Cisco ISE and dynamic Voice VLAN assignment

swenska (Level 1)

Hello everybody,

We have an ISE deployment with Cisco Catalyst 3560, 3750 and 3650 switches. We use Unify, Avaya and Alcatel phones and want to separate them into different voice VLANs.

So our idea was to push the voice VLAN onto the access ports. Is there a way to push different voice VLANs to the ports?

Our current port config looks like this:

 

network-policy 713
switchport mode access
ip device tracking maximum 10
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 8
no lldp med-tlv-select power-management
spanning-tree portfast

network-policy profile 713
 voice vlan 13


The ISE is pushing an Authz Result with Voice Permission and a VLAN ID.

The authentication on the switch itself fails:

MAC Address: aabb.ccdd.eeff
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: mschap-username
Status: Unauthorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 0A1BF1E200000101B6B357DF
Acct Session ID: Unknown
Handle: 0x1D00009C
Current Policy: POLICY_INTERFACE

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Method status list:
Method State

dot1x Authc Success


and the following event is logged:

Feb 21 11:42:06: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client

Any ideas or suggestions?

Thank you for your help

Regards

Sven


Accepted Solution

howon (Cisco Employee)

Yes, it should work, but if I recall you need to have the following:

- Default voice VLAN configured on the interface: run 'switchport voice vlan XXX' to assign a default voice VLAN

- Send voice domain permission (which I believe you are already doing)

- Change the host-mode to multi-domain

- Since you are using 3rd-party phones, enable LLDP: using DHCP to provide the voice VLAN ID will be tricky since you have different vendor phones connecting, so you will need to use LLDP to share the voice VLAN from the switch to the phones

I believe all of the Catalyst models you mentioned should be able to support it, but I suggest testing all three independently in case one of the models may not.
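As an added example (not code from this thread, from Cisco or from ISE), the following Python script encodes the checklist above and the symptom from the question as two checks: `audit_port()` looks at an interface config for the default `switchport voice vlan`, the multi-domain host mode and LLDP not being disabled on the port, and `diagnose()` parses a `show authentication sessions ... details` dump to flag the "dot1x Authc Success but Status: Unauthorized in the VOICE domain" state that goes with the `%DOT1X-5-RESULT_OVERRIDE` syslog. The "before" and "after" interface snippets and the session text are constructed from the posts; the global `lldp run` is assumed and not shown.

```python
"""Audit helper for the voice-VLAN / 802.1X checklist discussed in this thread.

Check 1: does an access-port config meet the accepted answer's checklist
(default voice VLAN on the port, multi-domain host mode, LLDP not disabled
on the port)?  Check 2: does a session dump show the symptom from the
question (dot1x Authc Success, yet the VOICE-domain session is Unauthorized)?
All sample text below is constructed from the posts, not captured live.
"""
import re

# Constructed sample: the relevant lines of the interface config from the question.
PORT_CONFIG_BEFORE = """\
network-policy 713
switchport mode access
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
no lldp med-tlv-select power-management
spanning-tree portfast
"""

# Constructed sample: the same port after the accepted answer's changes.
# 'switchport voice vlan 13' is the default voice VLAN that ISE's voice-domain
# permission lets the phone use.  LLDP is assumed enabled globally ('lldp run').
PORT_CONFIG_AFTER = """\
switchport mode access
switchport voice vlan 13
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
"""

# Constructed sample: trimmed session dump as posted in the question.
SESSION_DUMP = """\
MAC Address: aabb.ccdd.eeff
User-Name: mschap-username
Status: Unauthorized
Domain: VOICE
Oper host mode: multi-auth
Method status list:
Method State
dot1x Authc Success
"""

_FIELD = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s*(.*)$")
_METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_session(text):
    """Split a session dump into 'Field: value' pairs and per-method states."""
    fields, methods = {}, {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
            continue
        m = _METHOD.match(line)
        if m:
            methods[m.group(1)] = m.group(2)
    return fields, methods


def audit_port(config):
    """Return the checklist items an interface config fails (empty list = OK)."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if not any(ln.startswith("switchport voice vlan ") for ln in lines):
        findings.append("no default 'switchport voice vlan <id>' on the interface")
    if "authentication host-mode multi-domain" not in lines:
        findings.append("host-mode is not multi-domain")
    if any(ln in ("no lldp transmit", "no lldp receive") for ln in lines):
        findings.append("LLDP transmit/receive disabled on the port; third-party "
                        "phones learn the voice VLAN from the switch via LLDP-MED")
    return findings


def diagnose(session_text):
    """Explain the symptom from the question: authc OK, authz overridden."""
    fields, methods = parse_session(session_text)
    problems = []
    voice = fields.get("Domain") == "VOICE"
    if (voice and fields.get("Status") == "Unauthorized"
            and methods.get("dot1x") == "Authc Success"):
        problems.append("dot1x succeeded but the VOICE-domain session is still "
                        "Unauthorized: authorization was overridden on the switch "
                        "(the %DOT1X-5-RESULT_OVERRIDE syslog)")
    if voice and fields.get("Oper host mode") == "multi-auth":
        problems.append("port runs multi-auth; the accepted answer calls for "
                        "multi-domain when a voice VLAN is assigned")
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", PORT_CONFIG_BEFORE), ("after", PORT_CONFIG_AFTER)):
        print(label, "->", audit_port(cfg) or ["checklist satisfied"])
    for problem in diagnose(SESSION_DUMP):
        print("session:", problem)
```

Run it as-is to see the "before" port fail two checklist items and the "after" port pass; point `audit_port()` at the output of `show running-config interface <x>` and `diagnose()` at a real session dump to apply the same checks to a live switch.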


4 Replies

Hi, ISE doesn't override voice VLAN. It allows the use of voice VLAN using the voice domain feature.

Hi Mohammed,

sorry for the misunderstanding. I am aware of the "Voice Permission" parameter.

I need to push the endpoint to the voice domain AND want to push a dynamic voice VLAN ID.

Thank you for your help

Regards

Sven


I think I ran into the same issue.

The default port config on the switches looks like this:

switchport access vlan yyy
switchport mode access
switchport voice vlan xxx

For voice devices which support VLAN discovery via LLDP/CDP it works fine to push the "Voice Permission" via ISE.

Unfortunately we also have voice devices on the same switches which need the voice VLAN natively (switchport access vlan xxx).

The problem is that the switch cannot apply the access VLAN xxx as long as it has the voice VLAN xxx hardcoded on the switchport.

So the idea here was to have the default switchport config look like this:

switchport access vlan yyy
switchport mode access

and assign the voice VLAN dynamically, either with "voice permission" or "natively". But since there is no attribute to push the voice VLAN ID within the voice domain, I guess I'll have to move those voice clients to a different VLAN.