
Cat 3750 with Voice VLAN and Dynamic VLANs

gdinsdale
Level 1

Morning,

Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?

Is a RADIUS server able to provide values to change the native VLAN?

Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?

Thanks,

4 Replies

Voice VLANs and VLAN assignment via 802.1x are possible, and it works, as I have tested it recently. The access VLAN is supplied by the RADIUS server in the AV pair value 81 (Tunnel-Pvt-Group-ID). The switch must be configured for network authorisation for this to work (aaa authorization network), as well as 802.1x being configured.

Dynamic VLANs require the use of VMPS; this is different to 802.1x in that the client device has no involvement. The VMPS Server (usually a Cat5000 switch or a URT appliance) has a list of MAC-to-VLAN mappings, so when a device connects the switch sends a request to the VMPS server for the VLAN of the MAC address (this is a simplistic view of what actually happens). Again, this works independently of Voice VLANs, so your Voice VLANs will work with this feature.

I have to question why anyone would need dynamic VLANs though.......... Doesn't IP switch at wirespeed ;o)

HTH

Andy

Andy,

Thanks. So the access VLAN modifies the native VLAN? I was wondering if it only worked on access ports, rather than trunk ports.

The owner of a multi-tenant building wants to use the ACS to assign users to VLANs (via MAC addresses). It is supposed to simplify switch administration. The turnover of small companies renting space is usually quite high, so the idea is that any incoming company gives over the MAC addresses of their machines, these are quickly entered into the ACS and made members of a group with a particular VLAN. It then doesn't matter which office they use, the ports will dynamically be placed into the correct VLAN. They can also then troll downstairs to the coffee bar or meeting rooms and use the copper ports and they'll be on their own VLAN straight away. Well, that's the idea.

Any thoughts?

Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access VLAN - so in 2950 or above the only config you need is:

interface FastEthernet0/1
 switchport
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
!

This is effectively the same as:

interface FastEthernet0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,100
!

The only difference is that the CDP message with the first config will advertise the Voice VLAN capability and the tag.

With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice VLAN).

QoS is not detailed anywhere here and that obviously plays an important role with voice.

In your scenario I am not sure ACS can do what you describe, as this will require 802.1x supplicants on the client PCs (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non-802.1x-capable devices). This seems to me more of a VMPS application.

Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....

HTH

Andy

Andy,

Thanks for the switch config, I'll have to give it a go.

Regards,

Gareth