VoIP Phones: VMPS mode
Introduction
To do: The topic of IP phones and VMPS has come up for discussion many times; it would be useful to have a document with our knowledge to date.
Tests have been done several times since 2006, but we don't yet have a production installation with a VoIP phone population to document tests in detail.
In principle, Cisco phones on recent IOS switches should work.
Some links to relevant forum topics on using a Cisco VoIP phone with a voice VLAN for the phone, and VMPS for the PC connected to the phone:
Switchport VOICE vlan..
http://www.freenac.net/phpBB2/viewtopic.php?t=113
(this thread that is two pages long)
1. Initial tests
Cisco IP Phone 7960
Firmware version: 7.4
Application Load ID: POS3-07-4-00
Boot Load ID: PC03A300
DSP Load IP: PS03AT45
Tests done:
On the switch, the port that the IP phone connects to was configured with voice vlan=524.
When the IP phone is plugged in, VMPS detects the phone and says DENY, but the phone is still able to get an IP address because the voice VLAN on the switch is set to 524.
If we remove the voice VLAN from that port, the phone can't get an IP address.
Then, after modifying the database so that VMPS returns VLAN 524 when the IP phone is connected to the switch, we get:
vmpsd: ==================================
vmpsd: VQP Request
vmpsd: Unknown: 1
vmpsd: Request Type: 1
vmpsd: Response: 0
vmpsd: No. Data Items: 6
vmpsd: Sequence No.: 38
vmpsd: Client IP address: 192.168.254.26
vmpsd: Port name: Fa0/2
vmpsd: Vlan name: --NONE--
vmpsd: Domain name: seclab2
vmpsd: MAC address: 0007eb18390d
vmpsd_external[5218]: decide: Request for (192.168.254.26,Fa0/2) unknown(0007.eb18.390d), KEINE, vlan=524
vmpsd_external[5218]: Debug1: decide: Check for hubs..
vmpsd_external[5218]: get_port_status: found 00b0.d00c.64b2, vlan=521, 2006-10-25 10:16:51
vmpsd_external[5218]: ping 192.168.201.226 - 00b0.d00c.64b2 <----- IP and MAC of the device that was connected prior to the connection of the IP phone.
vmpsd_external[5218]: Ping Error no answer: PING 192.168.201.226 (192.168.201.226) 56(84) bytes of data. --- 192.168.201.226 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1001ms
vmpsd_external[5218]: Debug1: get_port_status: no conflict since IP is invalid or cannot be pinged. Flap is still a risk..
vmpsd_external[5218]: decide: unknown, KEINE, vlan result=524 on switch 192.168.254.26 Fa0/2
vmpsd_external[5218]: Debug1: DecidedVlan=524
vmpsd: External prog says: ALLOW IP_Phone
vmpsd: ALLOW: 0007eb18390d -> IP_Phone, switch 192.168.254.26 port Fa0/2
The phone can't get an IP address. The voice VLAN has to be configured on the port.
After configuring the voice VLAN on the port again, we ran some tests with the IP phone's port that connects to the PC.
When a laptop is connected to the IP phone's port, VMPS works as usual and the laptop gets access according to its rights in the database.
If an authorized laptop connects to the phone's port, a request is sent to VMPS, VMPS returns the VLAN, and the computer gets an IP address. If we then unplug that laptop and connect an unauthorized laptop to the phone's port, no further requests reach VMPS, and the unauthorized laptop can use the network because the switch port is still open from the previous successful VMPS request.
The switch port keeps the status set by the first connection to the phone's port. Further connections to the phone's port don't generate VMPS requests, so the switch port status always remains that of the first VMPS request.
The only way to generate more VMPS requests is to shut down the phone.
Next: shut down the phone, connect the laptop to the phone's port and turn the phone on. The laptop connected to the IP phone is allowed in the VMPS DB. Then plug the phone into the switch port. This generates one VMPS request per device: one for the IP phone and another for the laptop.
Now, if we just switch the phone off and on again without unplugging it from the switch, only one VMPS request is generated, for the laptop; none is generated for the IP phone.
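Because a device swapped in behind the phone produces no new VMPS request, the gap only shows up when the MAC addresses learned on the port are compared with the ALLOW decisions in the vmpsd log. The following Python code is an added example, not FreeNAC code: the function names, the `laptop_a` entry, the MACs 001122334455 and 00aabbccddee, and the `(switch, port, vlan, mac)` observation tuples (assumed to be collected from the switch's MAC address table) are constructed for illustration.

```python
import re

# Decision line format as it appears in the vmpsd log above:
#   vmpsd: ALLOW: 0007eb18390d -> IP_Phone, switch 192.168.254.26 port Fa0/2
ALLOW_RE = re.compile(
    r"vmpsd: ALLOW: (?P<mac>[0-9A-Fa-f.:-]+) -> \S+, "
    r"switch (?P<switch>\S+) port (?P<port>\S+)"
)

def norm_mac(mac):
    """Normalise 0007.eb18.390d or 0007eb18390d to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def allowed_macs(log_lines):
    """Map (switch, port) to the set of MACs that vmpsd answered with ALLOW."""
    allowed = {}
    for line in log_lines:
        m = ALLOW_RE.search(line)
        if m:
            allowed.setdefault((m["switch"], m["port"]), set()).add(norm_mac(m["mac"]))
    return allowed

def unvetted_macs(log_lines, observed, voice_vlan):
    """Return (switch, port, mac) seen on a data VLAN without a VMPS ALLOW."""
    allowed = allowed_macs(log_lines)
    findings = []
    for switch, port, vlan, mac in observed:
        if vlan == voice_vlan:
            continue  # the phone sits on the static voice VLAN, outside VMPS
        if norm_mac(mac) not in allowed.get((switch, port), set()):
            findings.append((switch, port, norm_mac(mac)))
    return findings

# First two lines are from the log above; the third is constructed.
SAMPLE_LOG = [
    "vmpsd: External prog says: ALLOW IP_Phone",
    "vmpsd: ALLOW: 0007eb18390d -> IP_Phone, switch 192.168.254.26 port Fa0/2",
    "vmpsd: ALLOW: 001122334455 -> laptop_a, switch 192.168.254.26 port Fa0/2",
]
# Constructed observations: (switch, port, vlan, mac) learned on the port.
SAMPLE_OBSERVED = [
    ("192.168.254.26", "Fa0/2", 524, "0007.eb18.390d"),  # phone, voice VLAN
    ("192.168.254.26", "Fa0/2", 521, "0011.2233.4455"),  # laptop with ALLOW
    ("192.168.254.26", "Fa0/2", 521, "00aa.bbcc.ddee"),  # swapped-in laptop
]

if __name__ == "__main__":
    for finding in unvetted_macs(SAMPLE_LOG, SAMPLE_OBSERVED, voice_vlan=524):
        print("no VMPS ALLOW for", finding)
```

Feed it only log lines from the port's current link-up period, so that an old ALLOW does not vouch for a device whose database entry has since changed.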
2. Comments from Dago
Made some first tests to have Cisco 79x0 phones with VMPS
The objective was to have the phone on the voice vlan & the pc connecting through the phone on a vmps-assigned VLAN.
With the configuration below, it is possible to have that working correctly. The phone goes automagically on VLAN 521 (with the CDP hack) while the pc goes on vmps-assigned vlan. If you look into the DB, VMPS doesn't see the phone while the connecting PC is authenticated through VMPS each time it reconnects.
- switch configuration :
!
cdp run
!
interface GigabitEthernet1/0/2
 description 5.076_5.12_dago_test
 switchport access vlan dynamic
 switchport mode access
 switchport voice vlan 521
 cdp enable
 spanning-tree portfast
!
- phone configuration : network port 2 type = PC (not Switch/Hub !)
3. Comments from Erich
Cisco
- VoIP on the Catalyst 3750 works flawlessly, i.e. the IP phone is not authenticated (because the voice VLAN is fixed), but the PC behind the phone is.
=> the behaviour with the IP phones is exactly 'work as designed', i.e. technically correct
- VoIP on the Catalyst 3500XL, i.e. an older model
=> does not work: either FreeNAC works with the device but the IP phones no longer work, or it is exactly the other way round
- I will investigate which devices definitely do not work and which should work, but I/ENG will not be able to give any guarantee that it works!
- [Sean Note]: please specify the exact firmware versions tested, and the use cases.
Nortel
- Nortel has a completely different boot-up procedure for its IP phones; here I first have to find someone who could do a reference installation
=> Nortel VoIP will tend to be a pain, because the IP phones first register as a 'normal' device and in a second step boot again to register as an IP phone, i.e. somehow the IP phones have to survive phase 1 (that is, register with SC NAC although they only need it after a factory reset...)
- [Sean Note]: I only expect Cisco phones to work, since VMPS is Cisco proprietary.
Siemens
Here I do not even know how to get to a reference installation, and I also have little know-how about IP phone registration.
[Sean Note]: I only expect Cisco phones to work, since VMPS is Cisco proprietary.