Critical Voice VLAN Support

The Critical Voice VLAN Support feature directs phone traffic to the configured voice VLAN of a port if the authentication server becomes unreachable.

With normal network connectivity, when an IP phone successfully authenticates on a port, the authentication server directs the phone traffic to the voice domain of the port. If the authentication server becomes unreachable, IP phones cannot authenticate the phone traffic. In multidomain authentication (MDA) mode or multiauthentication mode, you can configure the Critical Voice VLAN Support feature to direct phone traffic to the configured voice VLAN of the port. The phone is authorized as an unknown domain. Both data and voice are enabled for the phone.

Restrictions for Critical Voice VLAN Support

  • Different VLANs must be configured for voice and data.

  • The voice VLAN must be configured on a device.

  • The Critical Voice VLAN Support feature does not support standard Access Control Lists (ACLs) on the switch port.

Information About Critical Voice VLAN Support

Critical Voice VLAN Support in Multidomain Authentication Mode

If a critical voice VLAN is deployed using an interface in multidomain authentication (MDA) mode, the host mode is changed to multihost and the first phone device is installed as a static forwarding entry. Any additional phone devices are installed as dynamic forwarding entries in the Host Access Table (HAT).

Note

  • If a critical port is already authorized and reauthentication occurs, the switch puts the port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.

  • Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on a 802.1X port, the features interact as follows: if all RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.


Critical Voice VLAN Support in Multiauthentication Mode

If the critical authentication feature is deployed in multiauthentication mode, only one phone device will be allowed and a second phone trying to authorize will trigger a violation.

The show authentication sessions command displays the critical voice client data. A critically authorized voice client in multiauthentication host mode will be in the “authz success” and “authz fail” state.

Note

If critical voice is required, then critical data should be configured too. Otherwise, the critical voice client will be displayed in the “authz fail” state while the voice VLAN will be open.


Critical Voice VLAN Support in a Service Template

On enterprise Edge (eEdge) devices, the critical access of phones is configured by activating a critical service template when the authentication server becomes unreachable. The voice feature plug-in registers with the Enterprise Policy Manager (EPM) by using an authentication, authorization, and accounting (AAA) voice attribute, and it allows unconditional access to the voice VLAN while the AAA services are unavailable.

To enable critical voice VLAN support, the critical authentication of phones must be configured using a combination of control policy rules and a service template.

When the authentication server is unavailable and the host is unauthorized, the AAA attribute device-traffic-type is not populated. The phone is authorized as an unknown domain, and both the data and voice VLAN are enabled for this device, allowing the device to handle voice traffic.

How to Configure Critical Voice VLAN Support

Configuring a Critical Voice VLAN in a Service Template

Perform this task on a port to configure critical voice VLAN support using a service template.

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

service-template template-name

Example:

Device(config)# service-template CRITICAL-DATA

Defines a template that contains a set of service policy attributes to apply to subscriber sessions and enters service template configuration mode.

Step 4

vlan vlan-id

Example:

Device(config-service-template)# vlan 116

Assigns a VLAN to a subscriber session.

Step 5

exit

Example:

Device(config-service-template)# exit

Exits service template configuration mode and returns to global configuration mode.

Step 6

service-template template-name

Example:

Device(config)# service-template CRITICAL-VOICE

Defines a template that contains a set of service policy attributes to apply to subscriber sessions and enters service template configuration mode.

Step 7

voice vlan

Example:

Device(config-service-template)# voice vlan

Assigns a critical voice VLAN to a subscriber session.

Step 8

exit

Example:

Device(config-service-template)# exit

Exits service template configuration mode and returns to global configuration mode.

Step 9

class-map type control subscriber {match-all | match-any | match-none} control-class-name

Example:

Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST

Creates a control class, which defines the conditions under which the actions of a control policy are executed and enters control class-map filter configuration mode.

Step 10

match result-type [method {dot1x | mab | webauth}] result-type

Example:

Device(config-filter-control-classmap)# match result-type aaa-timeout

Creates a condition that returns true based on the specified authentication result.

Step 11

match authorization-status {authorized | unauthorized}

Example:

Device(config-filter-control-classmap)# match authorization-status unauthorized

Creates a condition that returns true based on the authorization status of a session.

Step 12

exit

Example:

Device(config-filter-control-classmap)# exit

Exits control class-map filter configuration mode and returns to global configuration mode.

Step 13

class-map type control subscriber {match-all | match-any | match-none} control-class-name

Example:

Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST

Creates a control class, which defines the conditions under which the actions of a control policy are executed and enters control class-map filter configuration mode.

Step 14

match result-type [method {dot1x | mab | webauth}] result-type

Example:

Device(config-filter-control-classmap)# match result-type aaa-timeout

Creates a condition that returns true based on the specified authentication result.

Step 15

match authorization-status {authorized | unauthorized}

Example:

Device(config-filter-control-classmap)# match authorization-status authorized

Creates a condition that returns true based on the authorization status of a session.

Step 16

end

Example:

Device(config-filter-control-classmap)# end

Exits control class-map filter configuration mode and returns to privileged EXEC mode.

Activating Critical Voice VLAN

Perform the following task to activate a critical voice VLAN that is configured on a service template.

Procedure

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

policy-map type control subscriber control-policy-name

Example:

Device(config)# policy-map type control subscriber cisco-subscriber

Defines a control policy for subscriber sessions and enters control policy-map event configuration mode.

Step 4

event authentication-failure [ match-all | match-first]

Example:

Device(config-event-control-policymap)# event authentication-failure match-first

Specifies the type of event that triggers actions in a control policy if all authentication events are a match and enters control policy-map class configuration mode.

Step 5

priority-number class { control-class-name | always} [do-all | do-until-failure | do-until-success]

Example:

Device(config-class-control-policymap)# 10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure

Specifies that the control class should execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode.

Step 6

action-number activate { policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}

Example:

Device(config-action-control-policymap)# 10 activate service-template CRITICAL-DATA

Activates a control policy associated with the VLAN on a subscriber session.

Step 7

action-number activate { policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}

Example:

Device(config-action-control-policymap)# 20 activate service-template CRITICAL-VOICE

Activates a control policy associated with the voice VLAN on a subscriber session.

Step 8

action-number authorize

Example:

Device(config-action-control-policymap)# 30 authorize

Initiates the authorization of a subscriber session.

Step 9

action-number pause reauthentication

Example:

Device(config-action-control-policymap)# 40 pause reauthentication

Pauses the reauthentication process after an authentication failure.

Step 10

exit

Example:

Device(config-action-control-policymap)# exit

Exits control policy-map action configuration mode and enters control policy-map class configuration mode.

Step 11

priority-number class { control-class-name | always} [do-all | do-until-failure | do-until-success]

Example:

Device(config-class-control-policymap)# 20 class AAA-SVR-DOWN-AUTHD-HOST

Specifies that the control class should execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode.

Step 12

action-number pause reauthentication

Example:

Device(config-action-control-policymap)# 10 pause reauthentication

Pauses the reauthentication process after an authentication failure.

Step 13

end

Example:

Device(config-action-control-policymap)# end

Exits control policy-map action configuration mode and enters privileged EXEC mode.

Configuration Examples for Critical Voice VLAN Support

Example: Configuring a Voice VLAN in a Service Template

Device> enable
Device# configure terminal
Device(config)# service-template CRITICAL-DATA
Device(config-service-template)# vlan 116
Device(config-service-template)# exit
Device(config)# service-template CRITICAL-VOICE
Device(config-service-template)# voice vlan
Device(config-service-template)# exit
Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST
Device(config-filter-control-classmap)# match result-type aaa-timeout
Device(config-filter-control-classmap)# match authorization-status unauthorized
Device(config-filter-control-classmap)# exit
Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
Device(config-filter-control-classmap)# match result-type aaa-timeout
Device(config-filter-control-classmap)# match authorization-status authorized
Device(config-filter-control-classmap)# end

Example: Activating a Critical Voice VLAN on a Service Template

Device> enable
Device# configure terminal
Device(config)# policy-map type control subscriber cisco-subscriber
Device(config-event-control-policymap)# event authentication-failure match-first
Device(config-class-control-policymap)# 10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
Device(config-action-control-policymap)# 10 activate service-template CRITICAL-DATA
Device(config-action-control-policymap)# 20 activate service-template CRITICAL-VOICE
Device(config-action-control-policymap)# 30 authorize
Device(config-action-control-policymap)# 40 pause reauthentication
Device(config-action-control-policymap)# exit
Device(config-class-control-policymap)# 20 class AAA-SVR-DOWN-AUTHD-HOST
Device(config-action-control-policymap)# 10 pause reauthentication
Device(config-action-control-policymap)# end
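
As an added example (not part of this Cisco document), the following Python linter reads a running-config snippet containing the service templates and control policy shown above and flags two misconfigurations this module warns about: an action number reused inside a class, and a critical voice template activated without a critical data template. The sample configuration is constructed, and the assumption that a reused action number keeps only the later action is the example's own, not a statement from the page.

```python
import re

# Constructed sample (not from the page): the service templates and control policy
# above, merged as one running-config snippet, with action number 10 planted twice.
SAMPLE_CONFIG = """\
service-template CRITICAL-DATA
 vlan 116
service-template CRITICAL-VOICE
 voice vlan
policy-map type control subscriber cisco-subscriber
 event authentication-failure match-first
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template CRITICAL-DATA
   10 activate service-template CRITICAL-VOICE
   30 authorize
"""
ACTIVATE = re.compile(r"activate service-template (\S+)")

def lint_critical_voice(config):
    """Return findings for a critical voice VLAN control policy; [] means clean."""
    findings, templates, actions, ctx = [], {}, {}, None
    for raw in config.splitlines():
        line, indented = raw.strip(), raw.startswith(" ")
        if not line:
            continue
        if m := re.match(r"^service-template (\S+)$", line):
            ctx, templates[m[1]] = ("template", m[1]), set()
        elif m := re.match(r"^\d+ class (\S+)", line):
            ctx, actions[m[1]] = ("class", m[1]), {}
        elif not indented:                  # any other top-level stanza
            ctx = None
        elif ctx and ctx[0] == "template":
            templates[ctx[1]].add(line.split()[0])   # "vlan" or "voice"
        elif ctx and ctx[0] == "class" and (m := re.match(r"^(\d+) (.+)$", line)):
            num, text, acts = int(m[1]), m[2], actions[ctx[1]]
            if num in acts:    # assumed: one action per number, the later line wins
                findings.append(f"class {ctx[1]}: action {num} reused, "
                                f"'{text}' replaces '{acts[num]}'")
            acts[num] = text
            if (t := ACTIVATE.match(text)) and t[1] not in templates:
                findings.append(f"class {ctx[1]}: template {t[1]} is not defined")
    # Note above: critical voice without critical data leaves the client "authz fail".
    for cls, acts in actions.items():
        attrs = set()
        for text in acts.values():
            if t := ACTIVATE.match(text):
                attrs |= templates.get(t[1], set())
        if "voice" in attrs and "vlan" not in attrs:
            findings.append(f"class {cls}: critical voice activated without critical data")
    return findings
```

Run against SAMPLE_CONFIG the linter reports the reused number and, because the overwrite dropped CRITICAL-DATA, the missing critical data template as well; renumbering the voice activation to 20 clears both.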

Feature History for Critical Voice VLAN Support

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Table 1. Feature History for Critical Voice VLAN Support

Release: Cisco IOS XE Everest 16.5.1a
Feature Name: Critical Voice VLAN Support
Feature Information: This feature enables critical voice VLAN support, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable. Support for this feature was introduced only on the C9500-12Q, C9500-16X, C9500-24Q, and C9500-40X models of the Cisco Catalyst 9500 Series Switches.

Release: Cisco IOS XE Fuji 16.8.1a
Feature Name: Critical Voice VLAN Support
Feature Information: Support for this feature was introduced only on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

Release: Cisco IOS XE Cupertino 17.7.1
Feature Name: Critical Voice VLAN Support
Feature Information: This feature was implemented on the C9500X-28C8D model.

Release: Cisco IOS XE Dublin 17.10.1b
Feature Name: Critical Voice VLAN Support
Feature Information: This feature was implemented on the C9500X-60L4D model.

Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com.