Cisco C1300 Voice vlan via radius like an ios switch? Possible or not?

Hi, Cisco promotes the Catalyst C1300 as the successor to the C1000, but it lacks key features like proper RADIUS-based Voice VLAN assignment and multi-domain authentication. This is misleading, as the C1300 cannot handle enterprise-level voice/data separation the same way the C1000 or Catalyst IOS-based switches do. 

Any Workaround?

regards Burkhard

PS Unfortunately our customer bought a lot... without a pilot...


Arne Bier
VIP

Ufff - not fun. I've never worked with (or even heard of) one of these switches.

I suppose, since you can only operate one active access VLAN at the same time, both voice and data traffic would land in the same VLAN. And that is the issue, right? How to keep those separate. Apart from the Catalyst DATA/VOICE domain feature, the only other option would be 802.1Q trunking - but very few endpoints would even support that - so that's out of the question. Can the C1300 do Private VLANs? (I have dark memories of this from my CCNA days ... but never seen it in production.)

Keen to hear what others suggest. 

Dustin Anderson
VIP Alumni

Not even sure since it lists voice vlan. But not sure how/what is used to define it.

 

VLAN

Support for up to 4093 VLANs simultaneously
Port-based and 802.1Q tag-based VLANs, MAC-based VLAN, protocol-based VLAN, IP subnet-based VLAN
Management VLAN
Private VLAN with promiscuous, isolated, and community port
Private VLAN Edge (PVE), also known as protected ports, with multiple uplinks
Guest VLAN, unauthenticated VLAN
Dynamic VLAN assignment via RADIUS server along with 802.1X client authentication
Customer premises equipment (CPE) VLAN
Auto surveillance VLAN (ASV)

Voice VLAN

Voice traffic is automatically assigned to a voice-specific VLAN and treated with appropriate levels of QoS. Voice Services Discovery Protocol (VSDP) delivers networkwide zero-touch deployment of voice endpoints and call control devices.

Arne Bier
VIP

The CLI guide gives a glimmer of hope

Example

The following example enables OUI voice VLAN configuration on gi1/0/2.

switchxxxxxx(config)# interface gi1/0/2
switchxxxxxx(config-if)# voice vlan enable

And it looks like they dumbed it down to allowed MAC OUI prefixes to make some kind of kindergarten plug and play scenario - I don't know if MAB/802.1X will work here:

Default Configuration

The default voice VLAN OUI table is:

OUI       Description
--------  ----------------------
00:01:e3  Siemens AG Phone
00:03:6b  Cisco Phone
00:09:6e  Avaya Phone
00:0f:e2  Huawei-3COM Phone
00:60:b9  NEC/Philips Phone
00:d0:1e  Pingtel Phone
00:e0:75  Veritel Polycom Phone
00:e0:bb  3COM Phone

What you'd have to find out (perhaps have to resort to opening a TAC case) is what RADIUS attributes are required to achieve the same thing that we would do on a Catalyst (Cisco AVPair to enable voice domain).

 

I figured out this:
Interface:
interface GigabitEthernet1
dot1x host-mode multi-sessions
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto

Radius Result:
Access Type = ACCESS_ACCEPT
Tunnel-Medium-Type = 0:6
Tunnel-Private-Group-ID = 0:20
Tunnel-Type = 0:13

SW-Test-01#show dot1x users

                            MAC                Auth   Auth   Session        VLAN
Port     Username           Address            Method Server Time
-------- ------------------ ------------------ ------ ------ -------------- ----
gi1      001AE8DFC791       00:1a:e8:df:c7:91  MAC    Remote 08:16:58       20
gi1      9829A6879BE8       98:29:a6:87:9b:e8  MAC    Remote 08:17:15       1

Tomorrow I will check if the customer could work...

Then every device gets the right VLAN, and it is possible to have more than one VLAN per port.
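The Access-Accept above carries the three RFC 2868 tunnel attributes that RFC 3580 uses for VLAN assignment; the "0:13", "0:6" and "0:20" notation is tag:value. The following encoder/decoder is an added example, not code from this thread or from Cisco: it builds that triple for a numeric VLAN id (as above) or a VLAN name (as the later profiles in this thread use), and shows how a NAS has to match the three attributes by tag before applying the VLAN.

```python
# RFC 2868 tunnel attributes for 802.1X/MAB VLAN assignment (RFC 3580); numbers are the IANA ones.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # the "13" in "Tunnel-Type = 0:13"
TUNNEL_MEDIUM_IEEE_802 = 6   # the "6" in "Tunnel-Medium-Type = 0:6"

def encode_attr(attr_type, value):
    if len(value) > 253:     # Length is one octet and counts the 2-octet header
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def encode_tagged_int(attr_type, tag, value):
    # Tagged integer: one tag octet (0x00-0x1F, the "0" before the colon) + 3-octet value
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag or value out of range")
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))

def encode_tagged_string(attr_type, tag, text):
    # Tagged string: tag octet, then the VLAN id or VLAN name as text
    return encode_attr(attr_type, bytes([tag]) + text.encode("ascii"))

def vlan_assignment_attrs(vlan, tag=0):
    """The triple the thread's Access-Accepts carry, e.g. vlan=20 or vlan='TK-Anlage'."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))

def parse_attrs(blob):
    """Split a run of RADIUS attributes into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def decode_vlan_assignment(blob):
    """VLAN id/name a NAS should apply, or None if no tag-matched, consistent triple exists."""
    by_tag = {}
    for t, v in parse_attrs(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # A first octet above 0x1F is not a tag but part of the string (RFC 2868 s3.6)
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = text.decode("ascii", "replace")
    for a in by_tag.values():
        if (a.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and TUNNEL_PRIVATE_GROUP_ID in a
                and a.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            return a[TUNNEL_PRIVATE_GROUP_ID]
    return None
```

A Group-ID whose first octet is printable (no tag octet at all) is still accepted, since RFC 2868 says such a byte is part of the string rather than a tag.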



 

Arne Bier
VIP

Looks like you are making progress. But I don't believe that you can make every endpoint session have its own VLAN - that's not how access interfaces work - and access mode interface can only operate on a single VLAN - sure, you can dynamically change it via RADIUS, but that affects the entire interface (and all authorized endpoints on that interface will be in the same VLAN).

Did you find out how to tell the C1300 that an endpoint must use the voice VLAN?

It seems that the C1300 is doing exactly this. Look in the documentation (attached). Problematic sentence: "Tagged traffic belonging to the unauthenticated VLANs is always bridged regardless if a host is authorized or not." But when you read the whole text, it should be possible to "redirect" the traffic into the guest VLAN, which could be a black hole. Voice-VLAN is not possible like in IOS.

sh mac address-table | i gi1
1 98:29:a6:87:9b:e8 gi1 dynamic
20 00:1a:e8:df:c7:91 gi1 dynamic

sh ip dhcp snooping binding
Total number of binding: 4

MAC Address        IP Address      Lease (sec)  Type       VLAN Interface
------------------ --------------- ------------ ---------- ---- ----------
34:b8:83:a5:3d:dc  10.17.31.73     39351        learned    1    gi47
98:29:a6:87:9b:e8  10.17.31.22     39334        learned    1    gi1
a2:56:76:0e:83:28  10.40.68.102    1648         learned    4    gi47
00:1a:e8:df:c7:91  10.10.94.119    64412        learned    20   gi1

This RADIUS profile works as well; names are allowed too.
Access Type = ACCESS_ACCEPT
Tunnel-Medium-Type = 0:6
Tunnel-Private-Group-ID = 0:TK-Anlage
Tunnel-Type = 0:13

Access Type = ACCESS_ACCEPT
Tunnel-Medium-Type = 0:6
Tunnel-Private-Group-ID = 0:Data
Tunnel-Type = 0:13

interface GigabitEthernet46
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x max-hosts 3
dot1x port-control auto


Multi-Sessions Mode

Unlike the single-host and multi-host modes (port-based modes) the multi-sessions mode manages the authentication status for each host connected to the port (session-based mode). If the multi-sessions mode is configured on a port the port does have any authentication status. Any number of hosts can be authorized on the port. The command can limit the maximum number of authorized hosts allowed on the port.

Each authorized client requires a TCAM rule. If there is no available space in the TCAM, the authentication is rejected.

When using the dot1x host-mode command to change the port mode to single-host or multi-host when authentication is enabled, the port state is set to unauthorized.

If the dot1x host-mode command changes the port mode to multi-session when authentication is enabled, the state of all attached hosts is set to unauthorized.

To change the port mode to single-host or multi-host, set the port (dot1x port-control) to force-unauthorized, change the port mode to single-host or multi-host, and set the port to authorization auto.

Tagged traffic belonging to the unauthenticated VLANs is always bridged regardless if a host is authorized or not.

When the guest VLAN is enabled, untagged and tagged traffic from unauthorized hosts not belonging to the unauthenticated VLANs is bridged via the guest VLAN.

Traffic from an authorized hosts is bridged in accordance with the port static configuration. A user can specify that untagged and tagged traffic from the authorized host not belonging to the unauthenticated VLANs will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process.

The switch does not remove from FDB the host MAC address learned on the port when its authentication status is changed from authorized to unauthorized. The MAC address will be removed after the aging timeout expires.

802.1x enabled on a port associated with a port channel has the following limitations:

Only the 802.1X-based authentication is supported.

Only the multi-host (legacy 802.1x mode) mode is supported.
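As an added example (not from this thread or from Cisco), a small check that confirms what the outputs above show for multi-sessions mode: each authenticated host on gi1 has its own session VLAN and a matching FDB entry. The sample output is constructed to mirror the thread's listings, and the expected-VLAN map stands in for the RADIUS policy.

```python
import re

# Sample output constructed to mirror the thread's "show dot1x users" and
# "show mac address-table" listings: two hosts on gi1, one in VLAN 20, one in VLAN 1.
DOT1X_USERS = """\
Port     Username         MAC Address        Auth   Auth   Session        VLAN
-------- ---------------- ------------------ ------ ------ -------------- ----
gi1      001AE8DFC791     00:1a:e8:df:c7:91  MAC    Remote 08:16:58       20
gi1      9829A6879BE8     98:29:a6:87:9b:e8  MAC    Remote 08:17:15       1
"""
MAC_TABLE = """\
1    98:29:a6:87:9b:e8  gi1  dynamic
20   00:1a:e8:df:c7:91  gi1  dynamic
"""
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}", re.I)

def parse_dot1x_users(text):
    """MAC -> (port, session VLAN) from 'show dot1x users'; header/ruler lines are skipped."""
    sessions = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 7 and MAC_RE.fullmatch(fields[2]):
            sessions[fields[2].lower()] = (fields[0], fields[-1])
    return sessions

def parse_mac_table(text):
    """MAC -> (port, VLAN) from 'show mac address-table' rows: VLAN, MAC, port, type."""
    fdb = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and MAC_RE.fullmatch(f[1]):
            fdb[f[1].lower()] = (f[2], f[0])
    return fdb

def audit(sessions, fdb, expected):
    """expected: MAC -> VLAN the RADIUS policy should assign. Returns (mac, problem)
    pairs for hosts with no session, a wrong session VLAN, or an FDB entry that disagrees."""
    problems = []
    for mac, vlan in ((m.lower(), v) for m, v in expected.items()):
        if mac not in sessions:
            problems.append((mac, "no authenticated session"))
        elif sessions[mac][1] != vlan:
            problems.append((mac, "session VLAN %s, expected %s" % (sessions[mac][1], vlan)))
        elif fdb.get(mac) != (sessions[mac][0], vlan):
            problems.append((mac, "FDB entry %r disagrees with session" % (fdb.get(mac),)))
    return problems

if __name__ == "__main__":
    for mac, why in audit(parse_dot1x_users(DOT1X_USERS), parse_mac_table(MAC_TABLE),
                          {"00:1a:e8:df:c7:91": "20", "98:29:a6:87:9b:e8": "1"}):
        print(mac, why)
```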