https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4749070#M579060 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1448587">@mdsgnmds</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;good news that you solve your issue by specifying the <STRONG>VLAN</STRONG> tag on the <STRONG>Phones</STRONG>.</P> <P class="lia-align-justify">&nbsp;I would like to add the following:</P> <P class="lia-align-justify"><SPAN>. If a device advertises itself as a <STRONG>Phone</STRONG>, the default <STRONG>Smartport Macro</STRONG> is <STRONG>Phone</STRONG>.</SPAN></P> <P class="lia-align-justify"><SPAN>. If a device advertises itself as a <STRONG>Phone and Host</STRONG>, the default <STRONG>Smartport Macro</STRONG> is <STRONG>Phone+Desktop</STRONG>.</SPAN></P> <P class="lia-align-justify"><SPAN>.&nbsp;&nbsp;a device (in your case <STRONG>Grandstream GXP2170</STRONG>) attaching to a <STRONG>Port</STRONG> advertises itself as a <STRONG>Voice Endpoint</STRONG> through <STRONG>CDP</STRONG> and/or <STRONG>LLDP</STRONG></SPAN></P> <DIV id="ww2598054" class="Ex1_Example1">. <STRONG>Voice</STRONG> and <STRONG>Data VLAN</STRONG> configuration (just an example):</DIV> <PRE class="Ex1_Example1">smartport switchport trunk allowed vlan add<EM>&nbsp;voice_vlan&gt;</EM><BR />smartport switchport trunk native vlan&nbsp;<EM>&lt;native_vlan&gt;</EM></PRE> <DIV class="Ex1_Example1">&nbsp;</DIV> <DIV class="Ex1_Example1">Hope this helps !!!</DIV> Wed, 04 Jan 2023 14:32:46 GMT Marcelo Morais 2023-01-04T14:32:46Z https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4748496#M579047 <P>Hello all,</P><P>I am trying to set up three CBS 350 switches to have following features:</P><P>Workstation ports have Auto Voice vlan, LAN with 802.1x and guest access for devices that don't authenticate with 1x.</P><P>In 99% cases each switch port will go to an IP Phone(Grandstream GXP2170) and a corporate computer will be connected to the passthrough PC port on the IP Phone. Guest access is for rare cases of employees connecting their private laptops.</P><P>Issue I am facing now is that if an IP phone is connected without any device in the passthrough/pc port, then it fails to get Auto Voice vlan and ends up on guest vlan. If a computer is connected to the passthrough/pc port(Does not matter if it is corporate with 1x authentication or gets a guest vlan) then the phone gets on the voice vlan without a problem.</P><P>Also the Smartport macro for IP Phone + Desktop is failing on the command: "port security discard trap 60" with error: "802.1x Guest Enable prevents executing Lock Port Disable."</P><P>Here is my config:</P><P>VLANs: LAN(3) Guest(6) Voice(10)</P><P>Port vlan: Trunk(3U,10T), Operational ports: 3U, 6G, 10T</P><P>Smartport set to auto</P><P>802.1x: Host authentication set to multiple sessions, Guest vlan enabled.</P><P>Not sure what other info is needed, so just ask what additional information I should provide.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 03 Jan 2023 13:20:11 GMT https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4748496#M579047 mdsgnmds 2023-01-03T13:20:11Z https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4748723#M579054 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1448587">@mdsgnmds</a>&nbsp;, as it would appear that the issue is only when a phone is connected and it's not being assigned correctly , I would verify if within the Access Accept request of the Radius server is giving you the following attributes within the phone' session (example taken from ISE attributes sent to a the endpoint' session where within the authorization profile we have the option "voice domain permission" enabled ) , there should be another attributes that are proper from the vlan assigned like Tunnel-Type that correspond to the vlan :&nbsp;</P> <P>Access Type = ACCESS_ACCEPT</P> <P>cisco-av-pair = device-traffic-class=voice</P> <P>&nbsp;</P> Tue, 03 Jan 2023 21:02:23 GMT https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4748723#M579054 Rodrigo Diaz 2023-01-03T21:02:23Z https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4748987#M579056 <P>Thank you for the reply, Rodrigo! Unfortunately we do not have ISE or any other 3rd party software, we use the built in Windows Server NPS. Additionally, we did not want to authenticate the phones in any way, just assign them the VLAN. So we went a way that is not so pretty - specifying the VLAN tag on the phones themselves.</P><P>This issue is now resolved, thank you!</P> Wed, 04 Jan 2023 12:38:24 GMT https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4748987#M579056 mdsgnmds 2023-01-04T12:38:24Z https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4749070#M579060 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1448587">@mdsgnmds</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;good news that you solve your issue by specifying the <STRONG>VLAN</STRONG> tag on the <STRONG>Phones</STRONG>.</P> <P class="lia-align-justify">&nbsp;I would like to add the following:</P> <P class="lia-align-justify"><SPAN>. If a device advertises itself as a <STRONG>Phone</STRONG>, the default <STRONG>Smartport Macro</STRONG> is <STRONG>Phone</STRONG>.</SPAN></P> <P class="lia-align-justify"><SPAN>. If a device advertises itself as a <STRONG>Phone and Host</STRONG>, the default <STRONG>Smartport Macro</STRONG> is <STRONG>Phone+Desktop</STRONG>.</SPAN></P> <P class="lia-align-justify"><SPAN>.&nbsp;&nbsp;a device (in your case <STRONG>Grandstream GXP2170</STRONG>) attaching to a <STRONG>Port</STRONG> advertises itself as a <STRONG>Voice Endpoint</STRONG> through <STRONG>CDP</STRONG> and/or <STRONG>LLDP</STRONG></SPAN></P> <DIV id="ww2598054" class="Ex1_Example1">. <STRONG>Voice</STRONG> and <STRONG>Data VLAN</STRONG> configuration (just an example):</DIV> <PRE class="Ex1_Example1">smartport switchport trunk allowed vlan add<EM>&nbsp;voice_vlan&gt;</EM><BR />smartport switchport trunk native vlan&nbsp;<EM>&lt;native_vlan&gt;</EM></PRE> <DIV class="Ex1_Example1">&nbsp;</DIV> <DIV class="Ex1_Example1">Hope this helps !!!</DIV> Wed, 04 Jan 2023 14:32:46 GMT https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4749070#M579060 Marcelo Morais 2023-01-04T14:32:46Z https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4749093#M579063 <P>Thank you for the reply! I actually have an issue with Smartport assignment and it seems that 802.1x authentication is the culprit.</P><P>When the switch tries to apply the macro for Phone or Phone+Desktop, it fails on step <STRONG>port security discard trap 60</STRONG></P><P>If I try to run the command manually on that port in CLI, the message is this:&nbsp;<STRONG>Port gi13: 802.1x Guest Enable prevents executing Lock Port Disable.&nbsp;</STRONG>So all the smartports that I connect Phones, or Phones+Laptops to are showing up as Smartport Type: Unknown. They do get the right VLANs and actually work though.</P><P>I have Classic Lock on all ports.</P><P>&nbsp;</P> Wed, 04 Jan 2023 15:00:35 GMT https://community.cisco.com/t5/network-access-control/ip-phone-not-getting-auto-voice-vlan-if-no-passthrough-connected/m-p/4749093#M579063 mdsgnmds 2023-01-04T15:00:35Z