SDA Default Voice VLAN

dm2020
Level 1

Hi All,

I have an SDA fabric using closed mode authentication and am looking to set up a fabric site-wide voice VLAN. I created a voice IP pool in the fabric and noticed that it's not set as the default voice VLAN on my fabric edge ports (the default voice VLAN is critical voice VLAN 2046, which is set under the default closed mode template). This means that I have to use host onboarding to set the voice VLAN on the fabric edge ports manually, which is not ideal (I have over 2000 voice ports to configure).

From what I can see I have a couple of options:

1) Set the voice IP pool to critical, which results in an SVI being enabled on critical voice VLAN 2046.

2) Use a DNAC template to change the voice VLAN under the fabric edge 'DefaultWiredDot1xClosedAuth' template to use the VLAN ID of a regular voice IP pool.

I have tested and both of the above seem to work OK. I've hunted and I can't find any documentation that suggests whether either of the above options is recommended or even supported. Has anyone set up anything similar before?

10 Replies

StevieC666
Level 1

Hi there,

We've around 800 IP handsets, non-Cisco, that are connected to Closed Auth FE ports. We're leveraging ISE to return the appropriate voice IP pool, depending on the fabric site, following authorisation of the handset.

Hope this helps

Hi @StevieC666

What is the traffic type for the voice IP pool set to under the VN in your fabric: 'data' or 'voice'?

If the type is data then the above makes sense, as ISE can return the VLAN name to the FE during authorization. However, if it's set to type voice, which can only be used for setting 'switchport voice vlan' on the FE port, then it's my understanding that ISE can only return voice domain permission and not the VLAN name/ID. Based on this, the voice VLAN has to be set manually on the port, which is what I want to avoid.

Can you confirm the above in your setup?
StevieC666
Level 1

Hi DM,

I've just grabbed screenshots of both the IP Pool/VN and auth result settings. I can't insert them on my mobile for some reason, however.

I can confirm that the voice type is set in the VN setup, and in the auth result both Security Group and Voice Domain Permission are set.

Hi @StevieC666

Thank you for checking this. So far I have been testing this by setting the VLAN under the ISE authz profile and not the security group. I will test this.

Can you also confirm if your FE switchports have been configured with 'switchport voice vlan' or if they use the default config with the default closed auth template?

No problem, yes we're using the Closed Auth template.

We've a load of other types of FE-connected things for which, sadly, we have to manually set the port config via GUI then CLI, but fortunately phones just worked.

Hello,

Quick and important distinction: an IP phone can learn the voice VLAN over CDP or LLDP from the SDA fabric switch, or not learn it; it depends on the IP phone configuration.

If the IP phone does NOT learn the voice VLAN over CDP/LLDP, and/or if the IP phone does not set a VLAN tag on voice traffic, then the IP phone can be authenticated and authorized into any SDA IP pool by ISE. If there are multiple endpoints connected to an SDA C3K/C9K Edge Node port (e.g. phone + PC), then each endpoint can be authenticated and authorized into a different VLAN and SGT as per here (check scenario one) -> https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/sec/b_173_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html#concept_4399A67822B44467858A3DD4B5613E1A

If the IP phone IS setting the VLAN tag learned from CDP/LLDP, then it must be permitted access to the voice VLAN set on the switch port, since this will be the VLAN tag set by the IP phone. By default all Edge Node switch ports have a voice VLAN of 2046. It is perfectly valid and supported to permit IP phones into VLAN 2046, which is the critical voice VLAN.

Using a template to change the switch port voice VLAN configuration is not recommended as it could cause a future conflict, e.g. you change the switch port voice VLAN to 123 with a template, but then at some future time the automation could change it back to 2046.

Another option to change the voice VLAN on all switch ports is to do it through the host onboarding screen in the SDA application on DNAC, but this is too manual in nature for some folks.

A final option MIGHT be to use the API to change the voice VLAN on Edge Node access ports, but this is not my area of expertise. If the API is the preferred path forward please advise and I'll ask an SME to jump in and share what is possible from an API perspective.

Cheers, Jerome

I did some further testing with a Cisco IP phone that is configured to learn the voice VLAN from CDP. I configured my ISE authorisation profile to return my voice IP pool VLAN (set using either VLAN or Security Group) and voice domain permission. This places the IP phone on the voice VLAN and allows me to connect a PC to the IP phone's switchport that is then authorised into a different IP pool/data VLAN. This accomplishes what I need and avoids the need to manually set the voice VLAN on the switchports.

I think that this is only made possible by the presence of the default voice VLAN on the port that is set by the closed mode template (switchport voice vlan 2046). With this command present, ISE can override voice VLAN 2046 to whatever I set in the authorisation profile. If I remove the closed mode template, and the associated voice vlan command, then the above does not work.

Looking into this further, it makes sense to me to make use of the default voice VLAN 2046, as this is also set as the critical-voice VLAN in the event of an ISE failure.

@jedolphi - do you have any customers that are using the default/critical voice VLAN for when ISE is both available and not available? From my testing, I simply set my voice IP pool to type voice and critical and then set ISE to return only voice domain permission in my phone authorisation profile.
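Added example (not from any post in this thread) of the port state and RADIUS attributes the override described above relies on; the interface name, the policy-map name and VLAN 1022 are assumed placeholders, not DNAC's generated values:

```text
! Fabric edge access port as a closed-mode template leaves it. The static
! voice VLAN 2046 is the hook that a later RADIUS authorization can replace.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport voice vlan 2046           ! critical voice VLAN, present by default
 access-session host-mode multi-auth  ! phone and PC are authorized separately
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber PMAP_CLOSED_AUTH_EXAMPLE   ! assumed name

! ISE authorization result for the phone (attributes in the Access-Accept):
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = 1022        (voice pool VLAN name or ID, assumed)
!   cisco-av-pair           = device-traffic-class=voice   (Voice Domain Permission)
! Effect: the phone's session uses voice VLAN 1022 instead of 2046. With only
! device-traffic-class=voice and no Tunnel-* attributes, the phone stays on
! the port's default voice VLAN 2046 (the critical voice VLAN).

! ISE authorization result for the PC behind the phone:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = <data pool VLAN name>       (no device-traffic-class)
! Effect: the PC lands in the data VLAN while the phone keeps the voice VLAN,
! because multi-auth host mode keeps the two sessions independent.

! Without "switchport voice vlan" on the port there is no voice VLAN for the
! voice-domain result to act on, matching the observation in the thread.
```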

Hi, yep, we have customers using 2046 for production voice traffic. I checked in with one them today - no issues observed. Cheers! Jerome

braugarc
Cisco Employee

As I understand your question, you are wondering why the phones are not being placed in the voice VLAN during normal behavior (when ISE is alive, up and running).

Let's recap the critical VLAN concept.

Critical VLAN was introduced to address the situation when the fabric edges are unable to reach the configured RADIUS servers due to some outage such as a WAN outage. During this outage, authentications are not possible for newly connecting endpoints. This feature creates a "fall back" VLAN so that endpoints can successfully onboard and receive some level of access.
SD-Access uses VLAN 2046 and VLAN 2047 for the critical voice VLAN and critical (data) VLAN, respectively.

With that said: you can enable two VLANs, one for voice and one for data, as critical VLANs for the situation when ISE is not reachable; new endpoint connections will be placed in the critical VLANs without authentication. It is recommended to use a limited-access VN for this behavior, but it is up to you.

For the normal behavior when ISE is up and running you don't need to configure the ports manually; you can use, and it is recommended to use, ISE to send the instruction to the edge devices as to which VLAN to place the endpoints in.

Follow the next instructions:
For data: you need to fill in the same VLAN name at DNAC and the ISE Authorization Profile.
For voice: you need to enable voice-domain permission at the ISE Authorization Profile.

See the attached images for reference.

Hi

You created a pool for the critical VLAN 2046 on the DNAC, so you just need to choose voice domain permission on the authZ policy on ISE and the phones will be on VLAN 2046 with the specified IP pool on DNAC, as VLAN 2046 is by default on the authentication template on the switch.

If I understand well what you said, if I want to choose a different dynamic VLAN than 2046, for example 1022 for phones, I can specify dynamic VLAN 1022 + voice domain permission on the authZ policy on ISE and the phones will get VLAN 1022?

Best regards
