We just received Cisco 4321 and 4331 routers with 2x NIM-ES2-8-P modules installed that we planned on using to backfill older switches and routers in areas with fewer than 14 users. The switch ports on the modules will be used as access ports, and company policy is to configure all access ports with MAB authentication for all workstations and VoIP phones. We used the configuration below on the ports, but the problem is the VoIP phones won't authenticate; the option to use dot1x host-mode multi-domain is not available (see output). We have IP Base licenses and the securityK9 license activated. Not sure if it's an IOS defect, if it's that way on purpose, if I don't have a certain license, or if I'm missing a command to activate it. Any ideas on how we can get VoIP working with this scenario?

!==== Basic interface ====
interface GigabitEthernet0/1/0
 description //Access Port//
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 3
 switchport priority extend trust
 no logging event link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x mac-auth-bypass
 spanning-tree portfast
 spanning-tree bpduguard enable
end

!==== Missing 'multi-domain' ====
Router(config-if)#dot1x host-mode ?
  multi-host   Multiple Host Mode
  single-host  Single Host Mode
!====

!==== aaa configs (radius server config omitted) ====
aaa new-model
!
!
aaa group server radius RAD-Servers
 server name rad2
 server name rad3
 ip radius source-interface Vlan20
!
aaa authentication dot1x default group RAD-Servers
aaa authorization network default group RAD-Servers
aaa accounting dot1x default start-stop group RAD-Servers
!
dot1x system-auth-control
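A small audit script, added here as an example and not part of the original post or of any Cisco tooling, that parses an IOS-style running-config into interface blocks and checks every access port against the policy the post describes (MAB plus dot1x on all access ports, BPDU guard) and flags ports that carry a voice VLAN while running a host-mode other than multi-domain, which is the mode that authenticates a phone and a workstation as separate sessions on one port. The sample config is constructed and includes the poster's interface plus a compliant port, a port with no authentication at all, and a trunk that the audit skips; the required-command list is an assumption standing in for whatever the company policy actually mandates.

```python
"""Audit a Cisco IOS running-config for access-port MAB/802.1X settings.

Example code: the policy below is an assumption, not a Cisco default.
"""
import re
from typing import Dict, List

# Commands the (assumed) company policy requires on every access port.
REQUIRED = (
    "dot1x pae authenticator",
    "dot1x port-control auto",
    "dot1x mac-auth-bypass",
    "spanning-tree bpduguard enable",
)

# Constructed sample config: the poster's port, a compliant printer port,
# a port that was never configured for authentication, and a trunk uplink.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1/0
 description //Access Port//
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 3
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x mac-auth-bypass
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1/1
 description //Printer//
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x mac-auth-bypass
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1/2
 description //Forgotten port, no authentication//
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/0/0
 description //Uplink//
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for each 'interface' stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            # Indented lines belong to the current interface stanza.
            interfaces[current].append(line.strip())
        else:
            # '!' or any top-level command ends the stanza.
            current = None
    return interfaces


def audit_port(name: str, lines: List[str]) -> List[str]:
    """Findings for one interface; trunks and routed ports are out of scope."""
    findings: List[str] = []
    if "switchport mode access" not in lines:
        return findings
    for cmd in REQUIRED:
        if cmd not in lines:
            findings.append(f"{name}: missing '{cmd}'")
    host_mode = "single-host"  # IOS default when no host-mode is configured
    for line in lines:
        m = re.match(r"dot1x host-mode (\S+)$", line)
        if m:
            host_mode = m.group(1)
    has_voice = any(line.startswith("switchport voice vlan") for line in lines)
    if has_voice and host_mode != "multi-domain":
        findings.append(
            f"{name}: voice vlan configured but host-mode is {host_mode}; "
            "a phone and a workstation are only authenticated as separate "
            "sessions under multi-domain"
        )
    return findings


def audit_config(config: str) -> List[str]:
    """Run audit_port over every interface and collect the findings."""
    findings: List[str] = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_port(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Point it at the output of `show running-config` saved to a file and it gives a quick list of ports that drifted from policy; the voice-VLAN check is the one that would have surfaced the poster's situation before phones were plugged in.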
Policy mainly. All traffic across the transport network needs to be encrypted. Part of it is to keep an unmanaged internet access network separated from the corporate client network. Same with the security camera network, another network running over the transport. Don't want someone to get into a camera port and somehow manage to gain access to the client network or see the traffic on it. That, and the transport network is owned and managed by a different entity than the client networks; I just work on both.
I currently have a large campus with multiple networks tunneling over a single inner campus transport network. Currently, these networks are using DOT1Q tunneling to connect to one another, and the VLANs for each "client" network extend to every building on the campus. I'd like to encrypt the traffic of the client networks with IPSEC before it gets to the transport network, but still maintain these campus-wide VLANs.
Is there a way to do this with only one L3 switch in each building? I know Q-in-Q would likely be a good solution, but, as I understand it, I'd have to get an additional device for each building and don't want to suffer that expense. Also heard MACsec might be a good solution, but know little about it and am not sure if our current switches support it.
I'd essentially like to turn the inside of the tunnel interface into a trunk port. Diagram below is the concept.