Can you use ISE to force a device to Voice Vlan

JHarris6117
Level 1

Hello everyone,

 

We have a situation where a device is connecting to the network and is unable to tell the switch it should be on the voice vlan, when it should be.  Does anyone know if there is a way to tell the switch via ISE that this interface should be set to the voice vlan only?

 

We enabled the voice permission option on the auth results, and what this does is place the device's MAC in both the data and voice domain; however, the client stays on the data domain and does not grab a new address on the voice domain.

 

interface GigabitEthernet0/9
 switchport access vlan 2160
 switchport mode access
 switchport voice vlan 2161   <-- Want the device to only access voice vlan, not access vlan

Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
2160    7845.0101.1635    STATIC    Gi0/9   <-- Want this to disappear, keeping the device on vlan 2161 only
2161    7845.0101.1635    STATIC    Gi0/9
Total Mac Addresses for this criterion: 2

 

Thanks in advance!

 

Accepted Solutions

thomas
Cisco Employee

In your ISE Authorization Policy @ Policy > Policy Elements > Results > Authorization > Authorization Profiles you should have a default Cisco_IP_Phones profile included. If you edit it you will see the Voice Domain Permission which is the setting you want! If you scroll to the bottom and look at the Attribute Detail you will see checking that box corresponds to the RADIUS attribute

cisco-av-pair = device-traffic-class=voice

 

Whatever authorization policy you are assigning for these voice devices, be sure to check that box and that is how ISE tells the switch to put it in the Voice VLAN!

 

7 Replies

Are you authenticating connections on the switch port using RADIUS? If so, this is pretty straightforward using RADIUS attributes.

 

Policy --> Policy Elements -> Results --> Authorization --> Authorization Profiles

Check VLAN under Common Tasks and include the VLAN number in the ID/Name field. 

 

You should be able to use this in your authorization rules for the policy set after this. Of course, the switch needs to be configured to accept this attribute and shift the VLAN.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Chris,

Thanks for the response. I'd like to accomplish this without needing to put a VLAN number in the ISE configuration. We have 40+ IDFs, each with different voice VLANs; you could imagine the number of results / profiles would be pretty large. Is there any way to tell the switch port to force this device to the voice VLAN that's already configured, and not use the data (access) VLAN?

Thanks,

Your post asked if there was any way to use ISE to accomplish this - sorry for the confusion. Other than configuring the voice VLAN on the switchport, I'm not sure what else you could do to force the device into the correct VLAN. You might find this post helpful, however:

https://community.cisco.com/t5/switching/assign-vlan-based-on-mac/td-p/2622878

 

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Rob R.
Level 1

@thomas  - How does the Switch know which VLAN on itself is the VOICE VLAN? Is this via the VLAN Name or some other attribute? The Checkbox within ISE is "voice domain permission" but I'm curious how the switch knows which specific VLAN that is defined on itself. 

@Rob R. : This is an extremely old thread. I suggest asking a new question to the community.

It is the VLAN that is specified with the "switchport voice vlan" command under the interface configuration.
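
The symptom from the question (one MAC learned in both the access VLAN and the voice VLAN of the same port) can be checked across a whole switch once the device-traffic-class=voice authorization is in place. The following is an added example, not part of the thread or of any Cisco tooling: Python that reads interface configuration and MAC address table text and classifies each (port, MAC) pair. The sample input is constructed from the output in the question; the two-letter interface abbreviation and the state labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the config and MAC table in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/9
 switchport access vlan 2160
 switchport mode access
 switchport voice vlan 2161
interface GigabitEthernet0/10
 switchport access vlan 2160
"""
SAMPLE_MAC_TABLE = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
2160 7845.0101.1635 STATIC Gi0/9
2161 7845.0101.1635 STATIC Gi0/9
2160 0011.2233.4455 STATIC Gi0/10
"""
STATES = {(True, True): "both-domains", (True, False): "voice-only",
          (False, True): "data-only"}  # labels are this example's own

def short_name(ifname):
    # Assumption: the MAC table abbreviates names to two letters (Gi0/9).
    m = re.match(r"([A-Za-z]+)([\d/.]+)$", ifname)
    return m.group(1)[:2] + m.group(2) if m else ifname

def parse_ports(config):
    """Map each port to its configured access and voice VLAN (None if unset)."""
    ports, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(short_name(m.group(1)), {"access": None, "voice": None})
        elif cur is not None and (m := re.match(r"\s*switchport (access|voice) vlan (\d+)", line)):
            cur[m.group(1)] = int(m.group(2))
    return ports

def audit(config, mac_table):
    """Classify every (port, MAC) by which of the port's VLANs it was learned in."""
    ports, seen = parse_ports(config), defaultdict(set)
    for line in mac_table.splitlines():
        if m := re.match(r"\s*(\d+)\s+([0-9a-f.]{14})\s+\S+\s+(\S+)", line, re.I):
            seen[(m.group(3), m.group(2).lower())].add(int(m.group(1)))
    report = {}
    for (port, mac), vlans in seen.items():
        p = ports.get(port, {"access": None, "voice": None})
        key = (p["voice"] in vlans, p["access"] in vlans)
        report[(port, mac)] = STATES.get(key, "unmapped-vlan")
    return report
```

Calling audit(SAMPLE_CONFIG, SAMPLE_MAC_TABLE) reports Gi0/9 as "both-domains", the state shown in the question, and Gi0/10, which has no voice VLAN configured, as "data-only".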
