VoIP and 802.1x
Hi,
At the moment we run Mitel phones that get their VLAN information from a DHCP server,
so the process is:
Boot on to VLAN A (default VLAN) and request an IP address.
Server responds with options that tell it to use VLAN B (voice VLAN).
Phone reboots on to VLAN B and all is well.
Now I am implementing 802.1x (again), and in the past I have used MAC bypass to deal with the phones.
However, I read the following:
802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.
When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
This seems to suggest that there is no need to authenticate the phone: I should be able to use CDP to assign the phone to the voice VLAN, and then it will work, as the voice VLAN is not authenticated. Trouble is that on the Cisco switch it does not assign the phone via CDP or LLDP; it always times out and moves to DHCP.
So the question is: does anyone know how to get a non-Cisco IP phone to pick up the voice VLAN details via CDP?
Cheers
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
Comments
DevilWAH: Just testing on a spare switch, so it is missing most of the 802.1x config.
interface GigabitEthernet2/0/15
 ! access port; data VLAN is the port's PVID (default here)
 switchport mode access
 ! voice VLAN (VVID) the phone's tagged voice traffic lands on
 switchport voice vlan 10
 ! port starts unauthorized and runs 802.1x (MAB not yet configured)
 authentication port-control auto
 ! trust the CoS marking the phone puts on its voice frames
 mls qos trust cos
 ! act as the 802.1x authenticator on this port
 dot1x pae authenticator
end
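The thing the original question is after (the phone learning its voice VLAN from the switch instead of from a DHCP option) is exactly what the LLDP-MED Network Policy TLV (ANSI/TIA-1057, organizationally specific TLV with the TIA OUI 00-12-BB, subtype 2) carries: application type, tagged flag, VLAN ID, L2 priority and DSCP. It is the standards-based alternative to CDP, so it is what a non-Cisco phone is most likely to listen for; on Cisco IOS switches that support LLDP-MED, LLDP is off until `lldp run` is configured globally, which the port config above does not show. The script below is an added example, not code from this thread or from Mitel or Cisco: it encodes the TLV a switch would send for voice VLAN 10, parses an LLDPDU back into per-TLV fields, and pulls out any voice policy it finds, so that a frame captured from the switch port (e.g. with tcpdump filtering on ether proto 0x88cc) can be checked for whether the voice VLAN is actually being advertised. The LLDPDU, chassis MAC and interface name in `sample_lldpdu()` are constructed for the example, not captured. One caveat that follows from the quoted Cisco text: because the VVID is usable "regardless of the authorization state of the port", whatever lands on the voice VLAN by presenting as a phone is not 802.1x-authenticated, so that VLAN needs its own access controls rather than relying on the port's.

```python
"""Encode and decode the LLDP-MED Network Policy TLV (ANSI/TIA-1057) that a
switch uses to hand an IP phone its voice VLAN, tagging, L2 priority and DSCP.
Added example for this thread; sample data below is constructed, not captured."""
import struct

TLV_TYPE_END = 0
TLV_TYPE_ORG_SPECIFIC = 127          # 7-bit TLV type for organizationally specific TLVs
TIA_OUI = bytes.fromhex("0012bb")    # ANSI/TIA OUI used by LLDP-MED
MED_SUBTYPE_NETWORK_POLICY = 2       # LLDP-MED subtype: Network Policy
APP_TYPE_VOICE = 1                   # TIA-1057 application type 1 = Voice


def tlv(tlv_type, value):
    """Generic LLDP TLV: 7-bit type, 9-bit length, then the value bytes."""
    if tlv_type > 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack(">H", (tlv_type << 9) | len(value)) + value


def build_network_policy_tlv(app_type, vlan_id, l2_priority, dscp,
                             tagged=True, unknown=False):
    """Full Network Policy TLV (2-byte header + 8-byte value).
    Policy bits after the application type: U(1) T(1) X(1) VLAN(12) L2prio(3) DSCP(6)."""
    if not 0 <= vlan_id <= 4095 or not 0 <= l2_priority <= 7 or not 0 <= dscp <= 63:
        raise ValueError("vlan_id, l2_priority or dscp out of range")
    policy = ((int(unknown) << 23) | (int(tagged) << 22)
              | (vlan_id << 10) | (l2_priority << 6) | dscp)
    value = (TIA_OUI + bytes([MED_SUBTYPE_NETWORK_POLICY, app_type])
             + policy.to_bytes(3, "big"))
    return tlv(TLV_TYPE_ORG_SPECIFIC, value)


def iter_tlvs(lldpdu):
    """Yield (type, value) for each TLV in an LLDPDU, stopping at End of LLDPDU."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr, = struct.unpack_from(">H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        value = lldpdu[off:off + length]
        if len(value) != length:
            raise ValueError("truncated TLV")   # do not trust a short frame
        off += length
        yield tlv_type, value
        if tlv_type == TLV_TYPE_END:
            break


def parse_network_policy(value):
    """Decode an org-specific TLV value; None if it is not an LLDP-MED Network Policy."""
    if len(value) != 8 or value[:3] != TIA_OUI or value[3] != MED_SUBTYPE_NETWORK_POLICY:
        return None
    policy = int.from_bytes(value[5:8], "big")
    return {
        "app_type": value[4],
        "unknown_policy": bool((policy >> 23) & 1),
        "tagged": bool((policy >> 22) & 1),
        "vlan_id": (policy >> 10) & 0xFFF,
        "l2_priority": (policy >> 6) & 0x7,
        "dscp": policy & 0x3F,
    }


def voice_policies(lldpdu):
    """Return every decoded voice Network Policy found in an LLDPDU (empty if none)."""
    found = []
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type != TLV_TYPE_ORG_SPECIFIC:
            continue
        policy = parse_network_policy(value)
        if policy and policy["app_type"] == APP_TYPE_VOICE:
            found.append(policy)
    return found


def sample_lldpdu():
    """Constructed LLDPDU resembling what a port with 'switchport voice vlan 10'
    would send with LLDP-MED enabled. Chassis MAC and port name are made up."""
    return (tlv(1, b"\x04" + bytes.fromhex("001122334455"))       # Chassis ID, MAC subtype
            + tlv(2, b"\x05" + b"Gi2/0/15")                         # Port ID, interface name
            + tlv(3, struct.pack(">H", 120))                        # TTL 120 s
            + build_network_policy_tlv(APP_TYPE_VOICE, vlan_id=10,
                                       l2_priority=5, dscp=46)      # voice VLAN 10, CoS 5, EF
            + tlv(TLV_TYPE_END, b""))                               # End of LLDPDU


if __name__ == "__main__":
    for policy in voice_policies(sample_lldpdu()):
        print(policy)
```

To use it against a real port, feed `voice_policies()` the LLDPDU payload (everything after the 14-byte Ethernet header of a frame with ethertype 0x88CC) captured on the phone side of the link; an empty result means the switch is not advertising a voice policy and the phone has nothing to act on, which is consistent with it falling back to DHCP as described above.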