Monday, June 2, 2008

Cisco NAC with IP Phones


One question that many people ask is how to deal with IP Phones during a NAC deployment. The easy answer is "it depends", but what does it actually depend on?

Identify all of the phones:

To find all of the phones on your network you can either go through your Call Manager (or other voice server) manually and export a list, or use Cisco NAC Profiler to discover the phones. Note that the list of IP Phone MAC addresses in the CAM Device Filter table must be kept up to date: a phone that is not in the table will not be excluded from NAC, and a stale entry for a phone that has been retired is an exemption waiting to be reused by some other device.

Determine your NAC deployment type:

When deploying an In-Band (IB) NAC deployment, handling phones is simple. If all of the phones are on a dedicated voice VLAN, they should bypass NAC entirely: as long as the voice VLAN is not bridged or routed through the CAS, the phones never go through NAC. The other possibility is that the phones are on the same VLAN as the users. (It is a best practice to separate voice devices from data devices, both for security and for performance/QoS.) If voice and data are merged and you have an IB deployment, identify the MAC addresses of all phones and add them to the Device Filter table as "Allow" filters. An Allow filter lets those MAC addresses through the CAS without authentication or posture assessment. Bear in mind that a MAC-based Allow filter is only as strong as the MAC address: anything that spoofs a phone's MAC gets the same exemption, which is one more reason to keep voice on its own VLAN.

Figure 1 - Allow Filter for a phone (IB deployment with Data/Voice Combined)

When deploying an Out-of-Band (OOB) NAC deployment there are a few more things to think about. OOB works by setting a port's VLAN to an authentication/quarantine VLAN while the NAC process runs and then switching the port to the access VLAN once the user has passed. When PCs are daisy-chained behind phones, you must ensure a few basics are covered.

Don't miss a call, even when NAC is deployed:

The first step required to make sure NAC does not interfere with phones is to ignore all SNMP traps caused by phones plugging in. This is done by adding a device filter of type "ignore" to the CAM. Note that this configuration is the same regardless of the vendor or type of phone. Also keep in mind that the switch port's link state does not change when a PC is plugged into the phone's PC port (the phone's own uplink stays up), so the CAM has to learn about the PC from a MAC-notification trap rather than a link-up trap.

Figure 2 - Ignore Filter for a phone (OOB deployment)

The next step is to ensure that none of the port profiles in use bounce the port for OOB. If the CAM bounces the port, the phone in front of the PC loses power on a PoE port and reboots, which causes missed calls and the like.

If you ensure these two steps are performed, then deploying NAC with phones is going to be easy.
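The following is an added worked example and is not code from the original post or from Cisco. It ties together the three steps above: it normalises the MAC addresses from a Call Manager-style export (a constructed sample, not a real export), maps them to Device Filter entries of the right type for the deployment (Allow for an IB deployment with merged data/voice, Ignore for OOB), and diffs them against what is already in the CAM so the table can be kept current. The CSV column names, the SEP<MAC> device-name convention being the only phone indicator, and the colon-separated MAC notation used for the output are assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample of a Call Manager phone export (not a real export file).
# Only the first column is needed; SEP<MAC> is the device-name convention
# for Cisco IP Phones, so other device types (CTI ports, gateways) are skipped.
SAMPLE_EXPORT = """Device Name,Description,Device Pool
SEP001122334455,Lobby phone,Default
SEP00AABBCCDDEE,Desk 201,Default
CTIPORT-RECEPTION,Reception CTI port,Default
sep001122334455,Duplicate lobby entry (lower case),Default
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a MAC as AA:BB:CC:DD:EE:FF from any common notation
    (SEP001122334455, 0011.2233.4455, 00-11-22-33-44-55, 00:11:22:33:44:55),
    or None if the input is not a MAC address."""
    s = raw.strip().lower()
    if s.startswith("sep"):            # Cisco phone device name: SEP + 12 hex digits
        s = s[3:]
    s = re.sub(r"[^0-9a-f]", "", s)   # drop ':', '-', '.' separators
    if not _HEX12.match(s):
        return None
    return ":".join(s[i:i + 2] for i in range(0, 12, 2)).upper()


def phones_from_export(csv_text):
    """Yield (mac, description) for each unique phone in the export."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Device Name"]
        if not name.lower().startswith("sep"):
            continue                   # not a phone
        mac = normalize_mac(name)
        if mac and mac not in seen:    # dedupe case/notation variants
            seen.add(mac)
            yield mac, row["Description"]


def device_filter_rows(phones, deployment):
    """Map phones to CAM Device Filter entries as (mac, type, description).
    deployment: 'IB' (data/voice merged) -> ALLOW; 'OOB' -> IGNORE."""
    filter_type = {"IB": "ALLOW", "OOB": "IGNORE"}[deployment]
    return [(mac, filter_type, desc) for mac, desc in phones]


def stale_and_missing(current_macs, export_text):
    """Compare MACs already in the Device Filter table with the export.
    Returns (stale, missing): stale entries should be removed from the CAM,
    missing ones added, otherwise phones will go through NAC (or a retired
    phone's MAC stays exempt)."""
    wanted = {mac for mac, _ in phones_from_export(export_text)}
    have = {normalize_mac(m) for m in current_macs} - {None}
    return sorted(have - wanted), sorted(wanted - have)


if __name__ == "__main__":
    for row in device_filter_rows(phones_from_export(SAMPLE_EXPORT), "OOB"):
        print(",".join(row))
    # Table currently holds the lobby phone plus one retired phone.
    print(stale_and_missing(["0011.2233.4455", "00-DE-AD-BE-EF-00"], SAMPLE_EXPORT))
```

Run it against a real export and the current filter list and the diff tells you exactly which entries to add or delete; the dedupe step matters because Profiler, Call Manager and switch CLI output all write MACs differently.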

Behind the scenes:

Cisco NAC Appliance may be deployed with almost any type of phone. The key is to understand how NAC works. There are two basic ways to configure a switchport with a PC and a phone:

Switchport with a Cisco IP Phone or other vendor IP Phone using CDP:

interface gigabitethernet 0/1
 switchport mode access
 switchport access vlan 10    <--- This is the VLAN NAC will change
 switchport voice vlan 11     <--- NAC will NEVER change this VLAN

With this deployment type, NAC never modifies the voice VLAN and therefore never affects the phone.

Switchport with an Avaya IP Phone or other vendor IP Phone using Trunking:

interface gigabitethernet 0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10    <--- This is the VLAN NAC will change

In this example the phone tags its own frames with the voice VLAN and passes the PC's frames through untagged, so the PC lands in the native VLAN. That is what lets the CAM change the native VLAN of the port to force the PC through NAC, or out of it once it has passed. On this style of port you should also restrict the trunk to just the native and voice VLANs (switchport trunk allowed vlan), otherwise a PC behind the phone can tag its own frames straight into any other VLAN carried on the trunk, bypassing NAC entirely.

Summary:

Hopefully this answers everyone's questions about how to deploy Cisco NAC Appliance with IP Phones. Keep the questions coming and I will be sure to keep posting!
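As an added worked example for the "Behind the scenes" section above (not code from the original post or from Cisco), here is a small audit of a switch running-config that classifies each phone-facing port into the two styles described, reports which VLAN the CAM would change and which VLAN the phone sits on, and flags the two misconfigurations that matter for NAC: an access port with no voice VLAN (the phone shares the data VLAN and needs a device filter) and a trunk that carries every VLAN or leaves the native VLAN at its default. The configuration text is a constructed excerpt, and the parser only understands the plain "switchport" lines shown on this page (no "allowed vlan add" lines or VLAN ranges), which is an assumption made to keep the example short.

```python
import re

# Constructed running-config excerpt (not from a real switch): one port of
# each style from the post, plus two ports with problems worth catching.
SAMPLE_CONFIG = """!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 11
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,11
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} per interface stanza."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None        # '!' or any top-level line ends the stanza
    return stanzas


def _value(lines, prefix):
    """Value after the first line that starts with prefix, else None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def classify_port(lines):
    """Describe how NAC OOB would treat this port: which VLAN the CAM changes
    ('nac_vlan'), where the phone lives ('voice_vlan') and any warnings."""
    mode = _value(lines, "switchport mode")
    warnings = []
    if mode == "access":
        nac_vlan = _value(lines, "switchport access vlan") or "1"   # IOS default
        voice = _value(lines, "switchport voice vlan")
        if voice is None:
            warnings.append("no voice vlan: phone shares the data VLAN and needs "
                            "an Allow (IB) or Ignore (OOB) device filter")
        return {"style": "access+voice", "nac_vlan": nac_vlan,
                "voice_vlan": voice, "warnings": warnings}
    if mode == "trunk":
        native = _value(lines, "switchport trunk native vlan")
        if native is None:
            warnings.append("native vlan left at default 1")
            native = "1"
        allowed = _value(lines, "switchport trunk allowed vlan")
        if allowed is None:
            warnings.append("trunk allows all VLANs: prune to native+voice so a PC "
                            "behind the phone cannot tag into other VLANs")
            voice = None
        else:                     # comma-separated list only (no ranges/add)
            voice = ",".join(v for v in allowed.split(",") if v != native) or None
        return {"style": "trunk", "nac_vlan": native,
                "voice_vlan": voice, "warnings": warnings}
    return {"style": "unknown", "nac_vlan": None, "voice_vlan": None,
            "warnings": ["not an access or trunk port"]}


def audit(config_text):
    """Classify every interface stanza in a running-config."""
    return {name: classify_port(lines)
            for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(name, result)
```

Feed it the output of "show running-config" and check that every port a phone is expected on comes back with a voice VLAN and no warnings before enabling an OOB port profile on it.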
