Developers guide

Chapter 14
Copyright © 2008-2013 Inverse inc.
More on VoIP Integration
VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators tend to
think that deploying VoIP alongside a NAC is a huge, complicated challenge. In fact, depending on the
hardware you have, it is not. In this section, we will see why.
CDP and LLDP are your friend
For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start
by reading up on the topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on
all Cisco-manufactured equipment, including routers, access servers, bridges, and switches. Using CDP,
a device can advertise its existence to other devices and receive information about other devices on
the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine whether
the connecting device is an IP phone, and to tell the IP phone to tag its Ethernet frames with the
voice VLAN configured on the switch port.
On equipment from many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer
Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used
by network devices for advertising their identity, capabilities, and neighbors. Like CDP, LLDP can
tell an IP phone which VLAN ID is the voice VLAN.
VoIP and VLAN assignment techniques
As you already know, PacketFence supports many VLAN assignment techniques, such as port-security,
MAC authentication, and 802.1X. Let’s see how VoIP works with each of them.
Port-security
Using port-security, the VoIP device relies on CDP/LLDP to tag its Ethernet frames with the voice
VLAN configured on the switch port. After that, we ensure that a security trap is sent from the voice
VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another
security trap will be sent, but from the data VLAN. That way, we will have one MAC address authorized
on the voice VLAN, and one on the access VLAN.
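
The trap sequence described above, replayed against a simplified model of a per-port authorization table. This is an added example, not PacketFence code. The VLAN IDs, MAC addresses and port name are constructed, and keeping the first MAC seen on each VLAN while refusing later ones is an assumed policy for the model.

```python
"""Simplified model of per-port MAC authorization driven by port-security traps.

Added illustration, not PacketFence code. All values below are constructed.
"""
from dataclasses import dataclass, field

VOICE_VLAN = 100   # assumed voice VLAN configured on the switch port
ACCESS_VLAN = 10   # assumed data (access) VLAN on the same port


@dataclass
class Port:
    name: str
    # VLAN ID -> the single MAC authorized on that VLAN for this port.
    authorized: dict = field(default_factory=dict)

    def handle_trap(self, mac: str, vlan: int) -> str:
        """Process one security trap (unauthorized MAC seen on `vlan`)."""
        mac = mac.lower()
        if vlan not in (VOICE_VLAN, ACCESS_VLAN):
            return "ignored: trap from unexpected VLAN"
        current = self.authorized.get(vlan)
        if current == mac:
            return "already authorized"
        if current is not None:
            # Assumed policy: one MAC per VLAN, the first one wins.
            return "rejected: VLAN slot already holds " + current
        self.authorized[vlan] = mac
        kind = "voice" if vlan == VOICE_VLAN else "access"
        return f"authorized on {kind} VLAN {vlan}"


def replay(traps):
    """Replay (mac, vlan) traps for one port; return decisions and final table."""
    port = Port("port-1")
    decisions = [port.handle_trap(mac, vlan) for mac, vlan in traps]
    return decisions, port.authorized


# Constructed sequence: the phone tags the voice VLAN after CDP/LLDP, the PC
# connects behind it on the data VLAN, then a third device shows up there.
SAMPLE_TRAPS = [
    ("02:00:00:00:00:01", VOICE_VLAN),   # IP phone
    ("02:00:00:00:00:02", ACCESS_VLAN),  # PC behind the phone
    ("02:00:00:00:00:03", ACCESS_VLAN),  # extra device, no free slot
]

if __name__ == "__main__":
    for decision in replay(SAMPLE_TRAPS)[0]:
        print(decision)
```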