Cisco Support Community
New Member

CCA OOB with IP Phones

Hi,

I am currently considering a NAC solution with Clean Access out of band, but am not sure how well this will work with IP phones. I have 700+ Cisco IP phones utilizing PoE, with a PC plugged into the back.

As I understand CCA OOB, if a user were to plug a PC into the back of a phone, the VLAN for the PC would change to an untrusted VLAN for compliance/remediation. I would obviously not have the voice VLAN checked, but I'm not sure how well the phone would work while the access VLAN on the port changes.

The access switches are a mix of 3550/60's, and the phones are a mix of 7912/60/70.

Does anyone have experience with this, good or bad?

Thanks.

4 REPLIES
New Member

Re: CCA OOB with IP Phones

My company will be doing the same thing. I recently returned from a CCA class in Texas. The class material did not cover this, but the instructor had a few slides about how to set up CCA OOB with VoIP phones. Because the slides were still confidential, he could not distribute those to us.

I took some notes, but don't have them with me right now. I'll post what I have, probably tomorrow. The man in charge of CCA at Cisco put the presentation together, Nick Chong. I'm hoping that Cisco releases these soon so we can benefit from it.

New Member

Re: CCA OOB with IP Phones

Here's the gist of the slide presentation:

OOB VoIP is configured using Profiles so that Voice traffic bypasses the CAS and Data traffic traverses the CAS. The phone is put into two separate VLANs. The phone's MAC Address then has to be added to a Filter Device so that it is in the Default Access VLAN and does not switch over to Auth VLAN.

The switch that the phone is plugged into is set for SNMP mac-notification only (no link up/down) so the CAS knows what device is connecting and doesn't bounce the port for a VLAN change. The Filter helps to do this. Apparently, you can also export all your VoIP MAC addresses via the Call Manager Bulk Admin Tool.

In the Profile Settings, create a new profile for the VoIP phones with Default Auth and Default Access VLANs. Ensure that "Switch VLAN if device is in global device filter list", "Switch to Default Access VLAN if certified and in OOB user list", and "Switch to Default Auth VLAN if certified but not in OOB user list" are checked.

I'm sure there is more, but this is what I jotted down from the slides. I hope this helps or at least points you in the right direction.
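
The reply above mentions exporting phone MAC addresses from Call Manager to populate the device filter. As an added example (not part of the original post and not Cisco's tooling), this sketch cleans such an export before it is imported as a filter list. The CSV column name and the colon-separated output format are assumptions; Cisco phone device names take the form `SEP` followed by the MAC.

```python
import csv
import io
import re

# Constructed sample of a phone export; the column names are assumptions,
# not the actual Bulk Admin Tool layout.
SAMPLE_EXPORT = """Device Name,Description
SEP001121AABB01,Lobby 7960
sep001121aabb01,Lobby 7960 (duplicate row)
0011.21aa.bb02,Front desk 7912
00-11-21-AA-BB-03,Conference 7970
SEP031121AABB04,Group bit set
SEP001121AABB,Too short
"""

HEX12 = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or raise ValueError for unusable input."""
    text = raw.strip().upper()
    if text.startswith("SEP"):          # Cisco phone device name: SEP + MAC
        text = text[3:]
    text = re.sub(r"[.:\-]", "", text)  # dotted, colon and hyphen notations
    if not HEX12.match(text):
        raise ValueError("not a 48-bit MAC")
    if int(text[:2], 16) & 0x01:        # group bit: never a station address
        raise ValueError("multicast/group address")
    return ":".join(text[i:i + 2] for i in range(0, 12, 2))

def build_filter_list(export_text, column="Device Name"):
    """Split an export into (unique normalized MACs, rejected rows)."""
    accepted, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = row.get(column) or ""
        try:
            mac = normalize_mac(raw)
        except ValueError as err:
            rejected.append((raw, str(err)))
            continue
        if mac not in seen:             # skip repeated devices
            seen.add(mac)
            accepted.append(mac)
    return accepted, rejected

if __name__ == "__main__":
    macs, bad = build_filter_list(SAMPLE_EXPORT)
    print("\n".join(macs))
    print("rejected:", bad)
```

Rejected rows are returned rather than silently dropped, so entries that would never match a real phone can be reviewed before the list is imported.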

New Member

Re: CCA OOB with IP Phones

Jbalchunas,

This was exactly what I was looking for. It hasn't made sense that Cisco's solution doesn't support Cisco's IP phones.

We have some demo gear that I will give this a try with.

Thanks,

Jeff

New Member

Re: CCA OOB with IP Phones

Glad I could help

-Joe
