GS1900-48HP Voice VLAN stopped working after firmware upgrade. . .

TiggerLAS

Zyxel GS1900-48HP Rev A1

Moving from firmware 2.60(AAH0.1)CO
to firmware 2.60(AAH0.2)CO caused issues
with a previously working OUI / Voice VLAN.

Specifically -

With firmware 2.60(AAH0.1)CO, we had
the following VLAN details in place on several ports -

VLAN1   Untagged   (Default)
VLAN2   Excluded   (Voice)
VLAN3   Tagged
VLAN4   Tagged

Voice VLAN was set, and a custom OUI
for our phone system was in place -
MITEL IP PHONE  08:00:0F

With this configuration, our phones would start up,
would move to VLAN2, and would get DHCP from our router.

After upgrading to 2.60(AAH0.2)CO
the phones would not appear on VLAN2,
and of course would not get DHCP, etc.

Curiously, downgrading to 2.60(AAH0.1)CO
did not fix the problem.

I was finally able to resolve the problem
by changing VLAN2 on the affected ports
to "Tagged" instead of "Excluded".

This was puzzling, since it had been previously
working perfectly with ports set to "Excluded"

Any ideas as to why that would have changed?

Zyxel_Jonas

Hi @TimThom,

Sorry for your confusion.

Basically, "VLAN2   Excluded   (Voice)" is a wrong setting and should not work.
It works before as we had an issue in the early firmware v2.50, which not following VLAN settings and will tagged out all VLAN for Voice.

We'd already fixed this issue on firmware v2.60 patch0, this link is the release note for reference.
As you've mentioned changing the VLAN2 to Tagged resolved the problem, because this actually is  the normal and correct settings.

Jonas, 

TiggerLAS

Gotcha.

Our Cisco switches required "Excluded" when using Auto-voice VLAN,

so I had set up the Zyxel switch the same when we first got it quite some time ago.

I guess the earlier firmware glitch that you mentioned just happened to be

"good timing" on my part.   ;-)

Thanks again for the follow-up.

YiHsien

Hi,

I have similar issues.  We have a Zyxel GS1900-48HP Rev B1 and NEC IP Phones. 
And our firmware is V2.60(ABTQ.3) | 01/05/2021.
We followed instructions on this website:  https://firstcoastit.net/zyxel-gs1900-creating-a-voice-vlan/?unapproved=157&moderation-hash=97997d32f59981564d5543f215e1c5d7#comment-157

We have also set the OUI for NEC IP phones.

However, our voice VLAN didn't work no matter we set the port with IP phone 'excluded,' 'untagged,' or 'tagged.'
All ports are still in VLAN1.  Could you advise?  

Thank you.

TiggerLAS

Here's exactly how I have our switch set up -

Our router handles both of our VLANS -

Let's say VLAN1 is  192.168.1.1/24  for computers.

And         VLAN2 is  192.168.2.1/24  for phones.

We have TWO DCHP servers set up on the router,

one for the         192.168.1.x subnet

the other for the 192.168.2.x subnet

We have our LAN port on the router set up as

VLAN1, PVID1, Untagged

VLAN2, Tagged

--------------------------------------------------------------------------

Now, on the GS1900 switch, we have ONE port

that connects to our router.

It is also set as

VLAN1, PVID1, Untagged.

VLAN2, Tagged

That is all we needed to link it to the router.

--------------------------------------------------------------------------

To start out with, all of the ports on the GS1900 were

already set as VLAN1, PVID1, Untagged.

That meant that any computer we plugged into the

rest of the ports on the GS1900 would get handed a

192.168.1.x IP address, since PVID1 causes most

(VLAN-Unaware) network devices to default to VLAN1.

Now, to get the phones up and running, here's what we did -

(Our phones needed Class of Service 6;

your phones may need something different,

so you can adjust to suit. . .)

--------------------------------------------------------------------------

Above, we set up a custom OUI, based on the first 6 digits of our phone's MAC address.

--------------------------------------------------------------------------

Then, below, we enabled the OUI functionality,

but ONLY the ports that we needed it on.

(Ignore Port 1 in my examples, as we don't

use Port 1 for phones in our office right now.)

Note:   You only enable it on the ports that you are planning on plugging phones into.

            You do NOT enable it on the port that connects to your router.

--------------------------------------------------------------------------

As you can see below, we have VLAN1 set as PVID1,

and VLAN Trunk is disabled on all of our ports,

since we don't need VLAN trunking for this.

--------------------------------------------------------------------------

Now, let's adjust the VLAN tagging for the VOICE VLAN.

Select VLAN2 from the drop-down.

Older versions of the Zyxel firmware let you set

these ports to Excluded, and it worked great.

(This is the way that Cisco currently does it.)

However, with the last release, you are required

to manually set them all to "Tagged", as you can see below.

--------------------------------------------------------------------------

Further down in the main menu, under the LLDP section,

we had to add some DSCP and PRI settings for our phones.

You may or may not need to do this for your phones;

please refer to your documentation.

--------------------------------------------------------------------------

Lastly, we applied the basic policies to the phone ports.

--------------------------------------------------------------------------

Don't forget - when everything is working, that you have to

visit the maintenance section and save/commit these settings,

otherwise they'll be wiped out on the next reboot/power cycle.

--------------------------------------------------------------------------

With these settings. . .  if you plug an IP phone into any

of the ports that you just set up. . .   the switch should recognize

your IP phone, based on the OUI information that you put in,

and the phone should wind up being dumped directly onto VLAN2.

Your phone should send out a DHCP request,

and your router should hand it an IP address from VLAN2.

--------------------------------------------------------------------------

If for some reason your phone does NOT get moved to VLAN2,

and/or does not get an IP address,

you'll have to do some troubleshooting.

Here is one possible starting point -

Let's see if we can PING your VLAN2 IP address on the router.

For these examples, I'm using the same IP addresses

I did at the start.   VLAN1 is 192.168.1.x

                    and   VLAN2 is 192.168.2.x

(Adjust them accordingly to whatever your address ranges are.)

Go back into your GS1900.

Pick an available port on the switch for testing.

Reverse the VLAN settings on the port.

Make it VLAN2 Untagged, VLAN1 Tagged.

Apply your settings, and plug a laptop into this port.

Assuming that your router (and the ports that

are connecting it to your switch) are set correctly,

it SHOULD end up on VLAN2, and should be given

a 192.168.2.x IP address from your router.

If that doesn't work. . .  then go into your network settings

on your laptop, and manually assign it an IP address

in your VLAN2 address range.

Let's say your router's VLAN2 settings

have it at an IP address of 192.168.2.1

Set your laptop's IP address manually to something like

Addr:  192.168.2.100

Mask:  255.255.255.0

Gateway:  192.168.2.1

DNS:         192.168.2.1

. . .and hit apply. . .

Once the network connection is back up,

drop to a DOS prompt, and try PINGing

the router at 192.168.2.1

If you don't get a reply, then something

most likely isn't set correctly on the router,

or on the port linking the switch to the router.

That should be enough to go on for now.

Let me know how it turns out, and if it still

isn't working, we can try other things. . .

Tim

YiHsien

Hi Tim,

Thanks for your instructions.  It is very clear but I still have some questions.
1.Can we put IP phones in the same subnet with our computers?  (We have PC connected behind the IP phones, like the topology showed at the end of this post.  I am wondering if PC and IP phones can be in different subnet in the case.)
2.Our GS1900 is connected to our router/firewall via Port 1.  What state (forbidden, excluded, or..) should it be?
3.I noticed that you have a policy called 'voice signaling.'  Is it necessary?

Regards,
Yi-Hsien

TiggerLAS

Let's see. . .

3.)   Voice signalling policy - This was needed for Mitel IP phones.

        I don't know if your IP phones need that functionality or not.

        In layman's terms, Mitel uses DSCP 46 / PRI 6 to prioritize

        voice data across the network, and uses DSCP 26 / PRI 3

        for lower-priority traffic across the network, such as chatter

        between the phone and the phone controller.

        Since I don't know what phone system you're using,

        I can't really say if it needs that policy or not.

        Search your documentation, and see if your phones

        utilize "DSCP" at all, or if you can find anything that

        mentions different priorities or class-of-services.

2.)   If Port 1 of your GS1900. . . .

       In a basic network setup, ALL ports should be set to:

       VLAN1, PVID1, Untagged

       (Including the port that connects to your router.)

        This will allow computers, printers, etc,

        to communicate with each other, and to the internet.

        Port 1, since it connects to your router, and

        ostensibly provides VLAN2 with DHCP, etc.,

        should also be set to VLAN2 Tagged.

        Then, any port that a phone is connected to

        should also be set to VLAN2 - Tagged.

        In theory, you could set ALL of your ports

        to VLAN2 Tagged. . .  then it wouldn't matter

        which port you plugged a phone into.

        However, it's usually best practice to just enable

        VLANS on the ports that you're using them on.

       The port on your Router should be set the same way.

        VLAN1, PVID1, Untagged

        VLAN2, Tagged

       (I have been assuming that your router supports VLANs,

        and that you have it already set up with firewall rules,

        and have created a separate DHCP service on it for VLAN2.

        Please let me know if this is not the case.)

And, finally -

1.)    There's no reason you couldn't have the phones

         and your PC's on VLAN1.  

         I think most folks use a 2nd VLAN

         for easier traffic shaping and troubleshooting.

         When you have a phone that has a PC Pass-thru

         port on the back. . .it's kind of like having a 3-port,

         VLAN-aware switch built into your phone.

         Your network comes in on external Port 1,

         your PC connects on external Port 2,

         and your phone connects to internal Port 3.

         Since your PC most likely isn't VLAN-aware,

         it's going to end up on VLAN1 by default.

         So, even if the VLAN setup for your phones

         isn't working right now, your PC (in the your diagram above)

         should be able to power up, and reach the internet

         without any trouble.

-------------------------------------------------------------------------

Let's say that you haven't done anything to set up VLAN2

at this point. . .  what would (should) happen, is that

your phone should start up. . .   and send out a DHCP

request. . .  since you haven't set up VLANS, it will make

that request on VLAN1. . . and your VLAN1 DHCP server

will give it an IP address. . .   then the phone will try to

reach out (Via VLAN1) to whatever phone system

you have in place.    If your phone system isn't on

the same subnet as your PC's and stuff. . .then it will

never connect to it, to finish starting up.

Once the Telephony OUI is set up correctly,

and you have Voice/VLAN enabled, etc.,

then when your phones start up, the GS1900

will see that it's MAC address is part of your Telephony OUI,

and it will dump your phones (and only your phones)

onto VLAN2 right away.  At that point, data to/from

your phone (and only your phone) will be tagged for VLAN2.

So, as it continues to start up, and it makes its initial DHCP request,

it will be expecting a response from the DHCP server that

you created for VLAN2.   If it finds your VLAN2 DHCP server,

then it will end up with an IP address on your VLAN2 subnet.

(The PC connected to the back of that phone

will be completely oblivious to all of this, as it

is happily communicating as Untagged traffic

on VLAN1. . .)

Now, it is important to remember -

IP Phones will need to know how to reach your phone system.

They typically get this information via the DHCP server

on your Voice subnet.

For Mitel phones, we create DHCP option 43, and give it

a string of data to pass to the phones, which tell it

the address of the phone system.

So, when the phone gets its IP address, it will also receive

the string of data from Option 43, and from there, it will then

reach out to your phone system for further startup instructions.

YiHsien

Hi Tim,

Thanks. We have done all the settings except subnet.
We have NEC IP phones and our firewall/router is Fortigate. At this moment we manual set their IP addresses (in the same 192.168.0.x subnet with our PC, printers, and servers.).  According to your advises that's the root cause why our Voice VLAN isn't up and running.

So the next step is to use DHCP option 43?   
And my problem would be how to setup a second DHCP server in the same FortiGate firewall and assigns IP only to the IP phone.  We also don' have much knowledge on this part

Thank you~

Regards,
Yi-Hsien

YiHsien

Hi one more question:. 

In your example, how does GS1900 know that 192.168.2.x is with VLAN2？

YiHsien

Hi Tim,

One more thing:  
You mentioned 'They typically get this information via the DHCP server.  
However, it is recommended in our NEC SL2100 manual that static IP is preferred.  Is it possible that we use static IP (in the same or different subnet)?

TiggerLAS

Alrighty. . .   let's see. . .

If you only have a handful of IP Phones, then perhaps

the static IP method that you mentioned might be easier

than trying to mess with DHCP options, etc.

Let's assume that you're NOT going to use DHCP;

that you're going to keep your static IP settings

on your NEC phones for the moment.

We haven't really talked about your physical

NEC Phone System / Controller yet.

I'm assuming it is set to a static IP address.

It will need to be able to communicate with VLAN2.

This can be accomplished 1 of 2 ways.

1.)   Routing via your FortiGate (less desireable)

2.)   Placing it onto VLAN2 directly.  (preferred)

Let's assume it will be placed directly onto VLAN2.

For purposes of this discussion, I'll assume that it

is manually set with the following IP information -

IP address:  192.168.2.254

Mask:           255.255.255.0

Gateway:     192.168.2.1   <<< More on this later.

Now, let's go back into your GS1900,

and modify TWO network ports, as follows -

VLAN2, PVID2, Untagged

VLAN1 Forbidden

(This will cause whatever is plugged into these ports

to communicate, by default, on your VLAN2 subnet.)

One of these ports will be the permanent home

of your NEC phone system controller.

The other port, we'll use for diagnostic purposes.

More on that later.

Now, let's jump over to your FortiGate -

I don't know the model of your Fortigate,

so I can't tell you the exact process.

Here's a link I found for a VM64 -

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883

Here, you'd set your VLAN ID, and the port number

that it is associated with.

Select type "VLAN" as shown above.

Then select whichever port is connected to your GS1900.

Then Select VLAN2 for your phones.

Keep the role as LAN.

No need to mess with the "Add Tag Category".

Keep the addressing mode at "Manual".

Under IP/Network Mask, enter -

192.168.2.1      /      255.255.255.0

Under "Administrative Access",

check-mark HTTPS and PING.

More on that later as well.

What that will do is create a virtual IP address

on your Fortigate of 192.168.2.1

This is what will actually define your VLAN2

subnet for the rest of your network.

Your devices on VLAN2 will use the 192.168.2.1

address as their gateway.

So, you'd go into one of your phones, and set it's

IP address to an arbitrary IP address, such as 192.168.2.50

with a subnet mask of 255.255.255.0,

and a gateway IP address of 192.168.2.1

Now, any traffic from that phone will use

the virtual IP address of 192.168.2.1 as its gateway.

Any other IP settings in there (along with the IP settings

on the NECphone system itself) would need to be adjusted for

the 192.168.2.x subnet. . .  and the 192.168.2.1 gateway.

-------------------------------------------------------------------------------

How does the GS1900 know that 192.168.2.x is associated

with VLAN2?  Well, it doesn't really, at least not in any sense

that you need to be concerned about.

At a very basic level, the switch is only looking for VLAN tags.

Your Fortigate, which is operating as your router/gateway device

is what defines the 192.168.2.x address range as being associated

with VLAN2.   The GS1900 is just looking at the VLAN2 tags,

and moving the traffic to the appropriate ports on the switch.

-------------------------------------------------------------------------------

I'm going to continue to use the following assumptions,

with regards to your Subnet, VLAN, and phone setup.

Adjust these values accordingly, to meet your needs.

192.168.1.x       VLAN1       Your computers, printers, etc.

192.168.2.x       VLAN2       Your IP phones.

192.168.1.1       The (VLAN1) IP address of your FortiGate.

                           This is currently the "Gateway" address that

                           your computers receive via DHCP.

192.168.2.1        The (VLAN2) IP address of your FortiGate.

                           This is the "virtual" IP address that we created earlier.

192.168.2.254     The IP address of your actual NEC phone system/controller.

192.168.2.50      A random IP phone on your network.

-------------------------------------------------------------------------------

Assuming that you've set up your GS1900

as previously discussed, then here is what will transpire -

You plug your IP phone into the network, and it powers up.

The GS1900 will see the MAC address of the phone

show up on the network.

Since the phone has a MAC address that matches the one

set up in your Telephony (Voice-VLAN) OUI settings, it will start

tagging the traffic (from JUST the phone) with VLAN2.

So now, the phone with 192.168.2.50 is on VLAN2,

and will be using its manually-set gateway of 192.168.2.1

The phone will attempt to reach the phone system,

via the FortiGate 192.168.2.1 gateway that we set up.

Assuming that the phone system has been set correctly.

the two devices will start communicating with each other.

-------------------------------------------------------------------------------

So, here is how I would proceed, initially.

1.)   Set up the two ports mentioned earlier on the GS1900

       1 permanent port for the phone system

       1 temporary port for diagnostics

       VLAN2, PVID2, Untagged

       VLAN1, Forbidden

       (Don't move your phone system to this port just yet.)

2.)   Log into your FortiGate, and create VLAN2

       as discussed earlier.

3.)   For testing, grab a laptop or PC, and manually set

       its IP address to an arbitrary IP address, such as

       192.168.2.200 / 255.255.255.0 / 192.168.2.1

       (Under DNS servers, use 192.168.2.1 as well.)

       Then, plug it into the temporary diagnostic port.

       If setup of the FortiGate and the GS1900 is correct,

       you should be able to PING 192.168.2.1

       and get a response back from the FortiGate.

       (You shouldn't be able to get to the internet at this point,

         but you SHOULD be able to acccess the FortiGate via

         https://192.168.2.1, since we enabled HTTP access earlier.)

4.)   Don't proceed any further unless the testing is successful.

5.)    Log into your phone system, controller,

        and set its IP address to:

        192.168.2.254   /   255.255.255.0   /   192.168.2.1

        You can use whatever address you prefer;

         I tend to place network gear at the top end

         of the address range, others prefer the low end.

6.)     Once set, plug your phone system controller

          into the permanent port that we created earlier.

7.)      You should now be able to PING your phone controller

           at its new address.

8.)      Don't proceed any further if you can't ping the phone controller.

9.)      Plug one of your IP phones into one of the ports that we

          set up with the Telephony/Voice-VLAN settings

          from our previous conversations.

10.)    Go into the menu settings of the phone, and set it to

          an arbitrary IP address, such as

          192.168.2.50 / 255.255.255.0 / 192.168.2.1

          You'll have to tell the phone the new address of the

          NEC Phone controller as well.

          I don't know if there is a manual VLAN setting

          inside the NEC phones or not.

          If there is, let's just leave it alone for now, and see what happens.

          The phone may try to discover the correct VLAN, in which case

          the GS1900 switch should assign it automatically.

11.)    Let's see if the phone starts up, and can reach the phone system.

          If not, go back into the phone settings, and manually update

          the VLAN to VLAN2, and try again.

If everything works up to this point, then well done.

The next step is to allow DNS / Internet connectivity

to your phones and phone system, which is often needed

for firmware updates, access to NTP time servers, etc.

That will be a separate discussion though,

as I'm getting a little punchy, and need some sleep.   ;-)

For ease of set-up,I'd need to know where

your network gets its DNS information from.

1.)   You have your own, separate in-house DNS server.

2.)   The FortiGate is acting as the DNS server for your network.

3.)   Your PC's get their DNS directly from an external DNS server.

If you're not familiar with how to determine that,

the quickest way is to drop down to a DOS prompt

(from one of your regularly-connected PC's)

and type in:    NSLOOKUP    and hit enter.

It should give you an IP address.

If the IP address isn't within your existing 192.168.1.x

subnet, then your computers are reaching out directly

to external DNS servers.

If the IP address matches the IP address of your FortiGate,

then your FortiGate is providing the DNS for your office,

which is a fairly common method.

If the IP address is for some other machine inside your office,

then obviously, you have your own in-house DNS server.

Hope this helps, for now.