r1-1(e0/0)-----(f0/1)sw(f0/2)---------r1-2(f0/0)
|
(f0/3)----------r1-3(e0)

cat3550 f0/2 configured with one access 20 and
one voice vlan 50
f0/1 access vlan 50
f0/3 access vlan 20

r1-2 configured with a native vlan 20 and a dot1q
trunk vlan 50 (simulating phone)

And ping r1-1 and r1-3 works from r1-2!

This means that cat3550 treats the voice vlan in a
very special way!

If you configure the voice vlan port as a dot1q trunk
port, you may need
to block all vlans other than the native vlan and
voice vlan. Otherwise
all other vlan packets will be sent to the ip phone...

===================================
cat3550 configuration:

interface FastEthernet0/1
switchport access vlan 50

bitsCN全力打造网管学习平台

　　 no ip address

　　!

　　interface FastEthernet0/2

　　 switchport access vlan 20

　　 switchport voice vlan 50

　　 no ip address

　　 duplex full

　　 speed 100

　　 spanning-tree portfast

　　!

　　interface FastEthernet0/3

　　 switchport access vlan 20

　　 no ip address

　　!

　　=============

　　

　　r1-1:

　　interface Ethernet0/0

　　 ip address 50.1.1.10 255.255.255.0

　　

　　r1-2:

　　

　　interface FastEthernet0/0

　　 no ip address

　　 speed 100

　　 full-duplex

　　!

　　interface FastEthernet0/0.20

　　 encapsulation dot1Q 20 native

　　 ip address 20.1.1.1 255.255.255.0

　　!

　　interface FastEthernet0/0.50

　　 encapsulation dot1Q 50

　　 ip address 50.1.1.1 255.255.255.0

　　!

　　

　　

　　r1-3:

　　interface Ethernet0

　　 ip address 20.1.1.3 255.255.255.0

　　 no ip directed-broadcast

　　!

　　

　　r1-2#p 20.1.1.3

　　

　　Type escape sequence to abort.

bitsCN.com中国网管联盟

　　Sending 5, 100-byte ICMP Echos to 20.1.1.3, timeout is

　　2 seconds:

　　!!!!!

　　Success rate is 100 percent (5/5), round-trip

　　min/avg/max = 1/2/4 ms

　　

　　r1-2#p 50.1.1.10

　　

　　Type escape sequence to abort.

　　Sending 5, 100-byte ICMP Echos to 50.1.1.10, timeout

　　is 2 seconds:

　　!!!!!

　　Success rate is 100 percent (5/5), round-trip

　　min/avg/max = 1/2/4 ms

　　

　　cat3550-11#sh int f0/2 swi

　　Name: Fa0/2

　　Switchport: Enabled

　　Administrative Mode: dynamic desirable

　　Operational Mode: static access

　　Administrative Trunking Encapsulation: negotiate

　　Operational Trunking Encapsulation: native

　　Negotiation of Trunking: On

　　Access Mode VLAN: 20 (VLAN0020)

　　Trunking Native Mode VLAN: 1 (default)

　　Administrative private-vlan host-association: none

　　Administrative private-vlan mapping: none

　　Operational private-vlan: none

　　Trunking VLANs Enabled: ALL

　　Pruning VLANs Enabled: 2-1001

　　

　　Protected: false

　　Unknown unicast blocked: disabled

　　Unknown multicast blocked: disabled

　　

　　

　　Voice VLAN: 50 (VLAN0050) <--- wow, voice vlan now is

　　active!!!

CCIE Security 2009 IOS防火墙合集