Configuring Security, Quality, and Network Features

This chapter describes how to configure security, voice quality, and optional network features for the phone:

Setting Security Features

The security features ensure that calls are secure and authenticated.

Configuring Domain and Internet Settings

Configuring Restricted Access Domains

If you enter domains, the Cisco IP phones respond to SIP messages only from the identified servers.

To configure restricted access domains, navigate to Admin Login > advanced > Voice > System. Under System Configuration in the Restricted Access Domains field. Enter fully-qualified domain names (FQDNs) for each SIP server you want the phone to respond to. Separate FQDNs with semicolons. For example, voiceip.com;voiceip1.com.

Configuring DHCP, Static IP, or PPPoE Connection Type

You can set the connection type to one of the following:

  • Dynamic Host Configuration Protocol (DHCP) receives an IP address from the network DHCP server. Cisco SPA IP phones typically operate in a network where a DHCP server assigns the devices their IP addresses. Because IP addresses are a limited resource, the DHCP server periodically renews the device lease on the IP address. If a phone loses its IP address for any reason, or if some other device on the network is assigned its IP address, the communication between the SIP proxy and the phone is either severed or degraded. Whenever an expected SIP response is not received within a programmable amount of time after the corresponding SIP command is sent, the DHCP Timeout on Renewal parameter causes the device to request a renewal of its IP address. If the DHCP server returns the IP address that it originally assigned to the phone, the DHCP assignment is presumed to be operating correctly. Otherwise, the phone resets to try to fix the issue.
  • Static IP—A static IP address for the phone.
  • PPPoE—Point-to-Point Protocol over Ethernet (PPPoE) connects users on an Ethernet network to the Internet through a common broadband medium, such as DSL line, wireless device, or cable modem. All users on an Ethernet share a common connection, so the Ethernet principles supporting multiple users in a LAN combine with the principles of PPP that apply to serial connections.

To set the connection type, navigate to Admin Login > advanced > Voice > System. Under Internet Connection Type choose the Connection Type:

  • Dynamic Host Configuration Protocol (DHCP)
  • Static IP, and configure the following:

Static IP Address of the phone.

Netmask of the phone.

Gateway IP address

If you are configuring a Cisco SPA525G or Cisco SPA525G2, also configure:

LAN MTU—LAN Maximum Transmission Unit size. Default value: 1500.

Duplex Mode—Choose the speed/duplex for the phone Ethernet ports: Auto, 10MBps/Duplex, 10MBps/Half, 100Mbps/Duplex, 100MBps/Half

  • PPPoE (PPPoE is only available on the Cisco SPA525G or Cisco SPA525G2), and configure the following:

PPPoE Login Name—The account name assigned by the ISP for connecting on a PPPoE link.

PPPoE Login Password—The password assigned by the ISP.

PPPoE Service Name—The service name assigned by the ISP.

The Cisco SPA301 or Cisco SPA501G can be configured by using the IVR. See Using IVR on IP Phones Without Screens.

Configuring Power Settings

The Power-over-Ethernet (PoE) requirements requested of a PoE switch by the phone can be Normal (default) or Maximum.

When one or more attendant consoles are attached to the phone, use Maximum to advertise to a PoE switch that the phone might consume up to 12 W.
When no attendant consoles are attached, use Normal to advertise a required power budget of 6.5 Watts.

To configure the (PoE) requirements, navigate to Admin Login > advanced >
Voice > System. Under Power Setting select Normal or Maximum.

DHCP Option Support

The table shows the DHCP options supported on SPA IP phones:

 

Network Standard

DHCP option 1

Subnet mask

DHCP option 2

Time Offset

DHCP option 3

Router

DHCP option 6

Domain name server

DHCP option 15

Domain name

DHCP option 41

IP address lease time

DHCP option 42

NTP Server

DHCP option 43

Vendor Specific Information

DHCP option 60

Vendor class identifier

DHCP option 66

TFTP server name

DHCP option 125

Vendor-Identifying Vendor-Specific Information

DHCP option 150

TFTP server

DHCP option 158

 

DHCP option 159

 

DHCP option 160

 

Challenging SIP Initial INVITE and MWI Messages

The SIP INVITE (initial) and Message Waiting Indication (MWI) messages in a session can be challenged by the endpoint. The challenge restricts the SIP servers that are permitted to interact with the devices on a service provider network. This significantly increases the security of the VoIP network by preventing malicious attacks against the device.

To configure SIP INVITE challenge, navigate to Admin Login > advanced > Voice > Ext_n. Under SIP Settings in the Auth INVITE field, choose yes.

Encrypting Signaling with SIP Over TLS

Transport Layer Security (TLS) is a standard protocol for securing and authenticating communications over the Internet. SIP Over TLS encrypts the SIP messages between the service provider SIP proxy and the end user. SIP Over TLS encrypts only the signaling messages, not the media. A protocol such as Secure Real-Time Transport Protocol (SRTP) can be used to encrypt voice packets (see Securing Voice Traffic with SRTP).

TLS has two layers:

  • TLS Record Protocol--layered on a reliable transport protocol, such as SIP or TCH, it ensures that the connection is private by using symmetric data encryption and it ensures that the connection is reliable.
  • TLS Handshake Protocol--authenticates the server and client, and negotiates the encryption algorithm and cryptographic keys before the application protocol transmits or receives data.

Cisco SPA IP phones use UDP as a standard for SIP transport, but they also support SIP over TLS for added security.

To enable TLS for the phone, navigate to Admin Login > advanced > Voice > Ext_n. Under SIP Settings, select TLS from the SIP Transport list.

Securing Voice Traffic with SRTP

Secure Real-Time Transport Protocol (SRTP) is a secure protocol for transporting real-time data over networks. It provides media encryption to ensure that media streams between devices are secure and that only the intended devices receive and read the data. Cisco SPA IP phones use SRTP to securely send and receive voice traffic to and from phones and gateways that support SRTP. (Security Description (RFC-4568) is supported.)

When a call is secured with SRTP, the voice conversation is encrypted so that others cannot eavesdrop on the conversation. To enable this feature, Cisco SPA IP phones must have a mini-certificate installed.

Defaults to prefer to use encrypted media (voice codecs). Audio packets in both directions of outbound calls are encrypted by using SRTP.

Configuring Voice Codecs

A codec resource is considered allocated if it has been included in the SDP codec list of an active call, even though it eventually might not be chosen for the connection. If the G.729a codec is enabled and included in the codec list, that resource is tied up until the end of the call whether or not the call actually uses G.729a. If the G729a resource is already allocated (and since only one G.729a resource is allowed per IP phone), no other low-bit-rate codec can be allocated for subsequent calls. The only choices are G711a and G711u.

Since two G.723.1/G.726 resources are available per IP phone, you should disable the use of G.729a to guarantee support for two simultaneous G.723/G.726 codecs.

Negotiation of the optimal voice codec sometimes depends on the ability of the Cisco SPA IP phones to match a codec name with the far-end device or gateway codec name. Cisco SPA IP phones allow the network administrator to individually name the various codecs that are supported such that the correct codec successfully negotiates with the far-end equipment.

Note that Cisco SPA IP phones support voice codec priority. You can select up to three preferred codecs. The administrator can select the low-bit-rate codec used for each line. G.711a and G.711u are always enabled.

To configure the voice codecs on each extension, navigate to Admin Login > advanced > Voice > Ext_n. Under Audio Configuration, configure the following parameters:

 

Parameter
Description

Preferred Codec

Preferred codec for all calls. (The actual codec used in a call still depends on the outcome of the codec negotiation protocol.) Select one of the following:

  • G711u (all models)
  • G711a (all models)
  • G726-16 (not supported on Cisco WIP310, Cisco SPA525G or Cisco SPA525G2)
  • G726-24 (not supported on Cisco WIP310, Cisco SPA525G or Cisco SPA525G2)
  • G726-32 (all models)
  • G726-40 (not supported on Cisco WIP310, Cisco SPA525G or Cisco SPA525G2)
  • G729a (all models)
  • G723 (not supported on Cisco WIP310, Cisco SPA525G or Cisco SPA525G2)
  • G722 (not supported on Cisco WIP310)

Defaults to G711u.

Use Pref Codec Only

To use only the preferred codecs for all calls, select yes. (The call fails if the far end does not support these codecs.) Otherwise, select no. Defaults to no.

Second Preferred Codec

If the first codec fails, this codec is tried. Defaults to unspecified.

Not applicable to the Cisco WIP310.

Third Preferred Codec

If the second codec fails, this codec is tried. Defaults to unspecified.

Not applicable to the Cisco WIP310.

G729a Enable

To enable the use of the G.729a codec at 8 kbps, select yes. Otherwise, select no. Defaults to yes.

G722 Enable

Enables use of the G.722 codec. Defaults to yes.

Not applicable to the Cisco WIP310.

G723 Enable

To enable the use of the G.723a codec at 6.3 kbps, select yes. Otherwise, select no. Defaults to yes.

Not applicable to the Cisco WIP310, Cisco SPA300 Series, Cisco SPA525G or Cisco SPA525G2.

G726-16 Enable

To enable the use of the G.726 codec at 16 kbps, select yes. Otherwise, select no. Defaults to yes.

Not applicable to the Cisco WIP310, Cisco SPA525G or Cisco SPA525G2.

G726-24 Enable

To enable the use of the G.726 codec at 24 kbps, select yes. Otherwise, select no. Defaults to yes.

Not applicable to the Cisco WIP310, Cisco SPA525G or Cisco SPA525G2.

G726-32 Enable

To enable the use of the G.726 codec at 32 kbps, select yes. Otherwise, select no. Defaults to yes.

G726-40 Enable

To enable the use of the G.726 codec at 40 kbps, select yes. Otherwise, select no. Defaults to yes.

Not applicable to the Cisco WIP310, Cisco SPA525G or Cisco SPA525G2.

Release Unused Codec

To enable the release of codecs not used after codec negotiation on the first call so that other codecs can be used for the second line, select yes. Otherwise, select no. Defaults to yes.

DTMF Process AVT

Processes RTP DTMF events. When yes DTMF is relayed by using Named Telephony Events (NTEs) in Real-Time Transport Protocol (RTP) packets (RFC-2833, RTP Payload for DTMF Digits, Telephony Tones and Telephony Signals). Defaults to yes.

Silence Supp Enable

To enable silence suppression so that silent audio frames are not transmitted, select yes. Otherwise, select no. Defaults to no.

DTMF Tx Method

The method for transmitting DTMF signals to the far end. The options are: InBand, audio video transport (AVT), INFO, Auto, InBand+INFO, or AVT+INFO.

  • InBand sends DTMF by using the audio path.
  • AVT sends DTMF as AVT events.
  • INFO uses the SIP INFO method.
  • Auto uses InBand or AVT based on the outcome of codec negotiation.

Defaults to Auto.

DTMF Tx Volume for AVT Packet

Allows you to manually configure the AVT Tx volume. The value of this parameter is inserted into the volume field of the payload in the AVT packet.

Values are based on the AVT specification as described in RFC-2833, RTP Payload for DTMF Digits, Telephony Tones and Telephony Signals. According to RFC-2833, the volume field is represented by 6 bits, and describes the power level of the tone, expressed in dBm0 after dropping the sign.

Valid range for this parameter is 0 to 63. If the provisioned value is negative, it is negated first. Thereafter, if the value is beyond the high limit of 63, it is clipped to 63.

The default value is 0 and the recommended setting. However, some gateways do not accept this volume setting. If the gateway does not accept a value of 0, the DTMF tone is not relayed to the remote end. As a workaround for the phone to interoperate with those gateways, you can change the value to a value greater than 0.

Use Remote Pref Codec

To set the phone to communicate by using the remote phone-preferred codec, select yes. If set to no, the Cisco IP phone communicates by using its own preferred codec (as indicated in the Preferred Codec field and in the SDP by order of preferences). The default vale is no.

Codec Negotiation

When set to Default, the Cisco IP phone responds to an Invite with a 200 OK response advertising the preferred codec only. When set to List All, the Cisco IP phone responds listing all the codecs that the phone supports. The default value is Default.

Setting Optional Network Servers

Optional network servers provide resources such as DNS lookup, network time, logging, and device discovery.

To configure the (PoE) requirements, navigate to Admin Login > advanced > Voice > System. Under Optional Network Configuration configure the following fields:

Manual—Enter the IP address of the DNS server manually; do not use the DHCP-supplied DNS table.

Manual/DHCP—Look for a manual entry of the IP address of the DNS server. Use the DHCP-supplied DNS table if it is not found.

DHCP/Manual—Use the DHCP-supplied DNS table. If not found, look for a manual entry of the IP address of the DNS server.

DNS Query Mode—Parallel or Sequential DNS query. A parallel DNS query sends the same DNS lookup request to all of the DNS servers at the same time. The first incoming reply is accepted by the phone. A sequential query polls the DNS servers in sequence. Defaults to parallel. Not available on Cisco WIP310, Cisco SPA525G or Cisco SPA525G2.

Syslog Server—Syslog server name and port for logging system information and critical events. If both Debug Server and Syslog Server are specified, Syslog messages are also logged to the Debug Server.

Debug Server—Debug server name and port for logging debug information. The level of detailed output depends on the Debug Level.

Debug Level—The debug level ranges from 0 to 3. The higher the level, the more debug information is generated. Zero (0) means no debug information is generated. To log SIP messages, you must set the Debug Level to at least 2. Defaults to 0.

NTP Enable—Enables the Network Time Protocol (NTP). Applies to the Cisco SPA525G or Cisco SPA525G2 only.

Primary NTP Server—IP address or name of the primary NTP server used to synchronize its time. Defaults to blank.

Secondary NTP Server—IP address or name of the secondary NTP server used to synchronize its time. Defaults to blank.

Enable Bonjour—Bonjour is used by Office Manager and Cisco Configuration Assistant to discover the Cisco IP phones. Choose yes to enable or no to disable. Applies to the Cisco SPA525G or Cisco SPA525G2 only.

Configuring VLAN Settings

If you use a VLAN, your IP phone voice packets are tagged with the VLAN ID. (This section does not apply to the Cisco WIP310.)

Configuring Cisco Discovery Protocol (CDP)

CDP is negotiation-based and determines which VLAN the IP phone resides in. If you are using a Cisco switch, Cisco discovery protocol (CDP) is available and enabled by default. CDP:

  • Obtains the protocol addresses of neighboring devices and discovers the platform of those devices.
  • Shows information about the interfaces your router uses.
  • Is media and protocol-independent.

If you are using a VLAN without CDP, you must enter a VLAN ID for the IP phone.

Configuring LLDP-MED

The Cisco SPA300 Series and Cisco SPA500 Series IP phones support Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED) for deployment with Cisco or other third-party network connectivity devices that use a Layer 2 auto-discovery mechanism. Implementation of LLDP-MED is done in accordance with IEEE 802.1AB (LLDP) Specification of May 2005, and ANSI TIA-1057 of April 2006.

Cisco SPA IP phones operate as LLDP-MED Media End Point Class III devices with direct LLDP-MED links to Network Connectivity Devices, according to the Media Endpoint Discovery Reference Model and Definition (ANSI TIA-1057 Section 6).

Cisco SPA IP phones support only the following limited set of TLVs as LLDP-MED Media Endpoint device class III:

  • Chassis ID TLV
  • Port ID TLV
  • Time to live TLV
  • Port Description TLV
  • System Name TLV
  • System Capabilities TLV
  • IEEE 802.3 MAC/PHY Configuration/Status TLV (for wired network only)
  • LLDP-MED Capabilities TLV
  • LLDP-MED Network Policy TLV (for application type=Voice only)
  • LLDP-MED Extended Power-Via-MDI TLV (for wired network only)
  • LLDP-MED Firmware Revision TLV
  • End of LLDPDU TLV

The outgoing LLDPDU contains all the above TLVs when if applicable. For the incoming LLDPDU, the LLDPDU is discarded if any of the following TLVs are missing. All other TLVs are not validated and ignored.

  • Chassis ID TLV
  • Port ID TLV
  • Time to live TLV
  • LLDP-MED Capabilities TLV
  • LLDP-MED Network Policy TLV (for application type=Voice only)
  • End of LLDPDU TLV

The phone sends out the shutdown LLDPDU if applicable. The LLDPDU frame contains the following TLVs:

  • Chassis ID TLV
  • Port ID TLV
  • Time to live TLV
  • End of LLDPDU TLV

There are some restrictions in the implementation of LLDP-MED on the Cisco IP Phones:

  • Storage and retrieval of neighbor information is not supported.
  • SNMP and corresponding MIBs are not supported.
  • Recording and retrieval of statistical counters are not supported.
  • There is no full validation of all TLVs; TLVs that do not apply to the phones are ignored.
  • Protocol state machines as stated in the standards are only used for reference.

TLV Information

These sections provide the TLV information.

Chassis ID TLV

For the outgoing LLDPDU, the TLV supports sub-type=5 (Network Address). When IP address is known, the value of Chassis ID is an octet of the INAN address family number followed by the octet string for the IPv4 address used for voice communication. If the IP address is unknown, the value for Chassis ID is 0.0.0.0. The only INAN address family supported is IPv4. Currently, IPv6 address for the Chassis ID is not supported. For the incoming LLDPDU, the Chassis ID is treated as an opaque value to form MSAP identifier. The value is not validated against its sub-type. The Chassis ID TLV is mandatory as the first TLV. Only one Chassis ID TLV is allowed for the outgoing and incoming LLDPDUs.

Port ID TLV

For the outgoing LLDPDU, the TLV supports sub-type=3 (MAC address). The 6 octet MAC address for the Ethernet port is used for the value of Port ID in wired or wireless mode. For the incoming LLDPDU, the Port ID TLV is treated as an opaque value to form the MSAP identifier. The value is not validated against its sub-type. The Port ID TLV is mandatory as the second TLV. Only one Port ID TLV is allowed for the outgoing and incoming LLDPDUs.

Time to Live TLV

For the outgoing LLDPDU, the Time to live TTL value is 180 seconds. This is different from 120 seconds as recommended by the standard. For the shutdown LLDPDU, the TTL value is always 0. The Time to Live TLV is mandatory as the third TLV. Only one Time to Live TLV is allowed for the outgoing and incoming LLDPDUs.

End of LLDPDU TLV

The value is 2-octet, all zero. This TLV is mandatory and only one is allowed for the outgoing and incoming LLDPDUs.

Port Description TLV

For the outgoing LLDPDU, in the Port Description TLV, the value for the port description is the same as “Port ID TLV” for CDP. The incoming LLDPDU, the Port Description TLV, is ignored and not validated. Only one Port Description TLV is allowed for outgoing and incoming LLDPDUs.

System Name TLV

For the outgoing LLDPDU, in the System Name TLV, the value is the same as ‘Platform TLV” for CDP. For the Cisco SPA525G2, the name is “SPA525G2.” The incoming LLDPDU, the System Name TLV, is ignored and not validated. Only one System Name TLV is allowed for the outgoing and incoming LLDPDUs.

System Capabilities TLV

For the outgoing LLDPDU, in the System Capabilities TLV, the bit values for the 2 octet system capabilities field should be set for Bit 2 (Bridge) and Bit 5 (Phone) for a phone with a PC port. If the phone does not have a PC port, only Bit 5 should be set. The same system capability value should be set for the enabled capability field. For the incoming LLDPDU, the System Capabilities TLV is ignored. The TLV is not validated semantically against the MED device type. The System Capabilities TLV is mandatory for outgoing LLDPDUs. Only one System Capabilities TLV is allowed.

IEEE 802.3 MAC/PHY Configuration/Status TLV

The TLV is not for auto-negotiation, but for troubleshooting purposes. For the incoming LLDPDU, the TLV is ignored and not validated. For the outgoing LLDPDU, for the TLV, the octet value auto-negotiation support/status should be:

  • Bit 0—Set to 1 to indicate the auto-negotiation support feature is supported.
  • Bit 1—Set to 1 to indicate auto-negotiation status is enabled.
  • Bit 2-7—Set to 0.

The bit values for the 2 octets PMD auto-negotiation advertised capability field should be set to:

  • Bit 13—10BASE-T half duplex mode
  • Bit 14—10BASE-T full duplex mode
  • Bit 11—100BASE-TX half duplex mode
  • Bit 10—100BASE-TX full duplex mode
  • Bit 15—Unknown

Bit 10, 11, 13 and 14 should be set.

The value for 2 octets operational MAU type should be set to reflect the real operational MAU type:

  • 16—100BASE-TX full duplex
  • 15—100BASE-TX half duplex
  • 11—10BASE-T full duplex
  • 10—10BASE-T half duplex

For example, in most cases, the phone is set to 100BASE-TX full duplex. The value 16 should then be set. The TLV is optional for a wired network and not applicable for a wireless network. The phone will send out this TLV only when in wired mode. When the phone is not set for auto-negotiation but specific speed/duplexity, for the outgoing LLDPDU TLV, bit 1 for the octet value auto-negotiation support/status should be clear (0) to indicate auto-negotiation is disabled. The 2 octets PMD auto-negotiation advertised capability field should be set to 0x8000 to indicate unknown. The Cisco SPA525G/525G2 allows the administrator to set the switch operational mode to auto-negotiation or to a specific speed/duplexity.

LLDP-MED Capabilities TLV

For the outgoing LLDPDU, the TLV should have the device type 3 (End Point Class III) and with the following bits set for 2-octet Capability field:

 

Bit Position
Capability

0

LLDP-MED Capabilities

1

Network Policy

4

Extended Power via MDI-PD

5

Inventory

For the incoming TLV, if the LLDP-MED TLV is not present, the LLDPDU is discarded. The LLDP-MED Capabilities TLV is mandatory and only one is allowed for the outgoing and incoming LLDPDUs. Any other LLDP-MED TLVs will be ignored if they present before the LLDP-MED Capabilities TLV.

Network Policy TLV

Outgoing LLDPDU —The phone will send out only one Network Policy TLV with the Application Type Value set to 1 (Voice). Before the VLAN or DSCP is determined, the Unknown Policy Flag (U) is set to 1. If the VLAN setting or DSCP is known, the value is set to 0. When the policy is unknown, all other values are set to 0. Before the VLAN is determined or used, the Tagged Flag (T) is set to 0. If the tagged VLAN (VLAN ID > 1) is used for the phone, the Tagged Flag (T) is set to 1. Reserved (X) is always set to 0. If the VLAN is used, the corresponding VLAN ID and L2 Priority will be set accordingly. VLAN ID valid value is range from 1-4094. However, VLAN ID=1 will never be used (limitation). If DSCP is used, the value range from 0-63 is set accordingly.

Incoming LLDPDU —Multiple Network Policy TLVs for different application types are allowed. The phone will only support and interpret the TLV with the application type=1 (Voice). TLVs for other application types are ignored and not validated.

LLDP-MED Extended Power-Via-MDI TLV

In the TLV for the outgoing LLDPDU, the binary value for Power Type is set to “0 1” to indicate the power type for phone is PD Device. The Power source for the phone is set “PSE and local” with binary value “1 1”. The Power Priority is set to binary “0 0 0 0” to indicate unknown priority while the Power Value is set to maximum power value based on phone type:

 

Phone Type
Power Value

Cisco SPA525G or Cisco SPA525G2

125

Cisco SPA500 Series

120

Cisco SPA300 Series

100

For the incoming LLDPDU, the TLV is ignored and not validated. Only one TLV is allowed in the outgoing and incoming LLDPDUs. The phone will send out the TLV for wired network only.

The LLDP-MED standard was originally drafted in the context of Ethernet. Discussion is ongoing for LLDP-MED for Wireless Networks. Refer to ANSI-TIA 1057, Annex C, C.3 Applicable TLV for VoWLAN, table 24. It is recommended that the TLV is not applicable in the context of the wireless network. This TLV is targeted for use in the context of PoE and Ethernet. The TLV, if added, will not provide any value for network management or power policy adjustment at the switch.

LLDP-MED Inventory Management TLV

This TLV is optional for Device Class III. For the outgoing LLDPDU, we support only Firmware Revision TLV. The value for the firmware revision is the firmware version. For the incoming LLDPDU, the TLVs are all ignored and not validated. Only one Firmware Revision TLV is allowed for the outgoing and incoming LLDPDUs.

Final Network Policy Resolution and QoS For the Phone

The following sections describe network policy and QoS for the IP phones.

Special VLANs

VLAN=0, VLAN=1 and VLAN=4095 are treated the same way as an untagged VLAN. As the VLAN is untagged, CoS is not applicable.

Default QoS for SIP Mode

If there is no network policy from CDP or LLDP-MED, the default network policy is used. CoS is based on configuration for the specific extension. It is applicable only if the manual VLAN is enabled and manual VLAN ID is not equal to 0, 1, or 4095. ToS is based on configuration for the specific extension.

Default QoS for SPCP Mode

If there is no network policy from CDP or LLDP-MED, the default network policy is used. CoS is based on a pre-defined value of 5. It is applicable only if the manual VLAN is enabled and manual VLAN ID is not equal to 0, 1, or 4095. ToS is based on precedence value from the StartMediaTransmission Message from the Unified Communications 500 Series for the Cisco SPA525G/525G2. However, ToS is based on the value specified for the specific extension in the web administration interface for the Cisco SPA50X IP phone.

QoS Resolution for CDP

If there is a valid network policy from CDP:

  • If the VLAN=0, 1 or 4095, the VLAN will not be set, or the VLAN is untagged. CoS is not applicable, but DSCP is applicable. ToS is based on the default as previously described.
  • If the VLAN > 1 and VLAN< 4095, the VLAN is set accordingly. CoS and ToS are based on the default as previously described. DSCP is applicable.
  • For the Cisco SPA525G/525G2, when the VLAN is changed, the user sees the voice component refreshed when the IP address is changed. For the Cisco SPA50X, the phone reboots and restarts the fast start sequence.

QoS Resolution for LLDP-MED

If CoS is applicable and if CoS=0, the default will be used for the specific extension as previously described. But the value shown on L2 Priority for TLV for outgoing LLDPDU is based on value used for extension 1. If CoS is applicable and if CoS != 0, CoS will be used for all extensions.

If DSCP (mapped to ToS) is applicable and if DSCP=0, the default will be used for the specific extension as previously described. But the value show on DSCP for TLV for outgoing LLDPDU is based on value used for the extension 1. If DSCP is applicable and if DSCP != 0, DSCP will be used for all extensions.

If the VLAN > 1 and VLAN < 4095, the VLAN is set accordingly. CoS and ToS are based on the default as previously described. DSCP is applicable.

If there is a valid network policy for voice application from LLDP-MED PDU and if the tagged flag is set, the VLAN, L2 Priority (CoS) and DSCP (mapped to ToS) are all applicable.

If there is a valid network policy for voice application from LLDP-MED PDU and if the tagged flag is not set, only the DPSC (mapped to ToS) is applicable.

For the Cisco SPA525G/525G2, when the VLAN is changed, the user sees the voice component refreshed when IP address is changed. For the Cisco SPA50X, the phone reboots and restarts the fast start sequence.

Co-Existence with CDP

If both CDP and LLDP-MED are enabled, the network policy for the VLAN is determined by the last policy set or changed with either one of the discovery modes. If both LLDP-MED and CDP are enabled, during startup, the phone sends both CDP and LLDP-MED PDUs at the same time.

Inconsistent configuration and behavior for network connectivity devices for CDP and LLDP-MED modes could result in an oscillating rebooting behavior for the phone due to switching to different VLANs.

If the VLAN is not set via CDP and LLDP-MED, the VLAN ID that is configured manually is used. If the VLAN ID is not configured manually, no VLAN will be supported. DSCP is used and the network policy is determined by LLDP-MED if applicable.

Wireless LAN Environments

Network policy for the VLAN feature is not supported for wireless networks. The Wireless AP or Wireless router must be enabled for LLDP-MED as the Network Connectivity Device. The DSCP portion for network policy from Wireless AP/Router will be supported if enabled.

LLDP-MED and Multiple Network Devices

If the same application type is used for network policy but different Layer 2 or Layer 3 QoS Network policies are received by the phones from multiple network connectivity devices, the last valid network policy is honored. To ensure deterministic and consistent of Network Policy, multiple network connectivity devices should not send out conflicting network policies for the same application type.

LLDP-MED and IEEE 802.X

The phones do not support IEEE 802.X and will not work in a 802.1X wired environment. However, IEEE 802.1X or Spanning Tree Protocols on network devices could result in delay of fast start response from switches.

Configuring the VLAN Settings

To configure VLAN settings, navigate to Admin Login > advanced > Voice > System. Under VLAN Settings, configure the following parameters:

 

Parameter
Description

Enable VLAN

Choose Yes to enable VLAN. Choose no to disable.

VLAN ID

If you use a VLAN without Cisco Discovery Protocol (CDP) (VLAN enabled and CDP disabled), enter a VLAN ID for the IP phone. Note that only voice packets are tagged with the VLAN ID. Do not use 1 for the VLAN ID.

PC Port VLAN Highest Priority

Choose No Limit, or 0 - 7 (default 0). The highest priority is 7. The priority applied to all frames, tagged and untagged. The phone modifies the frame priority only if the incoming frame priority is higher than this value.

Enable PC Port VLAN Tagging

Enables VLAN and priority tagging on the phone data port (802.1p/q). This feature facilities tagging of the VLAN ID (802.1Q) and priority bits (802.1p) of the traffic coming from the PC port of the IP phone.

Choose Yes to enable the tagging algorithm. Defaults to No.

PC Port VLAN ID

The phone tags all of the untagged frames coming from the PC. (It does not tag frames with existing tags). Ranges from 0 to 4095. Defaults to 0.

Enable CDP

Enable CDP only if you are using a switch that has CDP. CDP is negotiation-based and determines on which VLAN the IP phone resides.

Enable LLDP-MED

Choose yes to enable LLDP-MED for the phone to advertise itself to devices that use that discovery protocol. (By default, this setting is enabled.)

When the LLDP-MED feature is enabled, after the phone has initialized and Layer 2 connectivity is established, the phone sends out LLDP-MED PDU frames. If the phone receives no acknowledgment, the manually configured VLAN or default VLAN is used if applicable. If CDP is used concurrently, a waiting period of 6 seconds is used. The waiting period increases the overall startup time for the phone.

Network Startup Delay

Enter the delay in seconds for the switch to get to the forwarding state before the phone sends out the first LLDP-MED packet. The default delay is 3 seconds. For configuration of some switches, it might be necessary to increase this value to a higher value for LLDP-MED to work. Configuring a delay can be important for networks that use Spanning Tree Protocol.

Configuring SSL VPN on the Cisco SPA525G or Cisco SPA525G2

The Cisco SPA525G or Cisco SPA525G2 can be used in a virtual private network (VPN) to allow users secure access to the office phone network from remote locations or to connect the Internet and use VPN to access the company phone network. This feature works on the Cisco SPA525G or Cisco SPA525G2 using either SIP or SPCP.

The phone works with the Cisco AnyConnect VPN client and the following VPN devices:

  • Cisco 500 Series Secure Router
  • Cisco 5500 Series Adaptive Security Appliance
  • Cisco Unified Communications 520 Series

You must configure the SSL VPN device to ensure proper routing of voice data by using VLAN and QoS at the end of the SSL VPN server. The following restrictions apply:

  • HTTP proxy is not supported.
  • SSL client certificate verification is not supported.
  • CDP and VLAN tagging and QoS for the voice and PC port are not supported on the SSL VPN tunnel.

Because using VPN requires internal phone resources, performance can suffer if using memory-intensive applications or configurations on the phone when the phone is connected to the VPN. The following restrictions apply:

  • Only the G.711 Audio Codec is supported.
  • SRTP for secured audio is not supported.
  • Video monitoring is not supported.

To configure and use the Cisco SPA525G or Cisco SPA525G2 on a VPN, you must do the following:

1. Configure the VPN on the VPN server by using Cisco AnyConnect VPN client software.

2. Configure the VPN administrative settings on the IP phone by using the phone web user interface.

3. Configure the VPN user settings using the phone web user interface or on the IP phone by using the IP phone screen.

Configuring the VPN on the Security Appliance

This configuration is for example purposes. Specific configuration instructions are not presented in this document. For detailed instructions for your particular device, see the application notes in the Cisco Small Business Support Community.


Step 1 Download the Cisco AnyConnect VPN client software from Cisco.com and install it on the VPN server.

Step 2 Download a Cisco IOS version that supports this feature and install it on the VPN server.

Step 3 Configure SSL VPN on the VPN server.

Step 4 Ensure the VPN is functional and you can connect to the VPN by using the Cisco AnyConnect VPN client.


 

Configuring the VPN on the Cisco SPA525G or Cisco SPA525G2

The phone obtains its software load from a TFTP server when the phone either boots in SPCP mode (if the Connect on Bootup field on the phone is set to yes), or connects to the VPN manually (as a result of a user pressing Connect on the phone under the Network Configuration > VPN menu).

Administrator Settings

If the phone will be connecting to the VPN by using SPCP:


Step 1 Navigate to Admin Login > advanced > Voice > System.

Step 2 Under Optional Network Configuration, from the Alternate TFTP list choose yes.

Step 3 In the TFTP Server field, enter the IP address of the Cisco Unified Communications 500 Series server.

Step 4 Click Submit All Changes.


 

User Settings

Enter the user settings for the phone, using either the phone web user interface or the phone itself:


Step 1 Navigate to Admin Login > advanced > Voice > System. (Not applicable to the Cisco SPA525G or Cisco SPA525G2 in SPCP mode.)

Step 2 Under VPN Settings, enter the following:

  • In the VPN Server field, enter the IP address of the VPN server.
  • In the VPN User Name and Password fields, enter the username and password to log in to the VPN server. These were created when you set up the VPN on the server.
  • (Optional) Enter the VPN tunnel group, if required by your VPN server.
  • (Optional) To connect to the VPN when the phone is powered on, in the Connect on Bootup field, choose yes.

Step 3 Click Submit All Changes. If you did not choose yes in the Connect on Bootup field, connect to the VPN on the phone by pressing the Setup button and choosing Network Configuration > VPN > Connect.


 

To use the phone interface:


Step 1 On the phone, press the Setup button.

Step 2 Scroll to Network Configuration and press Select.

Step 3 Scroll to Web Server and ensure that it is enabled. Press the right arrow key if it is not enabled.

If the option to edit the parameter is not displayed, press **# to display the option. If the edit option still does not display, it might be set by your phone system administrator such that you cannot modify this parameter.

Step 4 Scroll to VPN and press the right arrow key.

Step 5 Under VPN server, enter the IP address of the VPN server.

Step 6 Enter the username to log in to the VPN server.

Step 7 Enter the password for the user.

Step 8 (Optional) Enter the tunnel group, if this is required by the VPN server.

Step 9 (Optional) To connect to the VPN when the phone is powered on, ensure that Connect on Bootup is enabled.

Step 10 To connect to the VPN, ensure that Connect is enabled.

Step 11 Press Save. After the VPN connection is established, a VPN icon appears in the upper right of the IP phone screen.


 

To view the VPN status, either:

  • Use the phone web user interface:

Click Admin Login and advanced. (Not applicable to the Cisco SPA525G or Cisco SPA525G2 in SPCP mode.) Click the Info tab.

  • Use the phone menu:

Press the Setup button. Scroll to Status and press Select. Scroll to VPN Status and press Select.