Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAC and IP Phones

I have been reading the forums about NAC and  IP Phones, Cisco and Non Cisco. Can somebody help me understand how NAC works with LLDP and CDP for Phones. Will it automaticly bypass the phone since they will be on the voice vlan? Or how does that work. The previous Forms seem to be a bit confusing around this subject, escpically LLDP.

Any help would be great.


Community Member

Re: NAC and IP Phones

I'll take a shot at helping...

In our OOB Virtual Gateway deployment of  NAC 4.6  we are running 7960's on 4506's with PoE blades.  Computers are connected through the phones.

In our deployment CDP has nothing to do with I understand it.

We are using SNMP Mac-Notifications so NAC is waiting to learn about MACs on each port.  Our phone MACs are filtered in NAC to: "Ignore"

When the Switch sends the Mac-Notification to NAC, the IP Phone MAC addresses are Ignored, no action is taken.

here's a port config:

interface FastEthernet3/18
switchport access vlan 20
switchport mode access
switchport voice vlan 40
spanning-tree portfast

we had a very strange issue where about 25% of NAC-ed users were getting booted back to the Auth Vlan once a day, twice a day, twice a week?  It was very random.  A couple of users were getting thrown into the Auth Vlan every minute.  I had to un-NAC their switch port to get them (and me) some relief.

In the end we found that the 7960's of the Users experiencing the issue were not in the Filter List on NAC.  NAC was getting notified about the Phone MAC and toggling the port to the Auth vlan.  This of course had no impact on the phone (on the Voice Vlan.)  But the PC was getting dumped into the Auth Vlan so the Agent had to rerun/reauth.

Big caveat:   I'm a NAC Novice.  I'm not making any claims that CDP is irrelevant, unnecessary, or otherwise dismissable.  I'm just sharing my microscopic experience with our NAC install.


ps. we now use Profiler to populate the Filter list.  it wasn't yet in production when we had the issue.

CreatePlease to create content