Critical Voice VLAN Support

Critical Voice VLAN Support

Last Updated: July 17, 2012

Critical Voice VLAN Support puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.

With normal network connectivity, when an IP phone successfully authenticates on a port, the authentication server puts the phone into the voice domain. If the authentication server becomes unreachable, IP phones cannot authenticate. In multidomain authentication (MDA) mode or multiauthentication mode, you can configure the Critical Voice VLAN support feature to put phone traffic into the configured voice VLAN of the port.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Critical Voice VLAN Support

  • Use different VLANs for voice and data.
  • The voice VLAN must be configured on the switch.
  • ACLs are not supported on fixed Cisco Integrated Services Routers (ISRs).
  • This feature does not support standard ACLs on the switch port.

Information About Critical Voice VLAN Support

Critical Voice VLAN Support in Multidomain Authentication Mode

If critical voice VLAN is deployed using the interface in MDA mode, the host mode will be changed to multihost and the first phone device will be installed as a static forwarding entry. Any additional phone devices will install a dynamic forwarding entry in the PM HAT table.

For further information about host modes, see the "IEEE 802.1X Host Mode" section in the "Configuring IEEE 802.1X Port-Based Authentication" chapter.

Note


If the port is already authorized and reauthentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.

Note


Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on a 802.1X port, the features interact as follows: if all the RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.

Critical Voice VLAN Support in Multiauthentication Mode

If the critical authentication feature is deployed in multiauthentication mode, only one phone device will be allowed and a second phone trying to authorize will trigger a violation.

The show authentication sessions CLI will display the critical voice client data. A critically authorized voice client in multiauthentication host mode will be in the "authz success" and "authc fail" state.


Note


If critical voice is required, then critical data should be configured too. Otherwise, the critical voice client will be displayed in the "authz fail" state while the voice VLAN will be open.

How to Configure Critical Voice VLAN Support

Configuring Critical Voice VLAN Support in Multidomain Authentication Mode

Perform this task on a port to configure critical voice VLAN support in multidomain authentication (MDA) mode.

Note


To configure MDA mode, see the "Configuring the Host Mode" section of the "Configuring IEEE 802.1X Port-Based Authentication" chapter.
SUMMARY STEPS

1.    enable

2.    configure terminal

3.   interface type slot/port

4.   authentication event server dead action authorize vlan vlan-id

5.   authentication event server dead action authorize voice


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Switch> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Switch# configure terminal

 

Enters global configuration mode.

 
Step 3
interface type slot/port


Example:

Switch(config)# interface gigabitethernet 0/1

 
Specifies the port to be configured and enters interface configuration mode.  
Step 4
authentication event server dead action authorize vlan vlan-id


Example:

Switch(config-if)# authentication event server dead action authorize vlan 40

 
Configures a critical data VLAN.
Note   This step is only required if the authentication event server dead action authorize vlan vlan-id command is not configured on the port.
 
Step 5
authentication event server dead action authorize voice


Example:

Switch(config-if)# authentication event server dead action authorize voice

 
Enables the Critical Voice VLAN feature, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.  

Configuring Critical Voice VLAN Support in Multiauthentication Mode

Perform this task to configure critical voice VLAN support in multiauthentication mode.

Note


To configure multiauthentication mode, see the "Configuring the Host Mode" section of the "Configuring IEEE 802.1X Port-Based Authentication" chapter.
SUMMARY STEPS

1.    enable

2.    configure terminal

3.   interface type slot/port

4.   authentication event server dead action reinitialize vlan vlan-id

5.   authentication event server dead action authorize voice


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Switch> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Switch# configure terminal

 

Enters global configuration mode.

 
Step 3
interface type slot/port


Example:

Switch(config)# interface gigabitethernet 0/1

 
Specifies the port to be configured and enters interface configuration mode.  
Step 4
authentication event server dead action reinitialize vlan vlan-id


Example:

Switch(config-if)# authentication event server dead action reinitialize vlan 40

 
Configures a critical data VLAN.
Note   This step is only required if the authentication event server dead action authorize vlan critical-data-vlan-id command is not configured on the port.
 
Step 5
authentication event server dead action authorize voice


Example:

Switch(config-if)# authentication event server dead action authorize voice

 
Enables the Critical Voice VLAN support feature, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.  

Configuration Examples for Critical Voice VLAN Support

Example: Critical Voice VLAN Support in Multidomain Authentication Mode

The following example shows how to enable the Critical Voice VLAN feature in MDA host-mode:

Switch(config) interface GigabitEthernet 0/0/0
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 110
Switch(config-if)# no ip address
Switch(config-if)# authentication event server dead action authorize vlan 12
Switch(config-if)# authentication event server dead action authorize voice
Switch(config-if)# authentication host-mode multi-domain
Switch(config-if)# authentication port-control auto
Switch(config-if)# mab
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# end

Example: Critical Voice VLAN Support in Multiauthentication Mode

The following example shows how to enable the Critical Voice VLAN support feature in multiauthentication mode:

Switch(config) interface GigabitEthernet 0/0/0
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 110
Switch(config-if)# no ip address
Switch(config-if)# authentication event server dead action reinitialize vlan 12
Switch(config-if)# authentication event server dead action authorize voice
Switch(config-if)# authentication host-mode multi-auth
Switch(config-if)# authentication port-control auto
Switch(config-if)# mab
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# end

Additional References

Related Documents

Related Topic Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

IEEE 802.1X commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

  • Catalyst 4500 Series Switch Cisco IOS Command Reference, Release 12.2(25)SGA
  • Catalyst 3750 Switch Command Reference, Cisco IOS Release 12.2(25)SEE

Standards and RFCs

Standard/RFC Title
IEEE 802.1X

Port Based Network Access Control

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Critical Voice VLAN Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1Feature Information for Critical Voice VLAN Support
Feature Name Releases Feature Information

Critical Voice VLAN Support

15.2(2)T

This feature enables critical voice VLAN support, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable.

Critical VLAN with Multi-auth

15.2(2)T

This feature adds support for the Critical Voice VLAN feature in multiauthentication mode.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.