How to configure VoIP VLAN with tunneled-node ports on MAS
This article explains how to configure the VoIP VLAN in a tunneled-node setup with a MAS and a controller.
When the switch port is a tunneled port, all traffic from the IP phone and the user is tunneled to the controller, so LLDP-MED and the voip-profile are not active on that port. Traffic from both the IP phone and the user is untagged. The roles assigned to the IP phone and the data user on the controller define the VLAN assigned to each of them.
On many occasions, network administrators do not want the IP phone to go through authentication. To achieve this:
Apply a switching-profile on the tunneled-node port so that the port has untagged membership of the data VLAN. On the wired AAA profile, apply a user-derivation-rule so that phone traffic (matching the OUI) gets the voice VLAN.
For instance, let the data VLAN be 65 and the VoIP VLAN be 250. We want data users to be authenticated via captive portal and phone traffic to be placed in VLAN 250:
On S3500:
interface-profile switching-profile "tn-profile"
interface gigabitethernet "5/0/2"
On Controller:
access-list session logon-control
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6
ip access-list session ACL_For_Phone
any any any permit
access-list session ACL_For_Data
access-list session ACL_For_Phone
aaa authentication captive-portal "TNCP"
aaa server-group "TNGRP"
aaa derivation-rules user TNUDR
set role condition macaddr starts-with "00:1b:54" set-value TNPhone
aaa profile "TNAAA"
aaa authentication wired
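The derivation rule above gives the phone role to any device whose MAC address starts with the configured OUI, without authentication, so it is worth checking what that role's ACL permits. The following Python audit is an added example, not part of the original article or of any Aruba tool. It reads a controller configuration and reports every MAC-derived role whose session ACL is a permit-all. The sample configuration is constructed, and its user-role stanzas, indentation and ACL_For_Data rule are assumptions.

```python
import re

# Constructed sample shaped like the controller configuration above. The
# user-role stanzas, indentation and ACL_For_Data rule are assumptions.
SAMPLE_CONFIG = '''\
ip access-list session ACL_For_Phone
 any any any permit
ip access-list session ACL_For_Data
 user any svc-http permit
user-role TNPhone
 vlan 250
 access-list session ACL_For_Phone
user-role TNData
 vlan 65
 access-list session ACL_For_Data
aaa derivation-rules user TNUDR
 set role condition macaddr starts-with "00:1b:54" set-value TNPhone
'''

RULE_RE = re.compile(
    r'set role condition macaddr \S+ "?([^"\s]+)"? set-value "?([^"\s]+)"?')
PERMIT_ALL = ["any", "any", "any", "permit"]

def parse_stanzas(text):
    """Group indented child lines under the unindented line that precedes them."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():
            current = line.strip()
            stanzas.setdefault(current, [])
        elif line.strip() and current:
            stanzas[current].append(line.strip())
    return stanzas

def audit_mac_derived_roles(text):
    """Return (rule set, MAC prefix, role, ACL) for MAC-derived roles with a permit-all ACL."""
    stanzas, findings = parse_stanzas(text), []
    for header, body in stanzas.items():
        if not header.startswith("aaa derivation-rules user "):
            continue
        for m in filter(None, map(RULE_RE.match, body)):
            prefix, role = m.groups()
            for role_line in stanzas.get(f"user-role {role}", []):
                if role_line.startswith("access-list session "):
                    acl = role_line.split()[-1]
                    rules = stanzas.get(f"ip access-list session {acl}", [])
                    if any(r.split() == PERMIT_ALL for r in rules):
                        findings.append((header.split()[-1], prefix, role, acl))
    return findings
```

An empty result means no role handed out by a MAC match is attached to a permit-all session ACL in the configuration that was checked.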