Categories
Welcome Center
Education & Development
Cyber Security
Virtualization
General
Certification Preparation
Project Management
Posts
Groups
Training Resources
Infosec
IT & Security Bootcamps
Practice Exams
Security Awareness Training
About Us
Home
Discussions
Off Topic
VoIP and 802.1x
DevilWAH
Hi,
at the moment we run mitel phones that get tehre vlan information from a DHCP server
so the processes is
Boot on to vlan A (default vlan) and request an IP address.
Server responds with options that tell it to use VLAN B (voice vlan)
Phone reboots on to vlan B and all is well.
Now I am implementing 802.1x (again), aned in the past I have used Mac bypass to deal with the phones.
However I read the following
802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone
connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP
phone. The PVID is the native VLAN of the port.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This
allows the phone to work independently of 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode,
additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID.
When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the
VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When 802.1x authentication is enabled on a voice VLAN port, the switch drops packets
from unrecognized IP phones more than one hop away.
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
This seems to suggest that there is no need to authenticate the phone, I should be able to use CDP to assign the phone to the voice vlan and then it will work as the voice vlan is not authenticated. Trouble is that on the cisco switch it does not assign the phone via CDP or LLDP, it always times out an moved to DHCP.
So question is does any one know how to get a non cisco IP phone to pick up the Voice vlan details via CDP?
Cheers
Find more posts tagged with
Save $250 on 2025 certification boot camps from Infosec!
Book now with code EOY2025
Button
Comments
DevilWAH
just testing on a spare switch so missing most of the 802.1x config
interface GigabitEthernet2/0/15
switchport mode access
switchport voice vlan 10
authentication port-control auto
mls qos trust cos
dot1x pae authenticator
end
it_consultant
*EDIT* missed the question in my original reply.
Quick Links
All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of
INFOSEC Boot Camps
$250
OFF
Use code
EOY2025
to receive $250 off your 2025 certification boot camp!
BROWSE BOOT CAMPS
