I have an SDA fabric using closed mode authentication and I'm looking to set up a fabric site wide voice VLAN. I created a voice IP pool in the fabric and noticed that it's not set as the default voice VLAN on my fabric edge ports (the default voice VLAN is critical voice VLAN 2046, which is set under the default closed mode template). This means that I have to use host onboarding to set the voice VLAN on the fabric edge ports manually, which is not ideal (I have over 2000 voice ports to configure).
From what I can see I have a couple of options:
1) Set the voice IP pool to critical which results in an SVI being enabled on critical voice VLAN 2046
2) Use a DNAC template to change the voice VLAN under the fabric edge 'DefaultWiredDot1xClosedAuth' template to use the VLAN ID of a regular voice IP pool.
I have tested and both of the above seem to work OK. I've hunted and I can't find any documentation that suggests whether either of the above options is recommended or even supported. Has anyone set up anything similar before?
We've around 800 IP handsets, non Cisco, that are connected to Closed Auth FE ports. We're leveraging ISE to return the appropriate voice IP pool, depending on Fabric site, following authorisation of handset.
Hope this helps
What is the traffic type for the voice IP pool set to under the VN in your fabric, is it 'data' or 'voice'?
If the type is data then the above makes sense, as ISE can return the VLAN name to the FE during authorization. However, if it's set to type voice, which can only be used for setting 'switchport voice vlan' on the FE port, then it's my understanding that ISE can only return voice domain permission and not the VLAN name/ID. Based on this, the voice VLAN has to be set manually on the port, which is what I want to avoid.
Can you confirm the above in your setup?
I've just grabbed screenshots of both the IP Pool/VN and auth result settings. I can't insert them on my mobile for some reason however.
I can confirm that the voice type is set in the VN setup and in the auth result both Security Group and Voice Domain Permission are set.
Thank you for checking this. So far I have been testing this by setting the VLAN under the ISE authz profile and not the security group. I will test this.
Can you also confirm if your FE switchports have been configured with 'switchport voice vlan' or if they use the default config with the default closed auth template?
No problem, yes we're using the Closed Auth template.
We've a load of other types of FE connected things that sadly we have to manually set the port config via GUI then CLI but fortunately phones just worked
Quick and important distinction: IP phone can learn the voice VLAN over CDP or LLDP from SDA fabric switch, or not learn, it depends on the IP phone configuration.
If the IP phone does NOT learn the voice VLAN over CDP/LLDP, and/or if the IP phone does not set a VLAN tag on voice traffic, then the IP phone can be authenticated and authorized into any SDA IP pool by ISE. If there are multiple endpoints connected to an SDA C3K/C9K Edge Node port (e.g. phone + PC) then each endpoint can be authenticated and authorized into a different VLAN and SGT as per here, check scenario one -> https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/sec/b_173_sec_9300_cg/configuring_ieee_802_1x_port_based_authentication.html#concept_4399A67822B44467858A3DD4B5613E1A
If the IP phone IS setting the VLAN tag learned from CDP/LLDP, then it must be permitted access to the voice VLAN set on the switch port, since this will be the VLAN tag set by the IP phone. By default all Edge Node switch ports have a voice VLAN of 2046. It is perfectly valid and supported to permit IP phones into VLAN 2046, which is the critical voice VLAN.
Using template to change switch port voice VLAN configuration is not recommended as it could cause future conflict e.g. you change switch port voice VLAN to 123 with template, but then at some future time the automation could change it back to 2046.
Other option to change voice VLAN on all switch ports is to do it through host onboarding screen in SDA application on DNAC, but this is too manual in nature for some folks.
Final option MIGHT be to use API to change voice VLAN on Edge Node access ports, but this is not my area of expertise. If API is preferred path forward please advise and I'll ask an SME to jump in and share what is possible from API perspective.
I did some further testing with a Cisco IP phone that is configured to learn the voice VLAN from CDP. I configured my ISE authorisation profile to return my voice IP pool VLAN (set using either VLAN or Security Group) and voice domain permission. This places the IP phone on the voice VLAN and allows me to connect a PC to the IP phone's switchport, which is then authorised into a different IP pool/data VLAN. This accomplishes what I need and avoids the need to manually set the voice VLAN on the switchports.
I think that this is only made possible by the presence of the default voice vlan on the port that is set by the closed mode template (switchport voice vlan 2046). With this command present, ISE can override voice VLAN 2046 to whatever I set in the authorisation profile. If I remove the closed mode template, and the associated voice vlan command, then above does not work.
Looking into this further, it makes sense to me to make use of the default voice VLAN 2046, as this is also set as the critical voice VLAN in the event of an ISE failure.
@jedolphi - do you have any customers that are using the default/critical voice VLAN for when ISE is both available and not available? From my testing, I simply set my voice IP pool to type voice and critical and then set ISE to return only voice domain permission in my phone authorisation profile.
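Two checks come up in this thread that are worth scripting before rolling anything out to 2000 ports: whether a template or host onboarding has moved a port off the default voice VLAN 2046 (the conflict jedolphi warns about, since DNAC automation may put it back), and whether the `switchport voice vlan` line is present at all (the OP's observation that ISE can only override a voice VLAN that already exists on the port). The audit below is an added example and is not code from this thread, from Cisco DNA Center or from ISE. It parses a constructed `show running-config` excerpt; the interface names, the uplink and the overridden VLAN 123 are made-up sample data, and `access-session closed` is used as the marker for a port carrying the closed-mode template.

```python
import re
from typing import Dict, List, Optional

# Voice VLAN the DNAC closed-mode template places on every SDA edge port
# (the "critical voice VLAN" discussed in the thread).
CRITICAL_VOICE_VLAN = 2046

# Constructed sample of 'show running-config | section ^interface' output.
# Not captured from a real fabric edge: port names and VLAN 123 are invented.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 2046
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 123
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode access
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
!
interface TenGigabitEthernet1/1/1
 description fabric uplink
 no switchport
!
"""

IFACE_RE = re.compile(r"^interface (\S+)$")
VOICE_RE = re.compile(r"^switchport voice vlan (\d+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-XE running-config into {interface name: [stripped config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' terminates the interface block
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def voice_vlan_of(lines: List[str]) -> Optional[int]:
    """Return the configured voice VLAN ID, or None if the command is absent."""
    for line in lines:
        m = VOICE_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def classify_port(lines: List[str]) -> str:
    """Label one port by its voice VLAN state relative to the closed-mode template."""
    if "access-session closed" not in lines:
        return "not-closed-mode"      # uplink or a port without the template
    vlan = voice_vlan_of(lines)
    if vlan is None:
        return "voice-vlan-missing"   # nothing for an ISE authz result to override
    if vlan == CRITICAL_VOICE_VLAN:
        return "default-critical"     # untouched closed-mode template
    return "overridden"               # set by template/host onboarding; automation may revert it


def audit_voice_vlans(config: str) -> Dict[str, str]:
    """Map every interface in the config to its classification."""
    return {name: classify_port(lines) for name, lines in parse_interfaces(config).items()}


def summarize(config: str) -> Dict[str, int]:
    """Count ports per classification, handy for a 2000-port fabric."""
    counts: Dict[str, int] = {}
    for state in audit_voice_vlans(config).values():
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    for name, state in audit_voice_vlans(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name:28} {state}")
    print(summarize(SAMPLE_RUNNING_CONFIG))
```

Run it against the output of `show running-config | section ^interface` pulled from each fabric edge (for example via SSH with the library of your choice) and treat any `overridden` or `voice-vlan-missing` port as something to reconcile with what DNAC's host onboarding screen believes the port should be.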