Critical Voice VLAN Support
The Critical Voice VLAN Support feature directs phone traffic to the configured voice VLAN of a port if the authentication server becomes unreachable.
With normal network connectivity, when an IP phone successfully authenticates on a port, the authentication server directs the phone traffic to the voice domain of the port. If the authentication server becomes unreachable, IP phones cannot authenticate the phone traffic. In multidomain authentication (MDA) mode or multiauthentication mode, you can configure the Critical Voice VLAN Support feature to direct phone traffic to the configured voice VLAN of the port. The phone is authorized as an unknown domain. Both data and voice are enabled for the phone.
Restrictions for Critical Voice VLAN Support
- Different VLANs must be configured for voice and data.
- The voice VLAN must be configured on a device.
- The Critical Voice VLAN Support feature does not support standard Access Control Lists (ACLs) on the switch port.
Information About Critical Voice VLAN Support
Critical Voice VLAN Support in Multidomain Authentication Mode
If a critical voice VLAN is deployed using an interface in multidomain authentication (MDA) mode, the host mode is changed to multihost and the first phone device is installed as a static forwarding entry. Any additional phone devices are installed as dynamic forwarding entries in the Host Access Table (HAT).
Critical Voice VLAN Support in Multiauthentication Mode
If the critical authentication feature is deployed in multiauthentication mode, only one phone device will be allowed and a second phone trying to authorize will trigger a violation.
The show authentication sessions command displays the critical voice client data. A critically authorized voice client in multiauthentication host mode will be in the “authz success” and “authz fail” state.
Note: If critical voice is required, then critical data should be configured too. Otherwise, the critical voice client will be displayed in the “authz fail” state while the voice VLAN will be open.
Critical Voice VLAN Support in a Service Template
On enterprise Edge (eEdge) devices, the critical access of phones is configured by activating a critical service template when the authentication server becomes unreachable. The voice feature plug-in registers with the Enterprise Policy Manager (EPM) by using an authentication, authorization, and accounting (AAA) voice attribute, and it allows unconditional access to the voice VLAN while the AAA services are unavailable.
To enable critical voice VLAN support, the critical authentication of phones must be configured using a combination of control policy rules and a service template.
When the authentication server is unavailable and the host is unauthorized, the AAA attribute device-traffic-type is not populated. The phone is authorized as an unknown domain, and both the data and voice VLAN are enabled for this device, allowing the device to handle voice traffic.
How to Configure Critical Voice VLAN Support
Configuring a Critical Voice VLAN in a Service Template
Perform this task on a port to configure critical voice VLAN support using a service template.
SUMMARY STEPS
1. enable
2. configure terminal
3. service-template template-name
4. vlan vlan-id
5. exit
6. service-template template-name
7. voice vlan
8. exit
9. class-map type control subscriber {match-all | match-any | match-none} control-class-name
10. match result-type [method {dot1x | mab | webauth}] result-type
11. match authorization-status {authorized | unauthorized}
12. exit
13. class-map type control subscriber {match-all | match-any | match-none} control-class-name
14. match result-type [method {dot1x | mab | webauth}] result-type
15. match authorization-status {authorized | unauthorized}
16. end
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. |
Step 2 | configure terminal | Enters global configuration mode. |
Step 3 | service-template template-name | Defines a template that contains a set of service policy attributes to apply to subscriber sessions and enters service template configuration mode. |
Step 4 | vlan vlan-id | Assigns a VLAN to a subscriber session. |
Step 5 | exit | Exits service template configuration mode and returns to global configuration mode. |
Step 6 | service-template template-name | Defines a template that contains a set of service policy attributes to apply to subscriber sessions and enters service template configuration mode. |
Step 7 | voice vlan | Assigns a critical voice VLAN to a subscriber session. |
Step 8 | exit | Exits service template configuration mode and returns to global configuration mode. |
Step 9 | class-map type control subscriber {match-all \| match-any \| match-none} control-class-name | Creates a control class, which defines the conditions under which the actions of a control policy are executed, and enters control class-map filter configuration mode. |
Step 10 | match result-type [method {dot1x \| mab \| webauth}] result-type | Creates a condition that returns true based on the specified authentication result. |
Step 11 | match authorization-status {authorized \| unauthorized} | Creates a condition that returns true based on the authorization status of a session. |
Step 12 | exit | Exits control class-map filter configuration mode and returns to global configuration mode. |
Step 13 | class-map type control subscriber {match-all \| match-any \| match-none} control-class-name | Creates a control class, which defines the conditions under which the actions of a control policy are executed, and enters control class-map filter configuration mode. |
Step 14 | match result-type [method {dot1x \| mab \| webauth}] result-type | Creates a condition that returns true based on the specified authentication result. |
Step 15 | match authorization-status {authorized \| unauthorized} | Creates a condition that returns true based on the authorization status of a session. |
Step 16 | end | Exits control class-map filter configuration mode and returns to privileged EXEC mode. |
Activating Critical Voice VLAN
Perform the following task to activate a critical voice VLAN that is configured on a service template.
SUMMARY STEPS
1. enable
2. configure terminal
3. policy-map type control subscriber control-policy-name
4. event authentication-failure [match-all | match-first]
5. priority-number class {control-class-name | always} [do-all | do-until-failure | do-until-success]
6. action-number activate {policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}
7. action-number activate {policy type control subscriber control-policy-name | service-template template-name [aaa-list list-name] [precedence [replace-all]]}
8. action-number authorize
9. action-number pause reauthentication
10. exit
11. priority-number class {control-class-name | always} [do-all | do-until-failure | do-until-success]
12. action-number pause reauthentication
13. end
DETAILED STEPS
Step | Command or Action | Purpose |
---|---|---|
Step 1 | enable | Enables privileged EXEC mode. |
Step 2 | configure terminal | Enters global configuration mode. |
Step 3 | policy-map type control subscriber control-policy-name | Defines a control policy for subscriber sessions and enters control policy-map event configuration mode. |
Step 4 | event authentication-failure [match-all \| match-first] | Specifies the type of event that triggers actions in a control policy if all authentication events are a match and enters control policy-map class configuration mode. |
Step 5 | priority-number class {control-class-name \| always} [do-all \| do-until-failure \| do-until-success] | Specifies that the control class should execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode. |
Step 6 | action-number activate {policy type control subscriber control-policy-name \| service-template template-name [aaa-list list-name] [precedence [replace-all]]} | Activates a control policy associated with the VLAN on a subscriber session. |
Step 7 | action-number activate {policy type control subscriber control-policy-name \| service-template template-name [aaa-list list-name] [precedence [replace-all]]} | Activates a control policy associated with the voice VLAN on a subscriber session. |
Step 8 | action-number authorize | Initiates the authorization of a subscriber session. |
Step 9 | action-number pause reauthentication | Pauses the reauthentication process after an authentication failure. |
Step 10 | exit | Exits control policy-map action configuration mode and enters control policy-map class configuration mode. |
Step 11 | priority-number class {control-class-name \| always} [do-all \| do-until-failure \| do-until-success] | Specifies that the control class should execute the actions in a control policy, in the specified order, until one of the actions fails, and enters control policy-map action configuration mode. |
Step 12 | action-number pause reauthentication | Pauses the reauthentication process after an authentication failure. |
Step 13 | end | Exits control policy-map action configuration mode and enters privileged EXEC mode. |
Configuration Examples for Critical Voice VLAN Support
Example: Configuring a Voice VLAN in a Service Template
Device> enable
Device# configure terminal
Device(config)# service-template CRITICAL-DATA
Device(config-service-template)# vlan 116
Device(config-service-template)# exit
Device(config)# service-template CRITICAL-VOICE
Device(config-service-template)# voice vlan
Device(config-service-template)# exit
Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-UNAUTHD-HOST
Device(config-filter-control-classmap)# match result-type aaa-timeout
Device(config-filter-control-classmap)# match authorization-status unauthorized
Device(config-filter-control-classmap)# exit
Device(config)# class-map type control subscriber match-all AAA-SVR-DOWN-AUTHD-HOST
Device(config-filter-control-classmap)# match result-type aaa-timeout
Device(config-filter-control-classmap)# match authorization-status authorized
Device(config-filter-control-classmap)# end
Example: Activating a Critical Voice VLAN on a Service Template
Device> enable
Device# configure terminal
Device(config)# policy-map type control subscriber cisco-subscriber
Device(config-event-control-policymap)# event authentication-failure match-first
Device(config-class-control-policymap)# 10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
Device(config-action-control-policymap)# 10 activate service-template CRITICAL-DATA
Device(config-action-control-policymap)# 20 activate service-template CRITICAL-VOICE
Device(config-action-control-policymap)# 30 authorize
Device(config-action-control-policymap)# 40 pause reauthentication
Device(config-action-control-policymap)# exit
Device(config-class-control-policymap)# 20 class AAA-SVR-DOWN-AUTHD-HOST
Device(config-action-control-policymap)# 10 pause reauthentication
Device(config-action-control-policymap)# end
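A pre-deployment check for the restrictions and the critical-data note above, as an added example (not Cisco's code and not part of the original page). It assumes a running-config that uses the page's service-template and policy-map syntax plus the standard `switchport access vlan`, `switchport voice vlan` and `service-policy type control subscriber` interface lines, which the page does not show; the policy names, port names and VLANs 110 and 120 are constructed.

```python
import re

SAMPLE = """\
service-template CRITICAL-DATA
 vlan 116
service-template CRITICAL-VOICE
 voice vlan
policy-map type control subscriber GOOD
 event authentication-failure match-first
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template CRITICAL-DATA
   20 activate service-template CRITICAL-VOICE
policy-map type control subscriber VOICE-ONLY
 event authentication-failure match-first
  10 class AAA-SVR-DOWN-UNAUTHD-HOST do-until-failure
   10 activate service-template CRITICAL-VOICE
interface GigabitEthernet1/0/1
 switchport access vlan 110
 switchport voice vlan 120
 service-policy type control subscriber GOOD
interface GigabitEthernet1/0/2
 service-policy type control subscriber VOICE-ONLY
"""  # constructed sample config, not from the page; Gi1/0/2 breaks two rules

def blocks(config, prefix):  # block name -> child lines, for top-level blocks starting with prefix
    out, cur = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):   # a top-level command opens a new block
            cur = out.setdefault(line.split()[-1], []) if line.startswith(prefix) else None
        elif cur is not None:
            cur.append(line.strip())
    return out

def audit(config):  # (port, problem) pairs for ports whose control policy activates critical voice
    tpl = blocks(config, "service-template ")
    pol = blocks(config, "policy-map type control subscriber ")
    findings = []
    for port, body in blocks(config, "interface ").items():
        text = "\n".join(body)
        bound = re.findall(r"^service-policy type control subscriber (\S+)$", text, re.M)
        used = [t for p in bound for l in pol.get(p, []) for t in re.findall(r"activate service-template (\S+)", l)]
        if any("voice vlan" in tpl.get(t, []) for t in used):
            crit = {l.split()[1] for t in used for l in tpl.get(t, []) if re.fullmatch(r"vlan \d+", l)}
            voice = set(re.findall(r"^switchport voice vlan (\d+)$", text, re.M))
            data = crit | set(re.findall(r"^switchport access vlan (\d+)$", text, re.M))
            checks = [("critical voice without critical data", not crit),
                      ("no voice VLAN configured on port", not voice),
                      ("voice and data share a VLAN", bool(voice & data))]
            findings += [(port, msg) for msg, bad in checks if bad]
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports GigabitEthernet1/0/2 twice: its policy activates the critical voice template without a critical data template, and the port has no voice VLAN.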
Feature Information for Critical Voice VLAN Support
This table provides release and related information for the features explained in this module.
These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.
Release | Feature Name | Feature Information |
---|---|---|
Cisco IOS XE Everest 16.5.1a | Critical Voice VLAN Support | This feature enables critical voice VLAN support, which puts phone traffic into the configured voice VLAN of a port if the authentication server becomes unreachable. |