
Aruba Employee

AOS-Switch and Cisco IP Phones PoC - Testing CDP, Voice VLAN, QoS, and 802.1X

Hello Airheads community


I had the opportunity to work on a PoC to demonstrate that Aruba AOS-Switches fully support a Cisco telephony solution; here are the 5 tasks requested by the end customer and the results achieved (below).


I also attached the PoC-guide.pdf to this post that shows configurations made in 2930F Switch, Clearpass and CUCM, debugs, show commands, and Access Tracker.




                                              Image 1


Task No 1: Turn on Cisco phone 7960. These Cisco phones are very old (they are currently EoS/EoL) and have the singularity of supporting the Cisco pre-standard PoE and CDP (they do not support standard PoE, nor LLDP).


Result: Aruba 2930F was able to turn on the Cisco Phone 7960, assign the voice VLAN via CDP (Image 2).

Aruba switches support this type of phone by entering two commands:

2930F-8(config)# cdp mode pre-standard-voice

2930F-8(config)# power-over-ethernet pre-std-detect ports 1-8


                                           Image 2


Task No 2: Register Cisco Phone 7960 (SCCP) and Cisco Phone 7821 (SIP) phones to CUCM.


Result: Both phones were able to connect and register to CUCM (Image 3).

Configuring voice VLANs separates voice traffic from data traffic. You must configure the port as a tagged member of the voice VLAN.

2930F-8(config)# vlan 50
2930F-8(vlan-50)# name "Voice"
2930F-8(vlan-50)# tagged 1
2930F-8(vlan-50)# ip address
2930F-8(vlan-50)# voice
2930F-8(vlan-50)# dhcp-server
2930F-8(vlan-50)# exit


Per Cisco requirements, you may need to enable DHCP Option 150 so that in the DHCP broadcasts, phones see a list of all TFTP (CUCM) servers that are connected to the network.

2930F-8(config)#dhcp-server pool "VOICE"
2930F-8(VOICE)#default-router ""
2930F-8(VOICE)#dns-server ""
2930F-8(VOICE)#option 150 ip ""


                                          Image 3


Task No 3: Authenticate old phones that don't include a Manufacturing Installed Certificate (MIC), such as the 7960, via the MAC-AUTH process, and authenticate the most recent phones, such as the 7821, via EAP-TLS using the MIC.


Result: Both phones were authenticated (Image 5). 

Import Cisco Root certificates to Clearpass in order to execute 802.1X EAP-TLS Authentication Method. 


                                           Image 4


Phones were authenticated via MAC-AUTH (7960) and 802.1X EAP-TLS (7821) and received the VOICE-ROLE: 


                                           Image 5


Task No 4: Assign differentiated network access policies: restrictive access policy to Cisco IP Phones (VOICE-ROLE) and unrestricted access to employees (EMPLOYEE-ROLE).


Result: Phones and end users were authenticated, and differentiated network access policies were assigned using roles on the 2930F switch (Image 6).


                                                Image 6


Task No 5: Clear the session when the device (PC) is disconnected from the phone's switch port.


Result: If the device unplugs from behind the phone, the switch cannot rely on link state to know when to clear the session. Proxy EAPoL-Logoff enables the phone to transmit an EAPoL-Logoff message on behalf of the data device when the phone detects that an 802.1X device has unplugged from behind the phone. AOS-Switch processed the EAPoL-Logoff message and cleared the session (Image 7).



                                                 Image 7


Task No 6: Assign QoS to voice traffic: tag RTP packets.


Result: Packet capture showed RTP packets tagged with CoS 5 and DSCP 46 (Image 8).


                                                          Image 8
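
The Task No 6 check, as an added example that is not part of the original post: a Python parser that reads the 802.1Q tag and the IPv4 ToS byte of a captured frame and reports whether it carries VLAN 50, CoS 5 and DSCP 46. The sample frames, the MAC and IP addresses, the UDP ports and the function names are constructed for illustration.

```python
import struct

VOICE_VLAN, VOICE_COS, VOICE_DSCP = 50, 5, 46  # values reported in the post


def parse_marking(frame: bytes) -> dict:
    """Return VLAN ID, 802.1p CoS and DSCP of one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"vlan": None, "cos": None, "dscp": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == 0x8100:  # 802.1Q tag: 3-bit PCP, 1-bit DEI, 12-bit VID
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["cos"], info["vlan"] = tci >> 13, tci & 0x0FFF
        offset = 18
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        info["dscp"] = frame[offset + 1] >> 2  # DSCP is the upper 6 bits of ToS
    return info


def voice_marking_problems(frame: bytes) -> list:
    """List every way the frame deviates from the expected voice marking."""
    got = parse_marking(frame)
    want = {"vlan": VOICE_VLAN, "cos": VOICE_COS, "dscp": VOICE_DSCP}
    return [f"{k}: expected {want[k]}, got {got[k]}" for k in want if got[k] != want[k]]


def build_frame(tci, tos: int) -> bytes:
    """Constructed sample: Ethernet [+ 802.1Q] + IPv4 + UDP + RTP header."""
    macs = bytes.fromhex("020000000001020000000002")  # locally administered MACs
    tag = b"" if tci is None else struct.pack("!HH", 0x8100, tci)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 17, 0,
                     bytes([10, 0, 50, 10]), bytes([10, 0, 50, 20]))
    udp = struct.pack("!HHHH", 16384, 16386, 20, 0)
    rtp = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234)  # RTP version 2
    return macs + tag + struct.pack("!H", 0x0800) + ip + udp + rtp


GOOD = build_frame((5 << 13) | 50, 46 << 2)  # tagged VLAN 50, CoS 5, DSCP 46
BAD = build_frame(None, 0)                   # untagged, best-effort DSCP

if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, parse_marking(frame), voice_marking_problems(frame) or "ok")
```

An untagged frame reports `vlan` and `cos` as `None`, so a phone that fell back to the untagged VLAN shows up as a marking problem rather than being skipped.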





Aruba Employee

Re: AOS-Switch and Cisco IP Phones PoC - Testing CDP, Voice VLAN, QoS, and 802.1X

Version 16.08.0005


802.1X CR_0000250258 Symptom: User role changes to mac-auth initial role even though the user is not reachable. Scenario: When authenticating a user through 802.1X, if auth-order and auth-priority are configured as authenticator mac-based, the user role changes to mac-auth initial role even after disconnecting the user.
