Wed Feb 01, 2023 4:21 pm
Certainly the DHCP option method works with Yealink phones - they initially make a DHCP request untagged, then release the address provided and make a second DHCP request tagged on the VLAN specified in the options from the first DHCP reply.
At the time (prior to RouterOS V6.48) there was no support for LLDP-MED network policy VLAN; this is probably the most straightforward method.
The DHCP vendor-class-id matcher was replaced with a generic matcher as of RouterOS 7.4 so any implementations on older versions will require some rework when their RouterOS is upgraded.
802.1X requires support by every edge switch port, and a RADIUS server with a database of MAC addresses, user credentials or certificates; the new RouterOS 7 user manager may be sufficient for some setups rather than a separate RADIUS server.
LLDP-MED, DHCP vendor and 802.1X MAC authorisation can all still be spoofed by non-telephony client devices having a VLAN tag set manually to gain access to the telephony network or faking DHCP requests / MAC address; you will have to assess if this is a real issue or not for your use case.
Full 802.1X with user credentials or certificates is secure but involves management of the client database and provisioning new devices with credentials or certificates.
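
Added example, not part of the original post and not RouterOS code: a minimal Python model of the server-side decision in the DHCP option method, showing that the voice VLAN is handed out purely on the vendor class string the client sends. The option code 132, the `yealink` class prefix, the ASCII encoding of the VLAN ID and VLAN 20 are assumptions chosen for illustration; the sample requests are constructed.

```python
VENDOR_CLASS_ID = 60              # RFC 2132 vendor class identifier
VOICE_VLAN_OPTION = 132           # assumption: option code carrying the VLAN ID
PHONE_CLASS_PREFIX = b"yealink"   # assumption: vendor class prefix sent by the phones
VOICE_VLAN_ID = 20                # constructed value


def parse_options(raw: bytes) -> dict[int, bytes]:
    """Parse the DHCP options field (the TLVs after the magic cookie)."""
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:             # pad option: single byte, no length
            i += 1
            continue
        if code == 255:           # end option
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # RFC 3396: concatenate repeats
        i += 2 + length
    return opts


def voice_vlan_reply(request_options: bytes) -> bytes:
    """Extra option for the untagged reply: the voice VLAN, only on a class match.

    The match relies solely on option 60, which is client-supplied data,
    so it selects a VLAN for well-behaved phones but authenticates nothing.
    """
    vci = parse_options(request_options).get(VENDOR_CLASS_ID, b"")
    if vci.lower().startswith(PHONE_CLASS_PREFIX):
        value = str(VOICE_VLAN_ID).encode()       # assumption: ASCII-encoded ID
        return bytes([VOICE_VLAN_OPTION, len(value)]) + value
    return b""


def option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed DHCPDISCOVER option fields (message type 1 plus vendor class).
PHONE_REQ = option(53, b"\x01") + option(60, b"yealink") + b"\xff"
LAPTOP_REQ = option(53, b"\x01") + option(60, b"MSFT 5.0") + b"\xff"
```
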