Kingsley, 

Interesting, that is exactly what I was looking for: 

multi-domain-Both a host and a voice device (like an IP phone, Cisco or 
non-Cisco), to authenticate on an IEEE 802.1X-authorized port.


Thanks a lot for the information. Did you check the solution? Is that how they 
configured it? 

Mike 

Date: Mon, 7 May 2012 10:21:54 +0530
Subject: Re: [OSL | CCIE_Security] Dot1x with voice vlan
From: [email protected]
To: [email protected]
CC: [email protected]

Multi-host mode is meant for the case where the port is connected to a hub which 
has many PCs connected. The first one needs to authenticate and the port is 
authorized. The others need not authenticate. In this mode, an IP phone will be 
treated as a normal node. 


In multi-domain mode, we tell the switch that there is an IP phone also connected 
and it should be given special treatment. 

In single-host mode, only one device is allowed. Now, if you have the PC 
connected via the IP phone to the port, then you have two devices and the port 
will fall into violation mode. Thus we need to configure multi-domain mode.


Snippet from "802.1X Violation Mode": 
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1376150


You can use the authentication violation interface configuration command to 
configure the violation mode: restrict or shutdown.


In single-host mode, a security violation is triggered when more than 
one device is detected on the data VLAN. In multidomain authentication 
mode, a security violation is triggered when more than one device is 
detected on the data or voice VLAN.


Security violation cannot be triggered in multiple-host mode or 
multiauthentication mode.


When security violation occurs, the port is protected depending on the 
configured violation action:


Shutdown—Errdisables the port; the default behavior on a port.


Restrict—The port state is unaffected. However, the platform is notified to 
restrict the traffic from the offending MAC address.


With regards
Kings
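As an added illustration of the host-mode and violation rules quoted above (example code written here, not from the thread, the lab solution or Cisco), a small Python model that sorts the endpoints seen on a port like f0/15 into data and voice domains and reports whether, and how, the configured violation action bites. It follows only the quoted text, so it covers the restrict and shutdown actions, not the "protect" mode in the posted config; the MAC addresses and the "multi-auth" label are assumptions, the VLAN numbers come from the posted config.

```python
# Added example, not part of the thread: a small model of the host-mode and
# violation rules quoted from the Cisco dot1x guide above, used to check which
# endpoint mixes on a port like f0/15 trigger a security violation. MACs are
# constructed for illustration; the VLAN numbers match the posted config.
from dataclasses import dataclass

DATA_VLAN, VOICE_VLAN = 49, 500   # switchport access vlan 49 / voice vlan 500
# Domains the switch polices per host mode (quoted text: single-host watches
# the data VLAN only, multi-domain watches data and voice, the rest never trip).
POLICED = {"single-host": {"data"}, "multi-domain": {"data", "voice"},
           "multi-host": set(), "multi-auth": set()}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    vlan: int          # VLAN the endpoint's frames arrive on


def domain_of(ep: Endpoint) -> str:
    """Map an endpoint to the voice or data domain by the VLAN it uses."""
    return "voice" if ep.vlan == VOICE_VLAN else "data"


def overflowed_domains(host_mode: str, endpoints: list[Endpoint]) -> set[str]:
    """Domains where more than one MAC was seen AND the host mode polices them."""
    seen: dict[str, set[str]] = {"data": set(), "voice": set()}
    for ep in endpoints:
        seen[domain_of(ep)].add(ep.mac)
    return {d for d in POLICED[host_mode] if len(seen[d]) > 1}


def is_violation(host_mode: str, endpoints: list[Endpoint]) -> bool:
    return bool(overflowed_domains(host_mode, endpoints))


def port_outcome(host_mode: str, action: str, endpoints: list[Endpoint]) -> dict:
    """Effect of the configured violation action: shutdown err-disables the
    port; restrict keeps it up and blocks only later MACs in overflowed domains."""
    bad = overflowed_domains(host_mode, endpoints)
    if not bad:
        return {"port": "authorized", "blocked": []}
    if action == "shutdown":
        return {"port": "err-disabled", "blocked": sorted(e.mac for e in endpoints)}
    if action == "restrict":
        first, blocked = {}, []
        for ep in endpoints:
            dom = domain_of(ep)
            if dom in bad and first.setdefault(dom, ep.mac) != ep.mac:
                blocked.append(ep.mac)
        return {"port": "authorized", "blocked": blocked}
    raise ValueError(f"unknown violation action: {action}")
```

Running it with a phone plus one PC in multi-domain mode yields no violation, while a second PC behind the phone does; under restrict only that second data MAC is blocked, under shutdown the whole port is err-disabled.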

On Mon, May 7, 2012 at 7:56 AM, Mike Rojas <[email protected]> wrote:

Hi Kings, 

That is lab 15, right? I did that one today. Why is it multi-domain? Shouldn't it 
be multi-host? I finished the lab and I have to review the solution, but it 
just said "If authenticated, place it on vlan x". That is all I did. 


Like I said, I have to compare both configs, but I guess if not specified then 
just use the authenticated vlan. 

Mike 
Date: Sun, 6 May 2012 01:39:07 +0530
From: [email protected]

To: [email protected]
Subject: [OSL | CCIE_Security] Dot1x with voice vlan

Hi all


I have never got a chance to try this practically, hence theoretically I need 
confirmation :-)

Ok, the scenario is that the port f0/15 is carrying both data and voice. 
Now, I need to configure that for dot1x and hence I have put it in 
"multi-domain" mode.

Now, the PC authenticates and gets the data vlan from the ACS. No issues, it is 
working.

What about the IP Phone? Does it just authenticate and start using the voice vlan 
configured on the port, or should it also download the vlan from the ACS?

 

Inputs please...


interface FastEthernet0/15
 description XP PC
 switchport access vlan 49
 switchport mode access
 switchport voice vlan 500
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x violation-mode protect
 dot1x timeout reauth-period server
 dot1x max-reauth-req 1
 dot1x reauthentication
 dot1x auth-fail vlan 490
 spanning-tree portfast

With regards
Kings


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com                                         