Restrictions for Cisco Discovery Protocol Bypass
Cisco Discovery Protocol Bypass does not support standard ACLs on the switch port.
In Cisco Discovery Protocol Bypass mode Cisco Discovery Protocol packets are received and transmitted unchanged. Received packets are not processed. No packets are generated. In this mode, 'bump-in-the-wire' behavior is applied to Cisco Discovery Protocol packets. This is a backward compatible mode, equivalent to not having Cisco Discovery Protocol support.
When a Cisco IP Phone is plugged into a port that is configured with a Voice VLAN and single-host mode, the phone will be silently allowed onto the network by way of a feature known as Cisco Discovery Protocol Bypass. The phone (or any device) that sends the appropriate Type Length Value (TLV) in a Cisco Discovery Protocol message will be allowed access to the voice VLAN.
In Cisco Discovery Protocol Bypass mode, authentication sessions are established in single-host and multi-host modes for IP phones. If a voice VLAN and 802.1X are both enabled on an interface, Cisco Discovery Protocol Bypass is enabled when the host mode is set to single-host or multi-host mode.
The Multi-Domain Authentication (MDA) feature can be used instead of Cisco Discovery Protocol Bypass, as it provides better access control, visibility, and authorization.
Note: By default, the host mode is set to single-host mode in legacy mode and to multi-authentication in edge mode.
Cisco Discovery Protocol Enhancement for Second Port Disconnect—Allows a Cisco IP phone to send a Cisco Discovery Protocol message to the switch when a host unplugs from behind the phone. The switch is then able to clear any authenticated session for the indirectly connected host, the same as if the host had been directly connected and the switch had detected a link-down event. This is supported on the latest IP phones.
Cisco Discovery Protocol Bypass provides no support for third-party phones—Cisco Discovery Protocol Bypass works only with Cisco phones.
Follow these steps to enable Cisco Discovery Protocol Bypass:

Command or Action | Purpose
---|---
Step 1: enable | Enables privileged EXEC mode.
Step 2: configure terminal | Enters global configuration mode.
Step 3: interface interface-id | Specifies a physical port and enters interface configuration mode.
Step 4: switchport mode access | Specifies that the interface is in access mode.
Step 5: switchport access vlan vlan-id | Assigns the port as a static-access port in the specified VLAN.
Step 6: switchport voice vlan vlan-id | Instructs the Cisco IP phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP phone forwards the voice traffic with an 802.1Q priority of 5. Valid VLAN IDs are from 1 to 4094 when the enhanced software image (EI) is installed and 1 to 1001 when the standard software image is installed. Do not enter leading zeros.
Step 7: authentication port-control auto | Enables 802.1X authentication on the port.
Step 8: authentication host-mode { single-host \| multi-host } | Sets the authentication host mode to single-host or multi-host.
Step 9: dot1x pae authenticator | Enables 802.1X authentication on the port with default parameters.
Cisco Discovery Protocol Bypass is enabled by default once 'authentication port-control auto' is configured together with dot1x or MAB, or if a voice VLAN is configured on the interface along with single-host or multi-host mode.
The following configuration example configures Cisco Discovery Protocol Bypass when authenticating using MAB.
Device(config)# interface GigabitEthernet1/0/12
Device(config-if)# switchport mode access
Device(config-if)# switchport access vlan 10
Device(config-if)# switchport voice vlan 3
Device(config-if)# authentication port-control auto
Device(config-if)# mab
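Because any device that presents the phone TLV is admitted to the voice VLAN on a port where Cisco Discovery Protocol Bypass is in effect, a defender wants to know which ports that applies to. The following Python script is an added example (not part of Cisco's documentation or software) that applies the rule stated above to a running-config: a port is flagged when it has a voice VLAN, 'authentication port-control auto', dot1x or MAB, and a host mode of single-host or multi-host. Ports configured with 'authentication host-mode multi-domain' (MDA) or multi-auth are not flagged. The running-config text and interface names are constructed for the example, and the script assumes the legacy default host mode of single-host when no host-mode command is present.

```python
import re
from typing import Dict, List

# Constructed sample running-config for the example (not taken from the page).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 3
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/13
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 3
 authentication port-control auto
 authentication host-mode multi-domain
 dot1x pae authenticator
!
interface GigabitEthernet1/0/14
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/15
 switchport mode access
 switchport voice vlan 3
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [interface sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the interface block
    return interfaces


def cdp_bypass_enabled(cmds: List[str], default_host_mode: str = "single-host") -> bool:
    """Apply the documented rule: bypass is in effect when the port has a voice VLAN,
    'authentication port-control auto', dot1x or MAB, and a single-host or
    multi-host host mode. default_host_mode is an assumption: legacy mode
    defaults to single-host (edge mode defaults to multi-auth)."""
    has_voice = any(c.startswith("switchport voice vlan") for c in cmds)
    has_auto = "authentication port-control auto" in cmds
    has_authn = "mab" in cmds or "dot1x pae authenticator" in cmds
    host_mode = default_host_mode
    for c in cmds:
        m = re.match(r"authentication host-mode (\S+)", c)
        if m:
            host_mode = m.group(1)
    return has_voice and has_auto and has_authn and host_mode in ("single-host", "multi-host")


def audit(config: str) -> List[str]:
    """Return the interfaces on which CDP Bypass is in effect, in config order."""
    return [name for name, cmds in parse_interfaces(config).items() if cdp_bypass_enabled(cmds)]


if __name__ == "__main__":
    for name in audit(SAMPLE_RUNNING_CONFIG):
        print(f"{name}: CDP Bypass in effect; consider 'authentication host-mode multi-domain'")
```

On the constructed config, GigabitEthernet1/0/12 (MAB, default single-host) and GigabitEthernet1/0/15 (multi-host) are reported; 1/0/13 uses MDA and 1/0/14 has no voice VLAN, so neither is flagged.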
The following example displays the Cisco Discovery Protocol neighbors of a port, including the second-port status reported by the phone.
Device# show cdp neighbors g1/0/37 detail
Device ID: SEP24B657B038DF
Entry address(es):
Platform: Cisco IP Phone 9971, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet1/0/37, Port ID (outgoing port): Port 1
Holdtime : 157 sec
Second Port Status: Down <<<<<<<<<<
Version :
sip9971.9-1-1SR1
advertisement version: 2
Duplex: full
Power drawn: 12.804 Watts
Power request id: 57146, Power management id: 4
Power request levels are:12804 0 0 0 0
Total cdp entries displayed : 1
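The Second Port Status field shown above is what the Second Port Disconnect enhancement relies on: when it is Down, no host should still hold an authenticated session behind that phone. The following Python parser is an added example (not Cisco code) that extracts the device ID, platform, capabilities, interface and second-port status from 'show cdp neighbors ... detail' output and lists the ports where a Phone-capable neighbor reports its second port as Up. The first entry in the sample is the page's own output with the '<<<<' annotation removed; the second entry is constructed for the example, and its device ID and version string are placeholders.

```python
import re
from typing import Dict, List

# First entry: the page's 'show cdp neighbors g1/0/37 detail' output.
# Second entry: constructed for the example (placeholder device ID and version).
SAMPLE_SHOW_CDP = """\
Device ID: SEP24B657B038DF
Entry address(es):
Platform: Cisco IP Phone 9971, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet1/0/37, Port ID (outgoing port): Port 1
Holdtime : 157 sec
Second Port Status: Down
Version :
sip9971.9-1-1SR1
advertisement version: 2
Duplex: full
Power drawn: 12.804 Watts
Power request id: 57146, Power management id: 4
Power request levels are:12804 0 0 0 0
-------------------------
Device ID: SEP000000000000
Entry address(es):
Platform: Cisco IP Phone 8841, Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet1/0/38, Port ID (outgoing port): Port 1
Holdtime : 120 sec
Second Port Status: Up
Version :
example-version-constructed
advertisement version: 2
Duplex: full
Total cdp entries displayed : 2
"""


def parse_cdp_detail(output: str) -> List[Dict[str, str]]:
    """Return one dict per neighbor entry with the fields relevant to CDP Bypass."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in output.splitlines():
        if line.startswith("Device ID:"):
            current = {"device_id": line.split(":", 1)[1].strip()}
            entries.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"Platform:\s*(.*?),\s*Capabilities:\s*(.*)", line)
        if m:
            current["platform"] = m.group(1).strip()
            current["capabilities"] = m.group(2).strip()
            continue
        m = re.match(r"Interface:\s*(\S+?),\s*Port ID \(outgoing port\):\s*(.*)", line)
        if m:
            current["interface"] = m.group(1)
            current["port_id"] = m.group(2).strip()
            continue
        m = re.match(r"Second Port Status:\s*(\S+)", line)
        if m:
            current["second_port_status"] = m.group(1)
    return entries


def phones_with_second_port_up(output: str) -> List[str]:
    """Ports where a neighbor advertises the Phone capability and reports its
    second (PC) port as Up, i.e. a host may be attached behind the phone."""
    return [
        e["interface"]
        for e in parse_cdp_detail(output)
        if "Phone" in e.get("capabilities", "") and e.get("second_port_status") == "Up"
    ]


if __name__ == "__main__":
    for entry in parse_cdp_detail(SAMPLE_SHOW_CDP):
        print(entry["interface"], entry["device_id"], entry.get("second_port_status"))
    print("second port up on:", phones_with_second_port_up(SAMPLE_SHOW_CDP))
```

Comparing the ports returned by phones_with_second_port_up with the switch's authenticated-session table is a straightforward way to spot a data-host session that persists after the phone has reported its second port Down.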
To disable Cisco Discovery Protocol Bypass, remove 'authentication port-control auto' from the interface.