5130 EI and 5140 EI - Voice Vlan

  • 1.  5130 EI and 5140 EI - Voice Vlan

    Posted Nov 28, 2023 06:42 AM

    Dear Experts, 

    I need to understand whether it is possible in CW7 to apply the Voice VLAN dynamically, or whether at some point we need to define it statically, like when telling the IP phone which VLAN to use for tagging the traffic.

    There are some commands that need to be defined statically on the port, like below:

    lldp tlv-enable dot1-tlv protocol-vlan-id

    lldp tlv-enable med-tlv network-policy 180

    So I don't see any benefit of sending the voice VLAN via RADIUS if we have to define it ultimately on the port as well?

  • 2.  RE: 5130 EI and 5140 EI - Voice Vlan

    Posted Nov 29, 2023 02:36 AM

    The solution depends on the way the phone is set up. We have 100% dynamic assignment of VLANs to all devices. Phones have PCs plugged into the back of them. The phone is configured so that both the PC and the phone's traffic are untagged. Therefore, when both MAC addresses hit a hybrid port, they are MAC-authenticated in the same way as two independent devices on an unmanaged switch.

    An example config below with the only static assignment being the vlan they drop into if they fail authentication.

    interface GigabitEthernet1/0/1
     undo enable snmp trap updown
     port link-type hybrid
     undo port hybrid vlan 1
     port hybrid vlan 31 untagged
     port hybrid pvid vlan 31
     mac-vlan enable
     stp edged-port
     poe enable
     undo dot1x handshake
     dot1x mandatory-domain
     dot1x max-user 80
     undo dot1x multicast-trigger
     dot1x re-authenticate
     dot1x auth-fail vlan 31
     dot1x critical vlan 31
     mac-authentication max-user 80
     mac-authentication domain mac_domain
     mac-authentication guest-vlan 31
     mac-authentication critical vlan 31
     undo mac-authentication offline-detect enable
     port-security port-mode userlogin-secure-or-mac-ext
     port-security mac-move bypass-vlan-check
     loopback-detection enable vlan 1 to 4094
     loopback-detection action shutdown
     dhcp snooping binding record
     dhcp snooping check request-message
     dhcp snooping check mac-address
     dhcp snooping information enable
     dhcp snooping information strategy keep

    Results in the following LLDP output:

    LLDP tlv-config of port 1[GigabitEthernet1/0/1]:
    LLDP agent nearest-bridge:
    NAME                              STATUS    DEFAULT
    Basic optional TLV:
     Port Description TLV             YES       YES
     System Name TLV                  YES       YES
     System Description TLV           YES       YES
     System Capabilities TLV          YES       YES
     Management Address TLV           YES       YES
    IEEE 802.1 extend TLV:
     Port VLAN ID TLV                 YES       YES
     Port And Protocol VLAN ID TLV    NO        NO
     VLAN Name TLV                    NO        NO
     DCBX TLV                         NO        NO
     EVB TLV                          NO        NO
     Link Aggregation TLV             YES       YES
     Management VID TLV               NO        NO
    IEEE 802.3 extend TLV:
     MAC-Physic TLV                   YES       YES
     Power via MDI TLV                YES       YES
     Maximum Frame Size TLV           YES       YES
     Link Aggregation TLV             NO        NO
    LLDP-MED extend TLV:
     Capabilities TLV                 YES       YES
     Network Policy TLV               YES       YES
     Location Identification TLV      NO        NO
     Extended Power via MDI TLV       YES       YES
     Inventory TLV                    YES       YES

    If the switch needs to know which VLAN to tag and which VLAN to untag on the edge port then I guess the LLDP-MED is required, or static assignment.
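
The design in reply 2 (a hybrid port with `mac-vlan enable` whose only static VLAN is the fallback VLAN) can be checked mechanically across many ports. The script below is an added example, not part of the original thread or any vendor tooling; `audit_port` and its finding strings are hypothetical, and the sample stanza is a trimmed, constructed copy of the posted config.

```python
import re

# Constructed sample: trimmed copy of the edge-port stanza posted in reply 2.
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 31 untagged
 port hybrid pvid vlan 31
 mac-vlan enable
 dot1x auth-fail vlan 31
 dot1x critical vlan 31
 mac-authentication guest-vlan 31
 mac-authentication critical vlan 31
"""

# Port commands from this thread that pin a VLAN ID statically.
STATIC_VLAN = re.compile(
    r"^(port hybrid vlan|port hybrid pvid vlan|dot1x auth-fail vlan|"
    r"dot1x critical vlan|mac-authentication guest-vlan|"
    r"mac-authentication critical vlan|"
    r"lldp tlv-enable med-tlv network-policy)\s+(\d+)"
)

def audit_port(stanza: str) -> dict:
    """Hypothetical helper: report static VLAN IDs and deviations from the design."""
    lines = [ln.strip() for ln in stanza.splitlines() if ln.strip()]
    static = {}
    for ln in lines:
        m = STATIC_VLAN.match(ln)  # "undo ..." lines never match the anchor
        if m:
            static[m.group(1)] = int(m.group(2))
    findings = []
    # Assumption taken from the posted config: hybrid link type plus mac-vlan.
    if "port link-type hybrid" not in lines:
        findings.append("port is not hybrid")
    if "mac-vlan enable" not in lines:
        findings.append("mac-vlan is not enabled")
    vlans = sorted(set(static.values()))
    if len(vlans) > 1:
        findings.append(f"more than one static VLAN ID: {vlans}")
    if any(cmd.startswith("lldp") for cmd in static):
        findings.append("static LLDP-MED network-policy VLAN on the port")
    return {"static_vlans": vlans, "findings": findings}

if __name__ == "__main__":
    print(audit_port(SAMPLE))
```

A port that also carries the `lldp tlv-enable med-tlv network-policy 180` line from the first post is reported with two findings, because the voice VLAN is then pinned on the port in addition to the fallback VLAN.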

  • 3.  RE: 5130 EI and 5140 EI - Voice Vlan

    Posted Nov 29, 2023 03:08 AM

    In my case the IP phone will be MAC authenticated, whereas the user will be authenticated through dot1x and the data VLAN will be assigned according to it. At the same time I want to assign the IP phone to a different VLAN; I don't really need tagging. I just need to assign the IP phone to its respective VLAN. Is it doable?

  • 4.  RE: 5130 EI and 5140 EI - Voice Vlan

    Posted Nov 29, 2023 03:14 AM

    Hi, yes, this is what we do. Any MAC address on the port can be MAC or 802.1X authenticated, so long as all frames hit the interface untagged.