Solved: Removing Voice Vlan in DNAC for SDA switches

mvm · ‎12-22-2021

Actually we are migrating several floors to the SDA fabric. We run into a problem with VoIP Phones that are running in the Data domain and we saw that SDA provisions a default voice vlan on every switch.

Is there a way (beside CLI templates) to disable this function?

Thanks!

Mike.Cifelli · ‎12-23-2021

Is there a way (beside CLI templates) to disable this function?

-So AFAIK your best bet is to rely on the template editor to make a default voice vlan change. Then re-prov NADs to get desired changes. Not sure what default template your are using (closed/open/etc.), but pay attention to your source template <name> config. This is where the voice vlan is being referenced. I would recommend setting up the changes via template editor, and test locally on one NAD before mass deployment to see if it meets your needs. HTH!

View solution in original post

mvm · ‎12-27-2021

Thanks.

We're running low impact mode. Using the template editor is exactly what we did. But from my opinion there should be more elegible options configuring the dot1x parameters under the Host Onboarding settings. Actually your answer seems the only possible solution.

View solution in original post

Mike.Cifelli · ‎12-23-2021

Is there a way (beside CLI templates) to disable this function?

-So AFAIK your best bet is to rely on the template editor to make a default voice vlan change. Then re-prov NADs to get desired changes. Not sure what default template your are using (closed/open/etc.), but pay attention to your source template <name> config. This is where the voice vlan is being referenced. I would recommend setting up the changes via template editor, and test locally on one NAD before mass deployment to see if it meets your needs. HTH!

mvm · ‎12-27-2021

Thanks.

We're running low impact mode. Using the template editor is exactly what we did. But from my opinion there should be more elegible options configuring the dot1x parameters under the Host Onboarding settings. Actually your answer seems the only possible solution.

Rajesh Kongath · ‎12-26-2021

Do you have selected any Voice IP Pool selected as critical pool?

mvm · ‎12-27-2021

No we didn't select a Voice Pool, we're running all the Clients and Phones in one IP Pool. Our colleagues don't want to change the Phone settings, so we had to use the template editor removing the voice vlan in one of the default Dot1x templates.

Default template pushed from DNAC:

template DefaultWiredDot1xLowImpactAuth
dot1x pae authenticator
dot1x timeout supp-timeout 5
dot1x max-req 3
switchport mode access

switchport voice vlan 2046
mab
access-session control-direction in
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB

After using the template editor the voice vlan is not present anymore

template DefaultWiredDot1xLowImpactAuth
dot1x pae authenticator
dot1x timeout supp-timeout 5
dot1x max-req 3
switchport mode access

mab
access-session control-direction in
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xLowImpactAuth_1X_MAB

Rajesh Kongath · ‎12-27-2021

Hi MVM

The 2046 VLAN is created while your select critical voice vlan. I assume another solution foe your problem is remove the critical vlan. Details can be found at

https://community.cisco.com/t5/networking-documents/critical-vlan-with-sd-access/ta-p/4038644

mvm · ‎12-28-2021

Hi Rajesh,

thanks, that's a really good documentation for critical VLAN

In our case the critical pool is not enabled. So independently of that it seems that the voice vlan is default in SDA. So still it's something that should be made visible in the fabric settings.