- Finding Feature Information
- Restrictions for Critical Voice VLAN Support
- Information About Critical Voice VLAN Support
- How to Configure Critical Voice VLAN Support
- Configuration Examples for Critical Voice VLAN Support
- Additional References for Critical Voice VLAN Support
- Feature Information for Critical Voice VLAN Support
Critical Voice VLAN Support
The Critical Voice VLAN Support feature directs phone traffic to the configured voice VLAN of a port if the authentication server becomes unreachable.
With normal network connectivity, when an IP phone successfully authenticates on a port, the authentication server directs the phone traffic to the voice domain of the port. If the authentication server becomes unreachable, IP phones cannot authenticate the phone traffic. In multidomain authentication (MDA) mode or multiauthentication mode, you can configure the Critical Voice VLAN Support feature to direct phone traffic to the configured voice VLAN of the port. The phone is authorized as an unknown domain. Both data and voice are enabled for the phone.
- Finding Feature Information
- Restrictions for Critical Voice VLAN Support
- Information About Critical Voice VLAN Support
- How to Configure Critical Voice VLAN Support
- Configuration Examples for Critical Voice VLAN Support
- Additional References for Critical Voice VLAN Support
- Feature Information for Critical Voice VLAN Support
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Critical Voice VLAN Support
Information About Critical Voice VLAN Support
- Critical Voice VLAN Support in Multidomain Authentication Mode
- Critical Voice VLAN Support in Multiauthentication Mode
- Critical Voice VLAN Support in a Service Template
Critical Voice VLAN Support in Multidomain Authentication Mode
If a critical voice VLAN is deployed using an interface in multidomain authentication (MDA) mode, the host mode is changed to multihost and the first phone device is installed as a static forwarding entries. Any additional phone devices are installed as dynamic forwarding entry in the Host Access Table (HAT).
Note | If a critical port is already authorized and reauthentication occurs, the switch puts the port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server. |
Note | Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on a 802.1X port, the features interact as follows: if all RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN. |
Critical Voice VLAN Support in Multiauthentication Mode
If the critical authentication feature is deployed in multiauthentication mode, only one phone device will be allowed and a second phone trying to authorize will trigger a violation.
The show authentication sessions command displays the critical voice client data. A critically authorized voice client in multiauthentication host mode will be in the “authz success” and “authz fail” state.
Note | If critical voice is required, then critical data should be configured too. Otherwise, the critical voice client will be displayed in the “authz fail” state while the voice VLAN will be open. |
Critical Voice VLAN Support in a Service Template
On enterprise Edge (eEdge) devices, the critical access of phones is configured by activating a critical service template when the authentication server becomes unreachable. The voice feature plug-in registers with the Enterprise Policy Manager (EPM) by using an authentication, authorization, and accounting (AAA) voice attribute, and it allows unconditional access to the voice VLAN while the AAA services are unavailable.
To enable critical voice VLAN support, the critical authentication of phones must be configured using a combination of control policy rules and a service template.
When the authentication server is unavailable and the host is unauthorized, the AAA attribute device-traffic-type is not populated. The phone is authorized as an unknown domain, and both the data and voice VLAN are enabled for this device, allowing the device to handle voice traffic.
How to Configure Critical Voice VLAN Support
Configuring a Voice VLAN in a Service Template
Perform this task on a port to configure critical voice VLAN support using a service template.
1.
enable
2.
configure
terminal
3.
service-template
template-name
4.
vlan
vlan-id
5.
exit
6.
service-template
template-name
7.
voice
vlan
8.
exit
9.
class-map
type
control
subscriber
{match-all |
match-any |
match-none}
control-class-name
10.
match
result-type
[method
{dot1x |
mab |
webauth}]
result-type
11.
match
authorization-status
{authorized |
unauthorized}
12.
exit
13.
class-map
type
control
subscriber
{match-all |
match-any |
match-none}
control-class-name
14.
match
result-type
[method
{dot1x |
mab |
webauth}]
result-type
15.
match
authorization-status
{authorized |
unauthorized}
16.
end
DETAILED STEPS
Activating Critical Voice VLAN
Perform the following task to activate a critical voice VLAN that is configured on a service template.
1.
enable
2.
configure
terminal
3.
policy-map type control
subscriber
control-policy-name
4.
event
authentication-failure [match-all |
match-first]
5.
priority-number
class {control-class-name |
always}
[do-all |
do-until-failure |
do-until-success]
6.
action-number
activate {policy type control
subscriber
control-policy-name |
service-template
template-name [aaa-list
list-name] [precedence
[replace-all]]}
7.
action-number
activate {policy type control
subscriber
control-policy-name |
service-template
template-name [aaa-list
list-name] [precedence
[replace-all]]}
8.
action-number
authorize
9.
action-number
pause
reauthentication
10.
exit
11.
priority-number
class {control-class-name |
always}
[do-all |
do-until-failure |
do-until-success]
12.
action-number
pause
reauthentication
13.
end
DETAILED STEPS
Configuration Examples for Critical Voice VLAN Support
Example: Configuring a Voice VLAN in a Service Template
Device> enable Device# configure terminal Device(config)# service-template SERVICE-TEMPLATE Device(config-service-template)# vlan 116 Device(config-service-template)# exit Device(config)# service-template CRITICAL-VOICE Device(config-service-template)# voice vlan Device(config-service-template)# exit Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST Device(config-filter-control-classmap)# match result-type aaa-timeout Device(config-filter-control-classmap)# match authorization-status unauthorized Device(config-filter-control-classmap)# exit Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST Device(config-filter-control-classmap)# match result-type aaa-timeout Device(config-filter-control-classmap)# match authorization-status authorized Device(config-filter-control-classmap)# end
Example: Activating a Critical Voice VLAN on a Service Template
Device> enable Device# configure terminal Device(config)# policy-map type control subscriber cisco-subscriber Device(config-event-control-policymap)# event authentication-failure match-first Device(config-class-control-policymap)# 10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure Device(config-action-control-policymap)# 10 activate service-template SERVICE-TEMPLATE Device(config-action-control-policymap)# 10 activate service-template CRITICAL-VOICE Device(config-action-control-policymap)# 30 authorize Device(config-action-control-policymap)# 40 pause reauthentication Device(config-action-control-policymap)# exit Device(config-class-control-policymap)# 20 class AAA-SVR-DOWN-AUTHD-HOST Device(config-action-control-policymap)# 10 pause reauthentication Device(config-action-control-policymap)# end
Additional References for Critical Voice VLAN Support
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Cisco Identity-Based Networking Services commands |
Cisco IOS Identity-Based Networking Services Command Reference |
Standards and RFCs
Standard/RFC |
Title |
---|---|
IEEE 802.1X |
Port based Network Access Control |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Critical Voice VLAN Support
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Critical Voice VLAN Support |
Cisco IOS XE Release 3.3SE |
This feature enables critical voice VLAN support, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable. The following command was added or modified: voice vlan |