Voice VLAN in ISE AuthZ profile

peter.matuska1
Level 1

Hi,

I have switchport voice vlan defined, the phone is auth/authz by MAB. The authz profile has Voice domain permission checked. Non-Cisco IP phone is authenticated and authorized fine, everything looks good in switch and ISE. But there is no connectivity on the IP phone. IPDT shows "stale" for the IP address instead of reachable. When LLDP is started the connectivity is restored (after restarting the phone). When LLDP is turned off, the connectivity is immediately lost and IP changed from "reachable" to "stale". The issue is on Catalyst 9300. Any ideas?

thank you

Accepted Solution

howon
Cisco Employee

Hi, Peter. IP Phone learns voice VLAN ID via DHCP, LLDP, or CDP, so you will need to allow it so it can start using the voice VLAN. If you don't want to use LLDP, then you will need to configure DHCP options to let the IP phone know which VLAN ID to use. Since the IP phone will initially boot to the data VLAN, you need to set the DHCP option on the data VLAN configured on the interface. Once the IP phone learns the voice VLAN from the data VLAN DHCP, it will reset and start sending traffic on the configured voice VLAN.

7 Replies

Hi,

and what is the benefit to set it in the authorization profile?

howon
Cisco Employee

The voice domain permission in the authorization profile is for permission. Just because the phone knows about the voice VLAN doesn't mean it will get access to the voice VLAN. By assigning voice domain permission, the IP phone can send traffic on the voice VLAN. So think of CDP/LLDP/DHCP to let the phone know what the voice VLAN is, and the RADIUS voice domain permission to allow traffic on that VLAN from the phone.

Hi,

ok, because without LLDP but with permission enabled I can see the MAC address in voice VLAN but no IP is assigned.

I can't explain the details on how the switch provides access for the voice VLAN, but I wouldn't read too much into that. Have you tried a packet capture? Is the client actually trying to get an IP on the voice VLAN? Like I mentioned, you need a way to inform the IP Phone what the voice VLAN is, and it has to be done via DHCP/LLDP/CDP unless hardcoded on the phone.

@howon - How does the switch know which VLAN defined on itself is the voice VLAN? Is this attribute learned from a single "switchport voice vlan xxx" command or some other mechanism? Hope this question makes sense.

Yes, using 'switchport voice vlan xxx' would be the most straightforward way, and you may also send the voice VLAN ID via RADIUS as part of dynamic VLAN assignment.
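The pieces discussed in this thread, put together as an added example (not configuration posted by anyone in the thread). Assumed values: data VLAN 10, voice VLAN 20, port GigabitEthernet1/0/5, and the 10.10.10.0/24 and 10.20.20.0/24 subnets. The DHCP option code and string format that carry the voice VLAN ID to a non-Cisco phone are vendor specific and are not given in the thread, so they appear as placeholders.

```cisco
! Added example, not from the thread. Assumed: data VLAN 10, voice VLAN 20, Gi1/0/5.

! --- Global: LLDP is what lets a non-Cisco phone learn the voice VLAN from the port ---
lldp run

! --- Access port: the switch knows VLAN 20 is the voice VLAN from this one command ---
interface GigabitEthernet1/0/5
 description IP phone port (MAB, multi-domain)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication port-control auto
 mab

! --- Alternative to LLDP: carry the voice VLAN ID in DHCP on the DATA VLAN ---
! The phone boots in VLAN 10, reads the option, reboots and re-DHCPs in VLAN 20.
! <OPTION-CODE> / <VENDOR-STRING> are placeholders: the option number and the
! format of the string are phone-vendor specific and not given in the thread.
ip dhcp pool DATA-VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 option <OPTION-CODE> ascii "<VENDOR-STRING naming voice VLAN 20>"

! The phone still needs a lease once it moves to the voice VLAN.
ip dhcp pool VOICE-VLAN20
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1

! --- What ISE sends for "Voice Domain Permission" in the authorization profile ---
! (RADIUS attribute the switch receives in Access-Accept; without it the phone is
! authorized in the DATA domain only and its voice-VLAN traffic is not allowed)
!   cisco-av-pair = device-traffic-class=voice
!
! Optional: assign the voice VLAN dynamically from RADIUS instead of the port command
! (sent together with device-traffic-class=voice):
!   Tunnel-Type              = VLAN (13)
!   Tunnel-Medium-Type       = 802 (6)
!   Tunnel-Private-Group-ID  = 20

! --- Checks for the symptom in the thread (stale IPDT entry, no connectivity) ---
! 1) Phone authorized in the VOICE domain on VLAN 20?
!    show authentication sessions interface GigabitEthernet1/0/5 details
! 2) Did the phone actually hear the voice VLAN from the port?
!    show lldp neighbors GigabitEthernet1/0/5 detail
! 3) Is its voice-VLAN address tracked as REACHABLE rather than STALE?
!    show device-tracking database interface GigabitEthernet1/0/5
```

If check 1 shows the phone authorized only in the DATA domain, the RADIUS side is the problem; if it is in the VOICE domain but check 3 still shows the entry stale, the phone never learned (or never moved to) VLAN 20, which points at LLDP or the DHCP option rather than at ISE.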
