12-17-2015 09:45 AM - edited 03-10-2019 11:20 PM
Hi there,
I plan to implement 802.1X authentication with VLAN assignment on our network and assign different VLANs on the access switch (Cat2960) according to end devices (for example, VLAN10 for WLAN, VLAN20 for voice, VLAN30 for IPTV set-top box, VLAN40 for PC) after successful authentication.
The topology of the network is (L3 backbone Switch: Cat6K) <-----> (L2 Access switch: Cat2960) <--------> (L2 Access switch: Cat2960) <--> WLAN/Voice/IPTV/PC. (Please refer to the attached file for the detailed topology.)
I have to adhere to the (L2 switch) <--> (L2 switch) topology due to a cabling issue.
My questions are below.
1. To accommodate the various VLANs of end devices, the only way is making a trunk port on both L2 switches. Is it possible?
As far as I know, I can't enable 802.1X on a trunk port. Is that right?
2. If right, is there any solution?
Thank you for your help. :-)
12-17-2015 09:48 AM
You won't be running 802.1x on the trunk ports between switches, but rather on the ports to which the end-user devices connect.
12-17-2015 10:05 AM
Hi Javier,
My understanding of your comment is that I can't use (L2 Switch) <--> (L2 Switch) <--> End-devices and the only possible topology is (L2 Switch) <--> End-devices.
Is it correct?
How about this topology?
(L2 Switch-A) Port #1 <-----> (L2 Switch-B) Port #1 <--> VLAN10: AP
Port #2 <-----> (L2 Switch-B) Port #2 <--->VLAN20: Voice
Port #3 <-------> (L2 Switch-B) Port #3 <---> VLAN30: IPTV Set-top Box , etc.
Is it a possible solution?
Thank you for your advice.
12-17-2015 10:24 AM
My point is that you won't be activating 802.1x on the ports that are trunks between switches, only on the port(s) that will have end user devices.
So:
Switch-A <------> Switch-B
Above, you will have one port on Switch-A connected to one port on Switch-B, that presumably will be a trunk port, carrying multiple VLANs. You won't have 802.1x configured on either of those two ports.
Then, you will have end user computers on other ports on Switch-B. You will be configuring 802.1x on each of those ports, and on those ports only.
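The layout described in this reply, sketched as a Switch-B configuration. This is an added example, not part of the original thread: interface numbers, the RADIUS server address and the key are placeholders, and the syntax assumes a Cat2960 IOS release that uses the `authentication port-control` form (older releases use `dot1x port-control auto`).

```cisco
! Switch-B (Cat2960) - constructed example, all values are placeholders
!
! Global AAA / 802.1X
aaa new-model
aaa authentication dot1x default group radius
! Needed so the switch applies the VLAN returned by RADIUS
aaa authorization network default group radius
dot1x system-auth-control
!
! RADIUS server is reached over IP via the uplink (legacy host syntax)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! VLANs must exist locally before RADIUS can assign them
vlan 10,20,30,40
!
! Uplink to Switch-A: plain trunk, no 802.1X commands
interface GigabitEthernet0/1
 description Uplink to Switch-A
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! End-device port: access port acting as 802.1X authenticator
interface FastEthernet0/2
 description End-device port
 switchport mode access
 switchport access vlan 40
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! RADIUS attributes the server returns for dynamic VLAN assignment:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = 802 (6)
!   Tunnel-Private-Group-ID = <VLAN ID or name, e.g. 40>
```

After a client authenticates, `show authentication sessions interface FastEthernet0/2` shows the authorization status and the VLAN applied to the port.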
12-17-2015 10:46 AM
Hi Javier,
Thank you for your answer.
That means I can enable 802.1X on the ports on Switch-B to which end users are connected, excepting the trunk port.
And 802.1X traffic (EAP) can pass through the trunk port on Switch-B.
Is it correct?
12-17-2015 10:53 AM
Right, don't configure 802.1x on the trunk ports on either switch, A or B. Only on the ports on switch B that will have end user computers (or other devices with 802.1x supplicants).
12-17-2015 10:58 AM
Thanks a lot.
Your advice was very helpful. :-)