Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6096
Views
0
Helpful
3
Replies

Voice domain behavior... confirming behavior

Go to solution
paul
Level 10
Level 10

‎08-14-2018 12:30 PM

I want to confirm something I have seen for a long time, but never confirmed if this is functioning as designed.  When in closed mode on the switch port here is what I observe:

 

  1. If the authorization profile doesn't specify the Voice domain and the device, typically an IP phone, tries to use the voice VLAN on the port the switch will drop the traffic.
  2. If the authorization profile specifies the Voice domain but the device is on the data VLAN on the port the switch allows the traffic.

So Voice domain works on any device, but not setting voice domain will break IP phones trying to access voice vlan on the port.

 

That is what I have seen for year, but never confirmed if that was functioning as designed.  This is on Multi Auth.  On older IOS versions, I thought you could only have 1 voice domain device even in Multi Auth, but now I have seen ports with more than one Voice domain device function just fine.

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎08-16-2018 05:42 AM

The behavior is different depending on auth mode (multi-host vs multi-mda vs multi-auth).  With multi-host, the phone can be authorized to voice VLAN via CDP alone--not very secure, but simple.  With multi-mda, only one endpoint is authorized for data and one for voice.  Even in open mode, voice domain permissions must be assigned to authorize phone to voice VLAN/domain.  In multi-auth, you can have multiple endpoints authorized in data domain and one for voice.  There are reported cases where phone is stuck in data domain, but if authorized for voice then expected behavior is for it to move to voice VLAN.  Originally the data domain was limited to a single VLAN, so all devices had to share the same data VLAN--first PC, for example, would get VLAN 10, then all other data endpoints had to be assigned to same VLAN.  Newer versions of IOS allow multiple data VLANs so that each endpoint can be assigned to its own data VLAN.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Craig Hyps
Level 10
Level 10

‎08-16-2018 05:42 AM

The behavior is different depending on auth mode (multi-host vs multi-mda vs multi-auth).  With multi-host, the phone can be authorized to voice VLAN via CDP alone--not very secure, but simple.  With multi-mda, only one endpoint is authorized for data and one for voice.  Even in open mode, voice domain permissions must be assigned to authorize phone to voice VLAN/domain.  In multi-auth, you can have multiple endpoints authorized in data domain and one for voice.  There are reported cases where phone is stuck in data domain, but if authorized for voice then expected behavior is for it to move to voice VLAN.  Originally the data domain was limited to a single VLAN, so all devices had to share the same data VLAN--first PC, for example, would get VLAN 10, then all other data endpoints had to be assigned to same VLAN.  Newer versions of IOS allow multiple data VLANs so that each endpoint can be assigned to its own data VLAN.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Craig Hyps

‎08-16-2018 06:08 AM

Thanks Craig.  I think I have seen in newer IOS as well more than one device allowed in the voice VLAN, but I would have to retest.  This is all in multi-auth.  I haven't tested the multiple data VLANs on same port in a while.  I didn't know newer versions of IOS were allowing that. 

 

 

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to paul

‎08-16-2018 06:47 AM

Paul, your observations are expected. When device is assigned voice domain permission, the switch allows access to both data and voice VLAN. This is to accommodate IP phones without CDP/LLDP capability, which depends on DHCP to learn voice VLAN ID. By allowing temporary data VLAN access, the IP phone can boot up on data VLAN and get IP address without tagging, where it learns the voice VLAN, then restarts network interface with voice VLAN ID tag to get IP from the voice VLAN.

However, one voice device requirement still holds true on a given interface. You may be able to assign multiple devices with voice domain permission to the same interface, however, you won’t be able to send traffic from more than one device in voice VLAN.

Note that it is not the newer IOS that supports multi-VLAN assignment, rather specific platform supports the feature; 3850, 3650, and 2960X.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents