MAC Authentication Bypass to enable Multiple Voice Vlans on Cisco switches

I have a network with Cisco Catalyst 2960X switches. We are rolling out a new phone system in phases. We want to keep the old system in place as we put in the new phones. To this end, we need multiple voice VLANs. Another question on here pointed to a solution using MAC Authentication Bypass, but it did not give an example configuration. I am not familiar enough with the VoIP side to configure this; can someone please assist? (BTW, the other phone system is Allworx.)

https://www.experts-exchange.com/questions/29020081/Multiple-Voice-Vlans-on-Cisco-switch.html
jconklin-ansinc-net Asked:

JustInCase Commented:
You have a configuration of MAB for voice at the link provided in the question that you are referring to: Deploying IP Telephony in IEEE 802.1X Networks Design and Configuration Guide
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
interface FastEthernet2/48
 switchport access vlan 40
 switchport mode access
 switchport voice vlan 41
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
 spanning-tree bpduguard enable
!
radius-server host 10.200.1.52 key cisco123

On recent IOS versions, the RADIUS and TACACS+ configuration code has changed:
radius server RADIUS
 address ipv4 10.200.1.52
 key cisco123

Some versions may or may not allow port configuration after the IP address
(address ipv4 172.20.254.4 auth-port 1645 acct-port 1646).
0
jconklin-ansinc-net Author Commented:
Predrag Jovic: The configuration only references 1 voice vlan. What I am needing is for phones from the Allworx system to reference, say, voice vlan 41, but the Cisco phones to reference voice vlan 42. I am not really seeing how the config you've done allows 2 phone systems.
0
JustInCase Commented:
Are you connecting 2 phones to one port?
0
jconklin-ansinc-net Author Commented:
Predrag Jovic: They want to be able to plug any phone into any port. There are 3 x 48-port switches and they don't want to have to track down every port and change configs every time they move a phone. I think they may even want to plug a hub into some ports and run more than 1 phone that way, so potentially, yes, there could be 2 phones in 1 port.
0
JustInCase Commented:
If there will be more than one phone, you can't use a configuration like the one above; I guess you would need to create a trunk interface. Plugging in any phone is an option even in the same VLAN; generally there is no need for 2 separate VLANs, as in one VLAN you can still configure two different IP address ranges, IP address reservations, etc.
But, unfortunately, I am not deep in voice technology, and typically on locations I have one voice device and one data device per port everywhere, no more than that.
0
jconklin-ansinc-net Author Commented:
Predrag Jovic: You had recommended MAB in another thread also about multiple voice vlans. Is MAB not a solution to this issue? Can you trunk a voice vlan? Maybe using 2 sets of IP reservations is the answer. I will be working on this on Monday and respond then.
0
JustInCase Commented:
Is MAB not a solution to this issue?
There is a case where MAB can push a device into a different VLAN than the one configured on the port, but I am not sure if it is applicable here. Typically we do it for unauthorized devices that do not pass RADIUS validation (devices are moved to a restricted VLAN, typically used for guests). That could be used, but security is problematic since any unauthorized device will be added to the voice VLAN. What I see in production is that devices are assigned to the voice VLAN that is already configured on the port. Maybe the issue could be resolved by dynamic VLAN assignment, but I am not sure about that solution.
Can you trunk a voice vlan?
Yes. You can configure a port as a trunk for voice devices (but it is considered problematic from a security point of view); actually, there are 4 different possible configurations for a voice port on a Cisco switch (excluding classic trunk configuration). The recommended voice port configuration on Cisco is just a special trunk type (switchport voice vlan x). Maybe you could use the configuration for voice below, but I have never used it so far:
interface gigabitethernet0/1
 mls qos trust cos
 switchport voice vlan dot1p

dot1p - Configure the phone to use IEEE 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1p priority of 5.

I have not run into a request for 2 different VLANs for voice on one port so far, and unfortunately, I don't have access to voice equipment at the moment to test a possible solution.
0
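
The dynamic VLAN assignment mentioned in the answer above, shown as the RADIUS-side decision for a MAB request (an added example, not code from this thread or from Cisco). The OUI prefixes and function names are constructed, VLANs 41 and 42 are the ones named in the question, and it assumes the switch applies a RADIUS-assigned VLAN to the voice domain.

```python
import re

# Constructed OUI prefixes for illustration only (locally administered range);
# replace them with the prefixes actually observed on your handsets.
OUI_TO_VOICE_VLAN = {
    "02aaaa": 41,  # hypothetical Allworx handsets -> voice VLAN 41
    "02bbbb": 42,  # hypothetical Cisco handsets   -> voice VLAN 42
}

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def authorize_mab(username):
    """Decide the RADIUS reply for a MAB request, where username is the MAC."""
    mac = normalize_mac(username)
    if mac is None:
        return {"code": "Access-Reject", "reason": "not a MAC address"}
    vlan = OUI_TO_VOICE_VLAN.get(mac[:6])
    if vlan is None:
        # Default deny: an unknown device never lands in a voice VLAN.
        return {"code": "Access-Reject", "reason": "unknown OUI"}
    # The MAC is claimed by the device, not proven, so this reply should
    # only ever grant access to a VLAN that is filtered accordingly.
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",                         # RFC 3580 VLAN assignment
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
        "Cisco-AVPair": "device-traffic-class=voice",  # place in voice domain
    }

if __name__ == "__main__":
    # Constructed sample usernames in the formats a switch or admin may use.
    for sample in ["02aa.aa00.0001", "02:BB:BB:00:00:02", "02cccc000003", "printer"]:
        print(sample, authorize_mab(sample))
```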
arnold Commented:
The difficulty in your question is that commonly voice vlan auto assigns phones to Voice vlan based on ...

What you are trying is best done by using separate switches for new versus old.

Are you connecting both at the same time?
Are the old phones supported by the new pbx? Or

To achieve what you want, you would need to explicitly assign new phones to the new voice vlan.
0
jconklin-ansinc-net Author Commented:
I don't think MAB was relevant to the issue. We are going to use separate switches for the 2 systems.
0