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 99

Add a second default route with an administrative distance (3) higher than that of your existing default route. It is only installed into the routing table when the tracked route is withdrawn because the primary link's tracked object is down.

ip route 0.0.0.0 0.0.0.0 2.2.2.2 3

So the result is that the static route with distance 3 is the secondary route, a catch-all that appears only after the primary route has been withdrawn.
To summarise again: the primary route, the SLA probe and the tracking object are where all the logic and dynamics are configured. Verify with show ip sla statistics 10, show track 99 and show ip route 0.0.0.0, and make sure the probe always leaves via the primary link; if it can be answered over the backup path once the default route has moved, the track will come back up and the route will flap.
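The complete configuration for this use case, as an added example rather than the original post's, with the schedule pointing at probe 10, a dampening delay on the track, and the one line most write-ups omit: a host route that pins the probe target to the primary next hop. Addresses are those used in the post; the delay timers are assumed.

```text
! Assumed: 3750 IP Services 12.2(55)SE; next hops 1.1.1.1 / 2.2.2.2 and target 1.1.10.10 as in the post
! (added example, not the original post's configuration)
ip sla 10
 icmp-echo 1.1.10.10
 timeout 500
 frequency 3
! Schedule the probe that was just defined (10), not a different one
ip sla schedule 10 life forever start-time now
!
track 99 ip sla 10 reachability
 ! 10 s of consecutive failures before declaring down, 30 s of success before up,
 ! so a single lost echo does not flip the default route
 delay down 10 up 30
!
! Pin the probe target to the primary next hop. Without this, once the backup
! default route is installed the echoes to 1.1.10.10 would go out via 2.2.2.2,
! succeed, bring track 99 back up and reinstall the primary route: a route flap.
ip route 1.1.10.10 255.255.255.255 1.1.1.1
!
! Primary default route follows the track; backup sits at distance 3 until it is needed
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 99
ip route 0.0.0.0 0.0.0.0 2.2.2.2 3
!
! Verify: show ip sla statistics 10 / show track 99 / show ip route 0.0.0.0
```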

 

Use Case 2

You’re using a First Hop Redundancy Protocol, in this case, HSRP, configured between three Layer 3 devices.
You wish to modify which of the HSRP Devices is forwarding traffic depending on the status of an object you define on each Layer 3 Device.

Scenario

12.2(55) IPServices images on 3750 MLS Platforms are being used.

HSRP Router 1 = VLAN10 10.1.10.2
HSRP Router 2 = VLAN10 10.1.10.3
HSRP Router 3 = VLAN10 10.1.10.4

HSRP Virtual IP = 10.1.10.1

The objects you're tracking:

HSRP Router 1 – Upstream Device = 8.8.8.8
HSRP Router 2 – Upstream Interface = GigabitEthernet 0/1
HSRP Router 3 – Nothing

Configuration

Create IP SLA and Tracked Objects

Router 1

ip sla 10
 icmp-echo 8.8.8.8
 timeout 500
 frequency 3
ip sla schedule 10 life forever start-time now
track 99 ip sla 10 reachability

Configure HSRP

Router 1

interface vlan 10
standby 10 ip 10.1.10.1
standby 10 preempt
standby 10 priority 110
standby 10 track 99 30

Router 2

interface vlan 10
standby 10 ip 10.1.10.1
standby 10 preempt
standby 10 track GigabitEthernet 0/1 20

Router 3

interface vlan 10
standby 10 ip 10.1.10.1
standby 10 priority 90

This configuration shows that Router 1 is the preferred HSRP gateway with priority 110, then Router 2 at the default HSRP priority of 100, then Router 3 with priority 90. When Router 1's tracked object goes down it drops to 80 and Router 2, which has pre-emption, takes over; if Router 2's uplink then fails, it drops to 80 too.

Notice you don't have to create a tracked object for Router 2, as the HSRP track command can monitor interfaces local to the device as part of the HSRP configuration.

Router 3 does need pre-emption for the tracking to do its job. If Router 1 and Router 2 both lose their tracked objects they drop to 80, below Router 3's 90, but an HSRP router without preempt never takes the active role away from a running peer however high its own priority is, so without standby 10 preempt the traffic would keep flowing through a router with a dead upstream. Leave preempt off only if you deliberately want Router 3 as a last resort that is used when the other two are actually down.

Note also that none of the three routers authenticates its HSRP hellos. Any host on VLAN 10 can send a hello with priority 255 and become the active gateway for the whole VLAN, so in production configure MD5 authentication on the standby group (standby 10 authentication md5 ...) with the same key on all three routers.

Fractured 5th Metatarsal experience

Greetings all,

Over Christmas I managed to snap my 5th Metatarsal in a Snowboarding accident. The accident happened just before NYE in Chamonix and resulted in this pretty mess
It matters not how I did it, which was far more rubbish than you might imagine; more to the point is how long it's taken me to recover, and I wish to offer my advice to anyone unfortunate enough to experience such a rubbish and debilitating break in their foot.

To give you some perspective about my physical state, I'm a keen gym-goer and keen cyclist. I was training for the Caledonia eTape until the injury and was in Base 2 of my training, working up to 12 hours or more on the bike at that point. Being very active and training around 2 hours a day, 6 days a week, meant that this injury presented me with some pretty big challenges, physically and mentally.

6 days after the fracture I had the foot operated on by Eoin Baldwin who did a fantastic job in re-attaching the splintered bones with two fixing screws. That was the complicated bit out of the way, the rest was down to me and my body’s healing process.

In Jan '12 it was pretty cold in the UK, no more than normal, but still, cold. After getting up in the morning I had real trouble keeping my foot warm in the bootie cast that I had on. It was far from painful and I stopped taking the codeine-based painkillers 1 day after the op. It simply wasn't hurting enough for me to want to take them.

Sadly, 2 days after the op, I came down with the flu, which was kindly given to me by one of my holiday buddies. That was horrid; being club-footed and flu'd up all at the same time was one of the most rotten feelings ever. 4 days later I was starting to feel human (albeit club-footed) again.

No-man's land ensued. I was signed off from work but still completely mentally able. 12 days after the op, I returned to work, a couple of days earlier than recommended, but I was going nuts and had a lot of work on. I still struggled to keep the foot warm after the journey to work. After a 07:30 get-up, by 10am my foot would be uncomfortably cold and I'd try my best, but fail, to warm the thing up until I got home and had a bath with one foot hanging out the side.

As soon as I was back at work, I was back at the gym too. I've read elsewhere that other people have completely avoided all exercise to 'let the body do the healing process'. I honestly disagree with that. It implies that they think their body can only do one thing at once, or that doing anything else takes power away from the healing process: for example, that your body has 100% of 'healing power' and, by doing strength training on the remaining functional parts of your body, you are detracting from that 100% by diverting some of it toward the applied stresses of strength training.
Assuming you are eating 'well', taking into account that you are what you eat, and you're eating 'enough' (which I think would be easy if you're doing strength training with limitations, i.e. your lower body is out of action thanks to an injury like this), then for me there is no reason to lie back and sit still for months waiting for a bone to fuse.

I've ranted briefly on this as I had a lot of arguments with people telling me I shouldn't be going to the gym whilst I had the injury. Notably, none of these people, without being harsh, were people that ate 'well' or had a good physique or a good relationship with food or exercise, so their advice fell on ears which were not tuned in to their concern.

I will stress, though, that you should not attempt any lower leg exercises. I did.
Leg extensions using the leg extension machine were the only exercise where I felt comfortable using both my legs, so as not to train only one leg and cause an imbalance.
I suggest you avoid these too: although there's no direct stress on the foot in any shape or form, after my news, which I'll talk about in a moment, I suggest resisting any temptation to use your lower body at all for the time being.

Some 20+ days after the Op, I visited the Hospital for a follow up x-ray only to have the Surgeon stand in front of the light box and utter ‘Oh’. That short noise was the last thing in the world I wanted to hear.

 


 

That 'Oh' was the realisation that somehow I'd managed to pull the repair apart, so the two fixating screws were still aligned but were holding the bone with quite a degree of separation again.

It was one of the worst things I've ever heard, and I was very, very upset and depressed for a couple of days.
Because the up-down and side-to-side alignment was actually okay, meaning the functional operation of the foot was looking okay, the decision was to leave it be for a while and see how it was looking in another 2 weeks. Just to mention here, there was expected to be some fusing already, which there wasn't, either because I'd split it or simply because it hadn't started.
The problem with the 5th metatarsal is that it's a small bone, it's also about as far away from your heart as you can get in your body, and it is on the outside of your foot with a relatively small amount of blood flow.
These are all facts that worked against me.

This leads to my first piece of advice.
KEEP YOUR FOOT VERY WARM! Never let the foot go cold.
Cold = No blood flow. No blood flow = No healing.
Do whatever you have to do to keep your foot warm at all times. This includes your thigh and lower leg, as they'll be supplying the blood to your foot. Long johns, super big socks and oversized slippers are all good things. In an emergency perhaps some chemically activated hand warmers stuffed into your foot may help. Make this your personal priority.

My second piece of advice
Do nothing that puts your foot under any pressure until your surgeon advises you otherwise
I cannot state how important this is.
Getting up out of bed puts pressure on your trailing foot; be careful! The same goes for getting up from standing one-legged in front of the fridge, when unknowingly the supporting (broken) foot that's out behind you is put under top-side pressure to help with the one-legged get-up.
Falling over, which I did too many times and hated every one.
Not using any lower leg gym equipment, no matter what muscles you think you are or aren't working. It simply isn't worth the risk of a re-op or a situation like mine with a mis-aligned bone.
I cannot state how difficult it is to exist with only one foot on the ground for months at a time.
I cannot explicitly state which moment caused my repair to separate. There were plenty (too many) of moments, including the falls, which put far too much pressure on my foot, and it could have been any of them.

Lastly, Do Exercise!
Do upper body strength training. Unless you have one of those upper body cycling things you're not going to be able to do any cardio, so simply engaging your upper body will stop you going nuts and keep some semblance of your physique.

After three months I'm out of casts and actively load-bearing without crutches now, but I'm awaiting my next x-ray to see the state of the repair and will update this post when I have that, as well as thoughts on muscle loss and diet during that recovery period.
In the meantime. Good luck if you’re going through this too!

Ciao! x