CCA OOB with IP Phones

jheckart
Level 3

Hi,

I am currently considering a NAC solution with Clean Access out of band, but am not sure how well this will work with IP phones. I have 700+ Cisco IP phones utilizing PoE, with a PC plugged into the back.

As I understand CCA OOB, if a user were to plug a PC into the back of a phone, the VLAN for the PC would change to an untrusted VLAN for compliance/remediation. I would obviously not have the voice VLAN checked, but I'm not sure how well the phone would work while the access VLAN on the port changes.

The access switches are a mix of 3550/60's, and the phones are a mix of 7912/60/70.

Does anyone have experience with this, good or bad?

Thanks.


jbalchunas
Level 1

My company will be doing the same thing. I recently returned from a CCA class in Texas. The class material did not cover this, but the instructor had a few slides about how to set up CCA OOB with VoIP phones. Because the slides were still confidential, he could not distribute those to us.

I took some notes, but don't have them with me right now. I'll post what I have, probably tomorrow. The man in charge of CCA at Cisco put the presentation together, Nick Chong. I'm hoping that Cisco releases these soon so we can benefit from it.

Here's the gist of the slide presentation:

OOB VoIP is configured using Profiles so that Voice traffic bypasses the CAS and Data traffic traverses the CAS. The phone is put into two separate VLANs. The phone's MAC Address then has to be added to a Filter Device so that it is in the Default Access VLAN and does not switch over to Auth VLAN.

The switch that the phone is plugged into is set for SNMP mac-notification only (no link up/down) so the CAS knows what device is connecting and doesn't bounce the port for a VLAN change. The Filter helps to do this. Apparently, you can also export all your VoIP MAC addresses via the Call Manager Bulk Admin Tool.

In the Profile Settings, create a new profile for the VoIP phones with Default Auth and Default Access VLANs. Ensure that "Switch VLAN if device is in global device filter list", "Switch to Default Access VLAN if certified and in OOB user list", and "Switch to Default Auth VLAN if certified but not in OOB user list" are checked.

I'm sure there is more, but this is what I jotted down from the slides. I hope this helps or at least points you in the right direction.
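
Added example, not part of the original thread or of any Cisco tooling: since every MAC in the device filter stays in the Default Access VLAN and never sees the Auth VLAN, the list built from the Bulk Admin Tool export is worth validating before import. The sketch below assumes a CSV export with `Device Name` and `Description` columns and a one-entry-per-line `MAC description` output; both are assumptions to adjust to your export and filter import format, and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample of a Bulk Admin Tool phone export. The column names
# and every row are made up for illustration.
SAMPLE_EXPORT = """Device Name,Description
SEP001122334455,Lobby 7960
sep00112233445a,Desk 7912
SEP001122334455,Lobby 7960 again
SEP0011223344,Truncated name
SEP01005E000001,Group-bit address
ATA00AABBCCDDEE,Analog adapter
"""

# Cisco IP phones register as "SEP" followed by the 12 hex digits of the MAC.
SEP_NAME = re.compile(r"SEP([0-9A-F]{12})")


def phone_macs(export_text, name_column="Device Name"):
    """Return ({mac: description}, [rejected device names]) from an export."""
    macs, rejected = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get(name_column) or "").strip().upper()
        match = SEP_NAME.fullmatch(name)
        # Reject non-phone names and addresses with the multicast/group bit
        # set: a real device never uses one as its source MAC.
        if not match or int(match.group(1)[:2], 16) & 1:
            rejected.append(name)
            continue
        digits = match.group(1)
        mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
        # Keep the first description seen; duplicate rows collapse to one entry.
        macs.setdefault(mac, (row.get("Description") or "").strip())
    return macs, rejected


def filter_lines(macs):
    """One 'MAC description' line per phone (assumed import format)."""
    return [f"{mac} {desc}".rstrip() for mac, desc in sorted(macs.items())]


if __name__ == "__main__":
    accepted, skipped = phone_macs(SAMPLE_EXPORT)
    print("\n".join(filter_lines(accepted)))
    print("skipped:", skipped)
```

Review the rejected names by hand rather than forcing them into the filter, because each accepted entry is a device that skips the Auth VLAN.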

Jbalchunas,

This was exactly what I was looking for. It hasn't made sense that Cisco's solution doesn't support Cisco's IP phones.

We have some demo gear that I will give this a try with.

Thanks,

Jeff

Glad I could help

-Joe
