And what is the best practice / safest way to do this? Let me get into the gory details:
When you plug in a phone, there are two scenarios:
- Without any sort of Authentication/NAC: it announces itself as a phone using LLDP/CDP and the switch replies that same way (for VLAN assignment etc.).
- With Auth/NAC: the answer of the NAC counts (accept, deny, VLAN assignment), if it contains attributes indicating the client is a phone, the switch might react differently.
In the first case (no NAC):
- If the switchport carries the magic "switchport voice vlan XXX" it will send back another LLDP/CDP frame indicating the VLAN to use. The phone will tag its traffic in that VLAN.
- In essence we trust whoever claims they are a phone that they indeed are a phone. Probably there is no problem with that in the sense that the voice VLAN is isolated anyway. A hacker would probably not claim to be a phone since that would just put him into the restricted area of the network.
In the second case (NAC):
- VLAN is assigned by the NAC and "switchport voice vlan XXX" is sort of redundant/unnecessary (you might think).
- Since NAC can instruct the switch which VLAN to use for that session no further dialog (LLDP/CDP) would be necessary.
However: It does not seem that the phone connects if NAC includes Cisco-AVPair with "device-traffic-class=voice" and "switchport voice vlan XXX" is NOT configured on that port.
Which brings me to the question: Why do we need to make our lives miserable and take care of the NAC responding using special attributes for phones (e.g. Cisco-AVPair) in order for the switch to apply special configuration ("switchport voice vlan"...) when we could just treat the phones like "normal" clients, use the NAC-assigned VLAN and call it a day?
No comments:
Post a Comment