
Use 802.1x to assign alternate voice VLAN

Good afternoon all,

 

I'm looking for a way for our 802.1x server to return an alternate voice VLAN ID number for the switch to use. For example, if the standard port config is:

 

switchport access vlan 10

switchport voice vlan 20

 

we want to be able to have the 802.1x server reply to the switch saying "the voice VLAN should be 15" and have the voice VLAN dynamically set to VLAN 15 by the switch. We already have Cisco-AVPair = device-traffic-class=voice to auth the voice VLAN device, but we still need to be able to pass back something to change the voice VLAN ID. Is this possible? If it makes any difference, we're using Aruba ClearPass and use Cisco 9200 and 2960X switches.

 

Thanks in advance!

Jeremy

Accepted Solution

Greg Gibbs
Cisco Employee

I don't believe there is any VSA for dynamic voice VLAN assignment as per the standard. The voice VLAN is a special kind of VLAN and there are various caveats and limitations associated with it as well as functions on the phone that rely on it (like the phone discovering the voice VLAN via CDP/LLDP). Dynamically changing the voice VLAN would likely cause race conditions and other issues with the phone operations.


6 Replies


Thanks Greg! Bummer. We're trying to figure out how to avoid a condition where we need to set the access VLAN to the voice VLAN ID, e.g. VG224 or 3rd party SIP device, while avoiding the conflict of having the access and voice VLANs be the same, which is obviously restricted in 802.1x world. It sounds like the only thing to do is just remove the switchport voice vlan command on such ports or set the voice VLAN to be some blackhole VLAN. Would you agree?

Panos Bouras
Level 1

Hi Jeremy,

 

You can try to use interface templates, maybe the following link will help you:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116838-configure-identity-00.html

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

Hi Panos,

 

Unfortunately, we don't have ISE, we are using ClearPass. Thoughts?

 

Thanks,

Jeremy

Hi Jeremy,

 

You can set up an ISE lab, capture the RADIUS response to the switch and try to re-create that in ClearPass via a custom RADIUS dictionary or something similar.

Apologies, but I'm not familiar with ClearPass.

Thank you, Panos.

piesio.marcin
Level 1

Have you ever got this working? Having the same issue, also on CPPM.

Would love to return a dynamic voice VLAN to phones.