
multi auth or multi domain with ip phones

jiyoung Kim
Level 1

Hi, we have a cascade IP phone environment, and we want to authenticate all the IP phones.

When I say cascade IP phone, I mean an IP phone behind an IP phone behind an IP phone.

Which host mode is the best?

In my test, when I use multi-domain, I can authorize only ONE IP phone to the voice VLAN.

Switch voice VLAN in interface mode is not used; I permitted the voice VLAN on the authorization profile in ISE.

Also, in multi-auth mode, I can authorize only ONE IP phone to the voice VLAN.

Switch voice VLAN in interface mode is not used; I permitted the voice VLAN on the authorization profile in ISE.

Should I use QoS on the voice VLAN and use multi-auth mode?

3 Replies

Tarik Admani
VIP Alumni

Hi,

In all host mode scenarios only one device is allowed on the voice domain; it is usually the first device that is authorized. So when using 802.1X it is best to connect a small switch, i.e. a Cisco 8-port 2960, and run NEAT if the infrastructure supports it. If not, then set the port that needs multiple phones connected as a trunk port and run 802.1X on the smaller switch.

This in my opinion is a security measure where only one voice device can be authorized, since QoS prioritizes traffic on the voice VLAN, so connecting multiple phones on one port isn't ideal in most scenarios. You can also set the access VLAN for that port to the voice VLAN and build your authorization policy so that any requests that come through that port and switch and are profiled as a phone do not get the voice domain permission. This is a roundabout way, but that is what ISE allows you to do; you can create policies however you wish.

Thanks,

Tarik Admani
*Please rate helpful posts*
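
A sketch of the NEAT layout suggested in the reply above, added here as an illustration and not taken from any poster's configuration. Interface names, VLAN IDs and the credential profile name are placeholders, and AAA/RADIUS toward ISE with `dot1x system-auth-control` is assumed to be configured on both switches already.

```cisco
! ===== Upstream (authenticator) switch =====
! CISP lets the edge switch report the MAC addresses it has authenticated.
cisp enable
!
interface GigabitEthernet1/0/10
 description Link to small edge switch (placeholder interface)
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
! ISE authorization profile for the edge switch returns the cisco-av-pair
!   device-traffic-class=switch
! which converts this port to a trunk once the edge switch authenticates.
!
! ===== Small edge (supplicant) switch =====
cisp enable
!
! Credentials the edge switch presents upstream (placeholder values).
dot1x credentials NEAT-CRED
 username edge-switch-01
 password 0 <PLACEHOLDER-SECRET>
!
dot1x supplicant force-multicast
!
interface GigabitEthernet0/1
 description Uplink to authenticator switch
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-CRED
!
! One phone per port, so each phone gets its own voice-domain session
! instead of competing for the single voice slot on a shared port.
interface range FastEthernet0/1 - 7
 description Phone-facing port (placeholder range)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

After bringing the link up, `show authentication sessions` on each phone-facing port should list the phone in the VOICE domain, and `show cisp clients` on the upstream switch should list the MAC addresses learned through the edge switch.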

That's how I have deployed it right now, but I want QoS on the voice VLANs.

However, I do not have any knowledge about voice.

In ISE, I know I can give the voice VLAN with QoS, so what QoS should I give?

I am not a voice engineer, but I know ISE can assign QoS for wireless using the Airespace attributes. I didn't know you can dynamically assign QoS policies at the switch port level; usually at the port level that is done locally on the switch, and you can assign markings based on the configuration locally on the switch and the VLAN, along with class-maps and policy-maps on the layer 3 interface for the voice VLAN.

I am trying to understand your implementation and not questioning your knowledge as I have not had much design on the voice side outside of 802.1x.

Thanks,

Tarik Admani
*Please rate helpful posts*