07-11-2022 12:52 AM
Hi all,
I'm trying to understand a very strange behaviour of a Catalyst 3650. The switch authenticates users by using ISE 2.7. I configured some authorization profiles, one of which is dedicated to IP phones. This profile contains a voice VLAN assignment. For completeness, I'm using a Polycom VVX 201. This Polycom is CDP and LLDP capable.
When I attach the phone to the switch, it gets assigned to a "welcome" VLAN (voice VLAN 201). This VLAN is just an empty container; it does not have an L3 interface or DHCP relay config. At this point, the phone gets correctly authenticated. ISE sends all the authorization profile information within the Access-Accept packets. From now on the phone will be stuck in the welcome VLAN besides being assigned to the VLAN associated with the authorization profile (707).
I've captured some packets with Wireshark and I've seen that if CDP is enabled (on the switch interface or within the Polycom), the switch sends a CDP packet in which the "VoIP Vlan Reply" field is set to 201 (instead of 707).
When turning off CDP (at the interface side with the "no cdp enable" interface command or at the Polycom side), the switch sends LLDP packets in which there is the correct VLAN information (707).
Have you ever seen a scenario like this one?
07-11-2022 11:20 PM
Friend,
you configured open auth.
Open auth makes the SW authorize the traffic before the full auth from ISE; this means that the SW sends CDP with the voice VLAN configured under the switch port and does not wait for the dynamic voice VLAN from ISE.
Remove auth open and see the result.