One MAC Address of VoIP Phone in two different VLANs

  • 1.  One MAC Address of VoIP Phone in two different VLANs

    Posted Feb 29, 2024 04:10 PM

    Hi @all,

    We have a maybe strange problem with our new 6200f switches in regard to VoIP phones.

    I have configured two VLANs with ID 11 (Data) and 15 (Voice).

    A VoIP phone (Unify Desk Phone IP 55G) is connected on port 1/1/2. The port is secured with 802.1x with auth-mode multi-domain.

    802.1x is working fine.

    The IP phone gets its config for the Voice VLAN over LLDP-MED.

    LLDP-MED at the switch is also OK.

    But when I now look in the MAC address table, I see the MAC of the phone in VLAN 11 AND in VLAN 15.

    I'm a little bit confused, or is this normal behaviour?

    Best regards

    Patrick



  • 2.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Feb 29, 2024 05:03 PM

    What firmware version are you running on the switch? Also, if you leave it for a while (~30 min), will the MAC still show in VLAN 11?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 02:26 AM
    Edited by p.sauerwein Mar 01, 2024 02:30 AM

    We started with version 10.8 and saw the problem for the first time.

    Then we updated the switch to version 10.13.1000.

    The MAC is always visible.




  • 4.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 11:44 AM

    Can you run a port mirror on that port? I suspect this phone sends traffic in both the native and voice VLAN, which I would expect during the boot, but it may be that this device also sends it regularly for whatever reason. Do you have re-authentication for your MAC Authentication? If not, the authenticated MAC during boot may stay authenticated forever, and then what you see is expected.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 01:09 PM

    Reauth is configured with the default time of 3600 sec.

    I will try a port mirror and post the result when it's done.




  • 6.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 03:16 PM
    Edited by p.sauerwein Mar 01, 2024 03:20 PM

    After some mirror and Wireshark sessions I can confirm that the VoIP phone is sending untagged LLDP traffic to VLAN 11 every 30 sec.

    This is a capture in VLAN 11 filtered to the MAC address of the phone.

    I think this is why we see the MAC address also in VLAN 11.

    All other traffic comes with VLAN tag 15 in the Ethernet frame, like here in VLAN 15.
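
A sketch of the capture finding in post 6, as an added example that is not part of the original posts or any Aruba tooling: it classifies frames the way a MAC table would learn them (untagged into the port's untagged VLAN, 802.1Q-tagged into the tag's VID) and reports source MACs that land in more than one VLAN together with the EtherTypes responsible. The MAC addresses and frames are constructed, and learning from untagged LLDP frames is the thread's explanation, taken here as an assumption.

```python
import struct
from collections import defaultdict

NATIVE_VLAN = 11      # untagged data VLAN on the port (from the thread)
ETH_8021Q, ETH_LLDP, ETH_IPV4 = 0x8100, 0x88CC, 0x0800

def classify(frame, native_vlan=NATIVE_VLAN):
    """Return (src_mac, vlan, ethertype) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = native_vlan
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        vlan = vid if vid else native_vlan  # VID 0 is a priority tag only
    return src, vlan, ethertype

def mac_table(frames):
    """Map src MAC -> {vlan: sorted EtherTypes seen in that VLAN}."""
    learned = defaultdict(lambda: defaultdict(set))
    for frame in frames:
        src, vlan, ethertype = classify(frame)
        learned[src][vlan].add(ethertype)
    return {m: {v: sorted(e) for v, e in vl.items()} for m, vl in learned.items()}

def multi_vlan_macs(frames):
    """Only the MACs that would appear in more than one VLAN."""
    return {m: v for m, v in mac_table(frames).items() if len(v) > 1}

# Constructed sample: phone, PC behind the phone, LLDP multicast destination.
PHONE, PC = bytes.fromhex("020000000055"), bytes.fromhex("020000000011")
LLDP_DST, BCAST = bytes.fromhex("0180c200000e"), b"\xff" * 6

def eth(dst, src, ethertype, vid=None, pcp=0, payload=b"\x00" * 46):
    tag = b"" if vid is None else struct.pack("!HH", ETH_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

SAMPLE = [
    eth(LLDP_DST, PHONE, ETH_LLDP),              # untagged LLDP from the phone
    eth(BCAST, PHONE, ETH_IPV4, vid=15, pcp=5),  # voice traffic, tagged VLAN 15
    eth(BCAST, PC, ETH_IPV4),                    # PC behind the phone, untagged
]

if __name__ == "__main__":
    for mac, vlans in multi_vlan_macs(SAMPLE).items():
        for vlan, types in sorted(vlans.items()):
            print(mac, "VLAN", vlan, [hex(t) for t in types])
```

A MAC whose only EtherType in the untagged VLAN is 0x88cc matches the LLDP-only pattern seen in the capture; other EtherTypes there would mean the device is sending data untagged as well.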




  • 7.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 02, 2024 08:32 AM

    Hi, this makes sense. If the LLDP messages are not received by the switch for a period of time (maybe 120s) then it would default the VLAN/power assignment.
    With Comware switches I see the same MAC on every VLAN that is configured (at the end of a trunk port), so switches are fine with that being the case. It's good that you have confirmation of this being LLDP-MED in operation.





  • 8.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 03:06 AM

    First let me start by saying what you observe isn't always the case. We have Unify desk phones with a similar switch config and don't see that.

    I suspect the phone config is the cause but I'm not an expert on Unify. The LLDP info suggests it is configured to use tagged for its own comms. But I wonder if the dot1x conflicts with this and makes it untagged. My understanding is that a dot1x auth'd client will be untagged.

    show vlan port 1/1/2 confirms what is tagged and untagged but using the diag-tcpdump if available on that model would confirm what the phone is transmitting.

    Over the years using LLDP-MED seemed problematic for us so our phones are set to use untagged and LLDP-MED is disabled. Then phone comms and the device plugged into the phone use the hybrid mode just like a mini switch would. Not the right answer for everyone but for us it excluded a protocol that seemed to work a little differently with each OS that HPE bought out.




  • 9.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 04:13 AM

    I also think that this is an LLDP-MED problem.

    We configured another IP phone without LLDP-MED and with a fixed VLAN ID 15, and here we see only one MAC in the VLANs.

    Below is the output of show vlan port 1/1/2




  • 10.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 10:18 AM

    Is it possible that there is a device plugged in to the secondary network port on the phone that would have a different VLAN?




  • 11.  RE: One MAC Address of VoIP Phone in two different VLANs

    Posted Mar 01, 2024 01:04 PM

    When I connect a device to the second port, it works perfectly in VLAN 11.

    The phone is also working. But it is in two VLANs.