09-27-2007 07:44 AM
Hello,
Well...
We have ports in access mode with 802.1x working perfectly (see config #1 below).
We have ports in trunk mode for an Ericsson IP phone (vlan 9) with a PC behind (vlan 8), also working perfectly (see config #2 below).
But but.... how can I have both on same ports?
As we can't use 802.1x in trunk mode, and as the Ericsson IP phone doesn't seem to support switchport voice mode, is there any way, other than changing the IP phone, to protect the PC behind the phone and have different VLANs for data and voice?
Thanks for your very valuable help.
Gael
config #1
interface FastEthernet1/0/31
 description test 802.1x
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 no snmp trap link-status
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
config #2
interface FastEthernet1/0/27
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 no logging event link-status
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust cos
 no snmp trap link-status
 auto qos voip trust
 spanning-tree bpduguard enable
10-04-2007 06:38 AM
I don't think this is possible except if you change the IP phone. The PC cannot recognize trunked switch frames. You can configure vlan 8 (or the vlan to which the PC belongs) as the native vlan, but this will create a problem for the IP phone.
10-04-2007 09:34 AM
Have you tried something like this:
interface FastEthernet1/0/27
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 8
 switchport mode trunk
 switchport voice vlan 9
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree bpduguard enable
10-05-2007 01:20 AM
Hi,
Thanks for the proposal, but we can't configure dot1x with a trunk (as far as I know and have tried).
I'm in contact with Ericsson; according to them, the switchport voice 9 does effectively work,
so the following configuration is ok:
interface FastEthernet1/0/27
 switchport access vlan 8
 switchport mode access
 switchport voice vlan 9
 spanning-tree portfast
 spanning-tree bpduguard enable
Now if I add 802.1x
 dot1x pae authenticator
 dot1x port-control auto
there is some trouble. I tried
 dot1x host-mode multi-domain
and to configure the radius to let the switch know that there are 2 domains (default -> data and one voice).
But so far I'm not successful. I'm waiting for some more info from Ericsson to solve this problem.
thanks
gael
10-05-2007 05:59 AM
Hello again,
According to Ericsson support it is not possible, so if we want to have 802.1x activated with the Ericsson IP phone we will need to have one port for the PC and one for the IP phone..... If somebody can prove the opposite to me, I will be the first interested :-)
Thanks
Gael
Hi, krkosiorek
For your info, here is what happens if we try to add a trunk to an 802.1x-enabled port.
interface FastEthernet2/0/31
 description test 802.1x
 switchport trunk encapsulation dot1q
 switchport mode access
 switchport voice vlan 222
 no logging event link-status
 no snmp trap link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
end
NYHQSWA-R01(config-if)#switchport mode tru
Command rejected: Conflict with dot1x.
Dot1x must be disabled before changing port mode.
NYHQSWA-R01(config-if)#
10-05-2007 06:28 AM
I must have missed the dot1x authentication part of your config the first time. The below was taken from a Cisco document. Seems to confirm your findings.
----------------------------------------------
802.1X Configuration Guidelines
These are some configuration guidelines and operating characteristics of 802.1X authentication:
- When 802.1X is enabled, ports are authenticated before any other Layer 2 features are enabled.
- The 802.1X protocol is supported on Layer 2 static-access ports, but it is not supported on these port types:
  - Trunk port: If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.
  - Dynamic ports: A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1X on a dynamic port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to dynamic, the port mode is not changed.
  - Dynamic-access ports: If you try to enable 802.1X on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1X is not enabled. If you try to change an 802.1X-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
  - EtherChannel port: Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
  - Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports: You can enable 802.1X on a port that is a SPAN or RSPAN destination or reflector port. However, 802.1X is disabled until the port is removed as a SPAN or RSPAN destination or reflector port. You can enable 802.1X on a SPAN or RSPAN source port.
- When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
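
Added example (not part of any post in this thread, and not Cisco code): a Python script that checks interface stanzas against the guidelines quoted above, reporting 802.1X on trunk, dynamic, dynamic-access or EtherChannel ports and a port VLAN equal to the voice VLAN, and also listing trunk or dynamic ports that carry no 802.1X at all. The function names and the sample config are constructed for illustration, and the script assumes `dot1x port-control auto` is what marks 802.1X as enabled on a port.

```python
# Constructed sample: three ports in the style of the configs posted above.
SAMPLE = """\
interface FastEthernet1/0/27
 switchport mode trunk
interface FastEthernet1/0/31
 switchport access vlan 8
 switchport voice vlan 8
 dot1x port-control auto
interface FastEthernet1/0/32
 switchport access vlan 8
 switchport voice vlan 9
 dot1x port-control auto
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]}; indentation is optional."""
    ports, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line in ("end", "!"):
            current = None          # end of the interface stanza
        elif line and current is not None:
            current.append(line)
    return ports

def audit(text):
    """Return {interface: [findings]} for ports that conflict with the guidelines."""
    report = {}
    for name, cmds in parse_interfaces(text).items():
        def arg(prefix):            # first argument of the first matching command
            return next((c[len(prefix):].split()[0] for c in cmds
                         if c.startswith(prefix)), None)
        mode, access = arg("switchport mode "), arg("switchport access vlan ")
        voice = arg("switchport voice vlan ")
        dot1x = "dot1x port-control auto" in cmds   # assumption: marks 802.1X as on
        found = report.setdefault(name, [])
        if mode in ("trunk", "dynamic"):
            found.append(f"{mode} port: " + ("802.1X not supported" if dot1x
                         else "no 802.1X, attached hosts unauthenticated"))
        if dot1x and access == "dynamic":
            found.append("dynamic-access (VQP) port: 802.1X not supported")
        if dot1x and any(c.startswith("channel-group ") for c in cmds):
            found.append("EtherChannel member: 802.1X not supported")
        if dot1x and voice is not None and voice == access:
            found.append("port VLAN equals voice VLAN")
    return {name: found for name, found in report.items() if found}
```

Calling `audit()` on a saved running-config returns only the ports with findings; uplink trunks will appear in the "no 802.1X" list and need to be excluded by hand.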