
802.1x and Voice VLAN

littlespace
Level 1

Hi,

I have a Cisco 6509 with IOS "s222-ipservicesk9_wan-mz.122-18.SXF16.bin"

I need to enable dot1x on the users' ports on the switch. Each user is connected to the switch through the IP phone.

I just found out that I cannot enable dot1x on a trunk port. I have tried to use "switchport voice vlan" but I got:

Switch(config-if)#switchport voice vlan 123

Command rejected: Gi7/20 is Dot1x enabled port.

Could you please let me know what I should do to get dot1x working?

Note: I have connected a laptop directly to the port and dot1x is working fine.

Thanks,

Mike


barry
Level 7

Hi Mike

Alas, you are going to have to upgrade your IOS. Dot1X and voice vlan on the same port is not supported on older IOS releases. I don't have the release notes to hand - you'll need to carefully check and plan to upgrade.

Sorry to be the bearer of bad news. Looking at some high level docs, I think you're going to have to get to at least 12.2(33)SXH.

Barry Hesk

Network Consultant

Intrinsic Network Solutions Limited

===

In releases earlier than Release 12.2(33)SXH, a switch in single-host mode accepted traffic from a single host, and voice traffic was not allowed. In multiple-hosts mode, the switch did not accept voice traffic until the client was authenticated on the primary VLAN, which makes the IP phone inoperable until the user logged in.

With Release 12.2(33)SXH and later releases, the IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows the phone to work independently of 802.1X authentication.

In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.

In order to recognize an IP phone, the switch will allow CDP traffic on a port regardless of the authorization state of the port. A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1X authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away.
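Added example, not part of the original thread or of any Cisco tooling: a pre-upgrade check that parses the image name from the question, compares it with the 12.2(33)SXH minimum given in the reply above, and lists the 802.1X ports that cannot take a voice VLAN until the upgrade. The config excerpt and the SXH image name are constructed, `dot1x port-control auto` is assumed to be how the ports were enabled, and the version comparison assumes tuple order matches release order within the SX train.

```python
import re

MIN_RELEASE = (12, 2, 33, "SXH")  # minimum release named in the reply above
IMAGE_RE = re.compile(r"\.(\d{2})(\d)-(\d+)[a-z]?\.(SX[A-Z])\d*\.bin$")

def parse_image(filename):
    """Return (major, minor, maintenance, train) from a 12.2SX image name."""
    m = IMAGE_RE.search(filename)
    if not m:
        raise ValueError(f"unrecognised image name: {filename!r}")
    major, minor, maint, train = m.groups()
    return int(major), int(minor), int(maint), train

def supports_dot1x_voice_vlan(filename):
    # Assumption: within the SX train, tuple order matches release order.
    return parse_image(filename) >= MIN_RELEASE

def dot1x_ports(config):
    """Map each 'dot1x port-control auto' interface to its voice VLAN or None."""
    ports, name, body = {}, None, []
    for line in config.splitlines() + ["!"]:
        if name and line.startswith(" "):
            body.append(line.strip())
            continue
        if name and "dot1x port-control auto" in body:  # flush finished block
            vlans = [int(b.split()[-1]) for b in body
                     if re.fullmatch(r"switchport voice vlan \d+", b)]
            ports[name] = vlans[0] if vlans else None
        name = line.split(None, 1)[1] if line.startswith("interface ") else None
        body = []
    return ports

def rejected_ports(image, config):
    """dot1x ports that cannot take a voice VLAN on this image."""
    if supports_dot1x_voice_vlan(image):
        return []
    return sorted(p for p, vv in dot1x_ports(config).items() if vv is None)

PAGE_IMAGE = "s222-ipservicesk9_wan-mz.122-18.SXF16.bin"  # from the question
SXH_IMAGE = "s3223-ipservicesk9_wan-mz.122-33.SXH.bin"    # constructed name
SAMPLE_CONFIG = """\
interface GigabitEthernet7/20
 switchport access vlan 10
 dot1x port-control auto
!
interface GigabitEthernet7/21
 switchport voice vlan 123
!
"""  # constructed running-config excerpt
```
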

Hi Barry,

Thanks for your reply. Do you know if I can upgrade to IOS 12.2(33)SXH on SUP2 modules?

Thanks,

Mike

Hi Mike

Alas, I don't think so. See "hardware requirements" in the release notes for the SX releases.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/hardware.html

Barry

Barry Hesk

Network Consultant

Intrinsic Network Solutions Limited

PS: Definitely no support for Sup 2, as per the EOS notice for the 12.2(18) release:

Please note that 12.2(18)SXF software is available on Cisco.com for download only for the Supervisor 2 customers who wish to upgrade their current version and feature set. Cisco IOS Software Releases 12.2(33)SXH and 12.2(33)SXI do not support the Cisco Catalyst 6500 Supervisor Engine 2.

I have decided to upgrade sup2 to WS-SUP32-GE-3B. I think it will be OK after that, right?

Thanks,

Mike

Hi Mike

Yes, again, I don't have the release notes to hand, but I'm 99.9% sure that the SUP32 will support the SXH releases.

Barry

Barry Hesk

Intrinsic Network Solutions
