10-04-2005 12:40 AM - edited 03-03-2019 12:15 AM
Morning,
Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
Is a RADIUS server able to provide values to change the native vlan?
Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
Thanks,
10-04-2005 01:57 AM
Voice VLANs and VLAN assignment via 802.1x is possible and it works, as I have tested it recently. The access VLAN is supplied by the RADIUS server in the AV pair value 81 (Tunnel-Pvt-Group-ID). The switch must be configured for network authorisation for this to work (aaa authorization network), as well as 802.1x being configured.
Dynamic VLANs require the use of VMPS; this is different to 802.1x in that the client device has no involvement. The VMPS Server (usually a Cat5000 switch or a URT appliance) has a list of MAC-to-VLAN mappings, so when a device connects the switch sends a request to the VMPS server for the VLAN of the MAC address (this is a simplistic view of what actually happens). Again this works independently of Voice VLANs, so your Voice VLANs will work with this feature.
I have to question why anyone would need dynamic VLANs though... Doesn't IP switch at wirespeed ;o)
HTH
Andy
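Added example, not part of the thread: a check that a RADIUS reply's attribute area carries a usable VLAN assignment. Beyond attribute 81 named in the post above, it also requires Tunnel-Type (64) = VLAN and Tunnel-Medium-Type (65) = 802, the set RFC 3580 specifies; the function names and sample bytes are constructed for illustration.

```python
# RADIUS attribute numbers from RFC 2868; 81 is the one named in the post above.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6  # values RFC 3580 specifies for VLAN assignment

def attr(atype, value):
    """Encode one attribute as type, length, value (helper for the samples)."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Split a RADIUS attribute area into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def assigned_vlan(data):
    """Return the VLAN the reply assigns, or None if the attribute set is incomplete."""
    ttype = medium = vlan = None
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            number = int.from_bytes(value[1:], "big")  # skip the 1-byte tag
            if atype == TUNNEL_TYPE:
                ttype = number
            else:
                medium = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x00-0x1F is a tag; anything higher is string data.
            text = value[1:] if value[0] <= 0x1F else value
            vlan = text.decode("ascii", "replace")
    if ttype == TYPE_VLAN and medium == MEDIUM_IEEE_802 and vlan:
        return vlan
    return None

# Constructed attribute areas (not captured traffic).
VLAN_TYPE = attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
MEDIUM_802 = attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
COMPLETE = VLAN_TYPE + MEDIUM_802 + attr(TUNNEL_PRIVATE_GROUP_ID, b"10")
TAGGED = VLAN_TYPE + MEDIUM_802 + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10")
ONLY_81 = attr(TUNNEL_PRIVATE_GROUP_ID, b"10")

if __name__ == "__main__":
    for name, blob in (("complete", COMPLETE), ("tagged", TAGGED), ("only 81", ONLY_81)):
        print(name, "->", assigned_vlan(blob))
```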
10-04-2005 02:17 AM
Andy,
Thanks. So the access VLAN modifies the native VLAN? I was wondering if it only worked on access ports, rather than trunk ports.
The owner of a multi-tenant building wants to use the ACS to assign users to VLANs (via MAC addresses). It is supposed to simplify switch administration. The turnover of small companies renting space is usually quite high, so the idea is that any incoming company gives over the MAC addresses of their machines, these are quickly entered into the ACS and made members of a group with a particular VLAN. It then doesn't matter which office they use, the ports will dynamically be placed into the correct VLAN. They can also then troll downstairs to the coffee bar or meeting rooms and use the copper ports and they'll be on their own VLAN straight away. Well, that's the idea.
Any thoughts?
10-04-2005 02:39 AM
Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access VLAN - so in 2950 or above the only config you need is:
interface FastEthernet0/1
 switchport
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
!
This is effectively the same as:
interface FastEthernet0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,100
!
The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
QoS is not detailed anywhere here and that obviously plays an important role with voice.
In your scenario I am not sure ACS can do what you describe, as this will require 802.1x supplicants on the client PCs (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non-802.1x-capable devices). This seems to me more of a VMPS application.
Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
HTH
Andy
10-04-2005 02:55 AM
Andy,
Thanks for the switch config, I'll have to give it a go.
Regards,
Gareth