OK, here's a question for you that so far has been the 'showstopper' for a CCA deployment in my company:
We have a 100% Cisco network (2821 routers and 3560G-PoE and 6509 switches) but have non-Cisco VoIP phones. Switchports are configured with 'switchport access vlan [datavlan]' and 'switchport voice vlan [voicevlan]'. PCs plug into the phones, which then plug into the switchports. When a phone boots, it is initially in the native [datavlan]. It does a DHCP broadcast, and gets a response from the DHCP server which includes a special option that tells the phone what voice VLAN it needs to be in (PCs just ignore the option). The phone then reboots, and does dot1Q trunking in [voicevlan], does another DHCP broadcast, and the subsequent DHCP offer includes the phone's final IP address in the [voicevlan], the IP address of the communications gateway, the TFTP server for code updates, etc.
Yes, I know this all seems a little convoluted, but it's the way the two biggest non-Cisco VoIP vendors play in a Cisco data network since they don't have CDP. And, it actually works pretty well, all things considered.
So, in a CCA L3 OOB environment, the showstopper is that once a PC has been cleaned/validated and is going to be granted access to the network, the entire switchport needs to be 'bounced' (i.e. a 'shutdown' and 'no shutdown') in order for the PC to sense the loss of connectivity, and then re-DHCP in order to pick up the new 'out-of-band' VLAN. This, of course, will also bounce the VoIP phone in the process, thus dropping the call and forcing the phone to go through the aforementioned double-DHCP boot process.
This was supposed to be fixed by the new 4.0 CCA code, but the release notes still carry a message that 'it will be fixed in a future maintenance release'.
Anyone out there know the status of this? And, is anyone out there running CCA in conjunction with a non-Cisco VoIP implementation?
Hi there, we are just about to deploy NAC with non-Cisco phones, and PCs are connected to the VoIP phones. All ports on the 3560 switches are set to trunk ports, as the phone does tagging for voice and untagging for the PC. I guess it's almost identical to your deployment; we have a DHCP server which gives out the config file name, FTP server, etc.
I was told by a consultant that trunk ports won't work with the NAC OOB solution. I was wondering how you handled this situation? Any luck resolving this? Do you have any advice for us?
V4.1.2 works for IP Phones. It also works with Nortel phones, last I tried. The NAC Agent or Web Login (via ActiveX or Java applet) will do an IP release/renew, so you don't have to bounce the port. The issue I am finding is when you clear the certified list, the PC stays on the L3 user role VLAN, but the switch port changes back to the auth VLAN. This is because the switchport cannot be bounced with an IP Phone, so the PC doesn't know to release/renew, and the NAC Agent or Web Login (via ActiveX or Java) doesn't do a release/renew. I am going to post this question to the forum.