The place I’m currently working has an IP telephony system. Each phone has an extra LAN port which you can plug a laptop into.
All very handy, but the port is trunked so plugging my Apple Powerbook 12″ into it doesn’t result in any sort of useful connection.
Googling around indicates that only OS X Server (10.3.3 onwards) has a GUI tool for configuring VLANs on an Ethernet port. The OS X client that you get on your iBook, iMac, Powerbook and PowerMac as standard doesn’t have anything obvious for VLAN support.
Digging further reveals that the standard Terminal ifconfig does support VLAN commands.
sudo ifconfig vlan0 create
sudo ifconfig vlan0 vlan VLAN-TAG vlandev en0
sudo ipconfig set vlan0 DHCP
The first line creates the VLAN pseudo device vlan0, the second line connects that device to the physical Ethernet port (in this case en0) and tells the machine which VLAN tag to use.
You will need to replace VLAN-TAG with the relevant VLAN tag, which your network administrator should be able to supply.
The third line sets the vlan0 pseudo device to use DHCP. If you need to set up a static IP address, use something along the lines of the following two commands instead:-
sudo ifconfig vlan0 inet 192.168.0.10 netmask 255.255.255.0
and then
sudo route add default 192.168.0.1
to set your default gateway.
When you've finished with the VLAN connection you can destroy the pseudo-device with:-
sudo ifconfig vlan0 destroy
The Ethernet port in my Powerbook 12" (2005 model) supports VLANs, and I suspect the ports on most recent Macs will be the same.
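The steps above wrapped as a script, added here as an example and not part of the original post: it checks that the tag is a usable 802.1Q VLAN ID (1 to 4094) before anything runs under sudo, and removes the pseudo-device again if tagging fails. The function names, the en0-style device check and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: the post's ifconfig/ipconfig steps with input checks.
# DRY_RUN=1 (the default here) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

# True only for a usable 802.1Q VLAN ID: decimal 1..4094, no leading zero
# (IDs 0 and 4095 are reserved).
valid_vlan_tag() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 4 ] && [ "$1" -le 4094 ]
}

# True only for a BSD Ethernet device name such as en0 (assumed naming).
valid_parent() {
    case "$1" in
        en[0-9]|en[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# usage: vlan_up TAG PARENT [PSEUDO_DEVICE]
vlan_up() {
    tag=$1; parent=$2; dev=${3:-vlan0}
    valid_vlan_tag "$tag" || { echo "bad VLAN tag: $tag" >&2; return 2; }
    valid_parent "$parent" || { echo "bad parent device: $parent" >&2; return 2; }
    run sudo ifconfig "$dev" create || return 1
    if ! run sudo ifconfig "$dev" vlan "$tag" vlandev "$parent"; then
        run sudo ifconfig "$dev" destroy   # no half-configured device left behind
        return 1
    fi
    run sudo ipconfig set "$dev" DHCP
}

# usage: vlan_down [PSEUDO_DEVICE]
vlan_down() {
    run sudo ifconfig "${1:-vlan0}" destroy
}

if [ "$#" -ge 2 ]; then vlan_up "$@"; fi
```

Run it with DRY_RUN=0 on the Mac to execute the commands instead of printing them.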
Hmm, from my Cisco course that sounds odd. Why are they trunking the access link? You normally just do the verticals and any servers that need to be on multiple LANs.
Don't they have one socket for phones and one for PCs?
I could see the network guys wanting to keep “normal” Ethernet traffic off the VoIP.
Rgds M
The desks are set up with one connection for a PC (untrunked) and another (trunked) for the phones. I have a PC on my PC connection but wanted a wired connection for my Mac, hence the use of the trunked phone connection.
Not sure why they’ve trunked the phone connection, but I’m sure they have a good reason.
Hmm
Thinking some more about it, maybe they're using trunks to reserve bandwidth for VoIP.
But quite why you would do that on the access links, I'm not sure what that buys them – stops people like you and me adding their own kit.
But in that case I would have thought locking things down by MAC address would be better and then you could just plug a phone/PC in and it gets put into the correct VLAN automatically.
Rgds M
This is a helpful piece of information but the Mac system configuration services blow the bsd layer configs away if you ever go into the network settings or reboot the machine. So it seems kind of risky and not stable enough to be a good solution, at least not to use in production.
I really wish I could figure out how to get this working on a mini running plain old OS X workstation, because I don’t know whether it makes sense to drop $800 on a copy of Server — only to find out whether Server even supports VLANs on the Mac mini’s NIC? I know it works under ifconfig using these commands, though.
Oh, and I forgot to mention – any Mac with ARD client installed has the networksetup binary (and systemsetup) buried inside. Run them with -help to see a list of helpful commands and examples.
Look in
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support
Thanks for the info, Thom.
I’ve not used ARD so didn’t know that included the network setup stuff.
Hi. Does anyone know of a way to perform double tagging (QinQ) instead of just adding one tag?
Regarding the IP phone PC port, I’ve dealt with some deployments of IP telephony and I’ve never seen any phone that requires the Mac/PC to tag its own traffic. That’s up to the phone and in fact the phone tags the voice traffic for QOS reasons (.1p) leaving the Mac/PC traffic untagged (.1q native vlan) on the connection between the phone and the switch. And VTP is a Cisco protocol for exchanging vlan info, not for trunking (that’s DTP). Hope it helps! :)
Hi. I would also be interested in how you could listen to various VLANs? (We’ve got a streaming server which should be accessible on all 4 VLANs.) Or can I just add more tags to the same Ethernet device?
thank you, bro
Hi! Does anybody know how to set VLANs at boot time?
In Mac OS X 10.5 Leopard there’s actually a GUI for VLAN management now.
In System Preferences>Network Settings, at the bottom of the interface list is a ‘cog’ icon, which offers “Manage Virtual Interfaces”.
If you select this, you get another window listing virtual interfaces (of which there are usually none).
If you click the ‘+’ button you get options to add a VLAN or add a link aggregate. Selecting the VLAN option lets you set up a VLAN name, tag and which physical interface it connects to.
Late reply, but sounds pretty normal to me: he’s got 2 Ethernet connections, one to his PC which will be untagged on, say, VLAN 1 and one that would go to his phone, tagged on VLAN 1 & 2.
If the phone was plugged in, it would use VLAN 2 for VoIP and should pass VLAN 1 traffic, untagged, out of another interface for plugging another PC in.
The phone should be removing the VLAN tag so you don’t need to mess about like this though.
late reply…..
Quite normal – though the armchair admin would probably say the phone VLAN would not normally have internet access, and messing about with that might get you in crap (unless you’re the guy in charge, of course).
What it buys you, designing the network, is a few things – first, a separate VLAN for VoIP traffic lets you do better QOS – it’s a dedicated LAN for the phones. Why tagged, and not native? Principally because most VoIP phone handsets these days specifically let you tell them they will be receiving tagged traffic for voice, and provide another port to pass through clear traffic to the PC.
Growing out of that – even if not using that feature, using tagged-only traffic lets you prevent accidents…. Joe Average plugging his PC in will just say “Hmm, doesn’t work” – call IT and get a lecture. From there, the scale just goes up in sophistication as to how IT has things configured: they may not accept native traffic at all, alarms might go off, etc etc etc.
Using tagged traffic makes it easier to prevent VLANs from being bridged…. two native ports on different VLANs makes it too easy. Or… that’s just how the installers set it up and there’s no real reason at all :)