Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2181
Views
0
Helpful
1
Replies

NAC and IP Phones

justin.allen
Level 1
Level 1

‎12-10-2009 06:43 AM - edited ‎02-21-2020 03:49 AM

I have been reading the forums about NAC and  IP Phones, Cisco and Non Cisco. Can somebody help me understand how NAC works with LLDP and CDP for Phones. Will it automaticly bypass the phone since they will be on the voice vlan? Or how does that work. The previous Forms seem to be a bit confusing around this subject, escpically LLDP.

Any help would be great.

Thanks

0 Helpful
1 Reply 1

kumezawa
Level 1
Level 1

‎01-13-2010 11:43 AM

I'll take a shot at helping...

In our OOB Virtual Gateway deployment of  NAC 4.6  we are running 7960's on 4506's with PoE blades.  Computers are connected through the phones.

In our deployment CDP has nothing to do with NAC...as I understand it.

We are using SNMP Mac-Notifications so NAC is waiting to learn about MACs on each port.  Our phone MACs are filtered in NAC to: "Ignore"

When the Switch sends the Mac-Notification to NAC, the IP Phone MAC addresses are Ignored, no action is taken.

here's a port config:

interface FastEthernet3/18
switchport access vlan 20
switchport mode access
switchport voice vlan 40
spanning-tree portfast

we had a very strange issue where about 25% of NAC-ed users were getting booted back to the Auth Vlan once a day, twice a day, twice a week?  It was very random.  A couple of users were getting thrown into the Auth Vlan every minute.  I had to un-NAC their switch port to get them (and me) some relief.

In the end we found that the 7960's of the Users experiencing the issue were not in the Filter List on NAC.  NAC was getting notified about the Phone MAC and toggling the port to the Auth vlan.  This of course had no impact on the phone (on the Voice Vlan.)  But the PC was getting dumped into the Auth Vlan so the Agent had to rerun/reauth.

Big caveat:   I'm a NAC Novice.  I'm not making any claims that CDP is irrelevant, unnecessary, or otherwise dismissable.  I'm just sharing my microscopic experience with our NAC install.

HTH

ps. we now use Profiler to populate the Filter list.  it wasn't yet in production when we had the issue.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card