leeh1002
Beginner

802.1X Authentication with VLAN assignment issue.

Hi there,

I plan to implement 802.1X authentication with VLAN assignment on our network and assign different VLANs on the access switch (Cat2960) according to the end devices (for example, VLAN10 for WLAN, VLAN20 for voice, VLAN30 for IPTV set-top boxes, VLAN40 for PCs) after successful authentication.

The network topology is (L3 backbone switch: Cat6K) <-----> (L2 access switch: Cat2960) <--------> (L2 access switch: Cat2960) <--> WLAN/Voice/IPTV/PC. (Please refer to the attached file for the detailed topology.)

I have to adhere to the (L2 switch) <--> (L2 switch) topology due to cabling issues.

My questions are below.

1. To accommodate the various VLANs of the end devices, the only way is to make trunk ports on both L2 switches. Is that possible?

   As far as I know, 802.1X can't be enabled on a trunk port. Is that right?

2. If so, is there any solution?

Thank you for your help. :-)

Javier Henderson
Enthusiast

You won't be running 802.1x on the trunk ports between switches, but rather on the ports to which the end-user devices connect.

Hi Javier,

My understanding of your comment is that I can't use (L2 Switch) <--> (L2 Switch) <--> End-devices, and the only possible topology is (L2 Switch) <--> End-devices.

Is it correct?

How about this topology?

     (L2 Switch-A)  Port #1 <-----> (L2 Switch-B) Port #1 <--> VLAN10: AP

                            Port #2  <-----> (L2 Switch-B) Port #2 <--->VLAN20: Voice

                            Port #3 <-------> (L2 Switch-B) Port #3 <---> VLAN30: IPTV Set-top Box , etc.

Is this a possible solution?

Thank you for your advice.

My point is that you won't be activating 802.1x on the ports that are trunks between switches, only on the port(s) that will have end user devices.

So:

Switch-A <------> Switch-B

Above, you will have one port on Switch-A connected to one port on Switch-B, that presumably will be a trunk port, carrying multiple VLANs. You won't have 802.1x configured on either of those two ports.

Then, you will have end user computers on other ports on Switch-B. You will be configuring 802.1x on each of those ports, and on those ports only.

Hi Javier,

Thank you for your answer.

That means I can enable 802.1X on the ports on Switch-B to which end users are connected, except for the trunk port.

And 802.1X traffic (EAP) can pass through the trunk port on Switch-B.

Is it correct?

Right, don't configure 802.1x on the trunk ports on either switch, A or B. Only on the ports on switch B that will have end user computers (or other devices with 802.1x supplicants).

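
An added configuration example (not posted by anyone in this thread) showing what the accepted answer describes on Switch-B: the uplink trunk to Switch-A carries the device VLANs and has no dot1x, while the end-device access ports run 802.1X and receive their VLAN from RADIUS. IOS 15.x syntax is assumed; the RADIUS server address, shared key, interface names and the default VLAN 999 are placeholders.

```cisco
! Switch-B (Cat2960 access switch) - example fragment, not from the thread.
! Assumptions: RADIUS server 192.0.2.10, key and VLAN 999 are placeholders.
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what allows the RADIUS Access-Accept to move
! the port into VLAN 10/20/30/40. Without it the supplicant authenticates
! but the port stays in its statically configured VLAN.
aaa authorization network default group radius
dot1x system-auth-control
!
radius server RADIUS-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
!
! Uplink to Switch-A: plain trunk, no dot1x. EAPOL frames never cross it;
! they stay on the access port between supplicant and Switch-B. What the
! trunk must carry is IP reachability from Switch-B to the RADIUS server.
interface GigabitEthernet0/1
 description Uplink to Switch-A (trunk)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,999
!
! End-device ports: 802.1X authenticator. VLAN is assigned by RADIUS via
! Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6) and
! Tunnel-Private-Group-ID=<vlan id> (RFC 3580 attributes).
interface range FastEthernet0/1 - 24
 description 802.1X end-device ports
 switchport mode access
 switchport access vlan 999
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification after a device connects:
!   show dot1x all summary          - authenticator state per port
!   show authentication sessions    - session status and assigned VLAN
```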

Thanks a lot.

Your advice was a very helpful answer. :-)