Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1435
Views
0
Helpful
2
Replies

Cisco Switch Configuration for dot1x

Go to solution
Sp@wn
Level 1
Level 1

‎04-20-2020 10:37 AM

Hi,

 

Is it possible to make 802.1x only for data while there is both data and voice definition under the same port?

 

Regards,

Sp@wn

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎04-20-2020 01:04 PM

If you are using Cisco IP Phones and have CDP enabled, you can use CDP Bypass to allow the phones on in the Voice VLAN automatically and then only authenticate/authorize the Data device.  You would need to configure the switchport host-mode to be "single-host".  That will limit you to just one MAC address on the Data VLAN.  The downside of this type of setup is the lack of visibility of what phones are on the network and on which switches/ports.  Someone could spoof the phone MAC address and CDP messages to gain access to the Voice VLAN.  You could just authenticate the phones using MAB.  Just build a whitelist of your phone MAC addresses in ISE and it would only use up a Base license.  But that gives you the flexibility to use dACL's, centrally configured timeouts, etc.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
omid.delawar
Level 1
Level 1

‎04-20-2020 01:02 PM

Hi,

it is possible. Look at Multi-Domain Authentication Link below>
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/98523-8021x-cat-layer3.html#MDA
0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎04-20-2020 01:04 PM

If you are using Cisco IP Phones and have CDP enabled, you can use CDP Bypass to allow the phones on in the Voice VLAN automatically and then only authenticate/authorize the Data device.  You would need to configure the switchport host-mode to be "single-host".  That will limit you to just one MAC address on the Data VLAN.  The downside of this type of setup is the lack of visibility of what phones are on the network and on which switches/ports.  Someone could spoof the phone MAC address and CDP messages to gain access to the Voice VLAN.  You could just authenticate the phones using MAB.  Just build a whitelist of your phone MAC addresses in ISE and it would only use up a Base license.  But that gives you the flexibility to use dACL's, centrally configured timeouts, etc.

0 Helpful
Customers Also Viewed These Support Documents
Top