
Cisco3750 802.1X LLDP Voice and Data Routing

xavierloza1
Level 1

Hello all,

Let me know if you could kindly help me out. I'm setting up 802.1X and LLDP on a Cisco 3750 switch. I've configured two DHCP pools, one for voice and one for data. My IP phone, which is configured with EAP-TLS, is able to authenticate with the FreeRADIUS server. Next, the IP phone and switch exchange their LLDP advertisements and the phone picks up an address in the voice VLAN. Since multi-host is enabled, my laptop is able to pick up an IP lease in the data VLAN. From my laptop (192.168.13.x), I'm able to reach both management IP addresses, 192.168.13.2 and 192.168.88.1; however, I'm unable to reach my IP phone, which picks up an address in the 192.168.88.0/24 range. As you can see, "ip routing" is enabled, so both subnets should be routable. Also, from the switch, I'm unable to reach the IP phone, even though we have a connected interface. I'm not sure what's causing the IP phones in the 192.168.88.0/24 range to be unable to reach the gateway address 192.168.88.1, which is the VLAN management IP for voice. If I remove all 802.1X configuration from the interface, routing between the two subnets works with LLDP. I'm thinking that once 802.1X authentication is successful, all traffic and routing should be allowed to flow through, but something is stopping communication between the voice and data VLANs. Any ideas? Thank you all!


Laptop --> IP Phone --> Cisco3750 --> freeRADIUS

-----

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!

cisp enable

ip routing

ip dhcp pool VOICE
   network 192.168.88.0 255.255.255.0
   default-router 192.168.88.1
!
ip dhcp pool VLAN13
   network 192.168.13.0 255.255.255.0
   default-router 192.168.13.2

dot1x system-auth-control

network-policy profile 10
 voice vlan 2
 voice-signaling vlan 2

lldp run

interface FastEthernet2/0/18
 switchport access vlan 13
 switchport mode access
 network-policy 10
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
 spanning-tree portfast

interface Vlan2
 ip address 192.168.88.1 255.255.255.0

interface Vlan13
 ip address 192.168.13.2 255.255.255.0

ip radius source-interface Vlan13

radius-server host 192.168.13.1 auth-port 1812 acct-port 1813 key MYPASSWORD

----
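A note on the host mode in the configuration above, as an added example that is not part of the original post or any reply. With `authentication host-mode multi-host`, the first supplicant to authenticate (here the phone) authorizes the whole port, and every other MAC address seen behind it, such as the laptop, is allowed onto the data VLAN with no authentication session of its own. Cisco's documented mode for a phone with a PC behind it is multi-domain authentication (MDA), where one device is authorized in the voice domain and one in the data domain, each with its own 802.1X (or MAB) session. The fragment below keeps the thread's VLAN numbers, interface and RADIUS server and shows the weak port setting beside the MDA version, followed by the IOS show commands used to confirm what the switch actually authorized. It assumes an IOS release that supports the `authentication host-mode` syntax already used in the thread, and that the RADIUS server marks the phone as a voice device (in FreeRADIUS, a reply attribute `Cisco-AVPair = "device-traffic-class=voice"` for the phone's certificate identity); without that attribute an MDA port treats the phone as a data device.

```cisco
! Added example, not the poster's configuration. Interface, VLANs and RADIUS server
! are taken from the thread; everything else is an assumption stated in the lead-in.
!
! Weak: multi-host. One successful 802.1X session (the phone) opens the port for any
! number of additional MACs, so the laptop is never authenticated itself.
interface FastEthernet2/0/18
 switchport access vlan 13
 switchport mode access
 network-policy 10
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
!
! Hardened: multi-domain. The voice VLAN is declared on the port (the switch then
! advertises it to the phone over CDP and LLDP-MED), the phone authenticates into
! the voice domain and the laptop must run its own 802.1X session to reach VLAN 13.
interface FastEthernet2/0/18
 switchport access vlan 13
 switchport voice vlan 2
 switchport mode access
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication host-mode multi-domain
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification from the switch CLI (run after the phone and laptop have come up):
! show authentication sessions interface FastEthernet2/0/18
!   -> one session per MAC, with its Domain (VOICE or DATA), Status and Vlan Policy
! show dot1x interface FastEthernet2/0/18 details
!   -> EAP method and authenticator state for each supplicant
! show lldp neighbors detail
!   -> the voice VLAN the phone received in the LLDP-MED network policy TLV
! show mac address-table interface FastEthernet2/0/18
!   -> which VLAN each learned MAC is actually being switched in
! debug radius authentication
!   -> the Access-Accept / Access-Reject and returned attributes for each session
```

The `show authentication sessions` output is the fastest way to see whether the phone was authorized into the voice domain or only into the data domain on VLAN 13, and `show mac address-table` shows the VLAN the switch is really forwarding the phone's frames in, independent of the address the phone obtained over DHCP.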

3 Replies

xavierloza1
Level 1

Any idea, anyone?

No one is able to help me out with this one? 

Hitesh Vinzoda
Level 4

Hi,

LLDP and CDP are allowed before authentication happens, so to me it looks like the authentication is unsuccessful.

Would you be able to check the FreeRADIUS logs for Access-Reject or Access-Accept messages?


Thanks

Hitesh