Yes, that was the solution Mike...

With regards
Kings

On Mon, May 7, 2012 at 5:46 PM, Mike Rojas <[email protected]> wrote:
> Kingsley,
>
> Interesting, that is exactly what I was looking for:
>
> multi-domain - Both a host and a voice device (like an IP phone, Cisco or
> non-Cisco), to authenticate on an IEEE 802.1X-authorized port.
>
> Thanks a lot for the information. Did you check the solution, is that how
> they configured it?
>
> Mike
>
> ------------------------------
> Date: Mon, 7 May 2012 10:21:54 +0530
> Subject: Re: [OSL | CCIE_Security] Dotlx with voice vlan
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Multihost mode is meant for the case where the port is connected to a hub
> which has many PCs connected. The first one needs to authenticate and the
> port is authorized. The others need not authorize. In this mode, the IP
> phone will be treated as a normal node.
>
> In multi-domain, we tell the switch that there is an IP phone also connected
> and it should be given special treatment.
>
> In single-host mode, only one device is allowed. Now, if you have the PC
> connected via IP phone to the port, then you have two devices and the port
> will fall into violation mode. Thus we need to configure multi-domain mode.
>
> Snippet from
>
> 802.1X Violation Mode
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html#wp1376150
>
> You can use the authentication violation interface configuration command
> to configure the violation mode: restrict or shutdown.
>
> In single-host mode, a security violation is triggered when more than one
> device are detected on the data vlan. In multidomain authentication mode, a
> security violation is triggered when more than one device are detected on
> the data or voice VLAN.
>
> Security violation cannot be triggered in multiple-host mode or
> multiauthentication mode.
>
> When security violation occurs, the port is protected depending on the
> configured violation action:
>
> Shutdown—Errdisables the port; the default behavior on a port.
>
> Restrict—The port state is unaffected. However the platform is notified to
> restrict the traffic from offending MAC-address.
>
> With regards
> Kings
>
> On Mon, May 7, 2012 at 7:56 AM, Mike Rojas <[email protected]> wrote:
>
> Hi Kings,
>
> That is lab 15, right? I did that one today. Why is it multi-domain?
> Shouldn't it be multi-host? I finished the lab and I have to review over the
> solution but it just said "If authenticated, place it on vlan x". That is
> all I did.
>
> Like I said, I have to compare both configs, but I guess if not specified
> then just use the authenticated vlan.
>
> Mike
> ------------------------------
> Date: Sun, 6 May 2012 01:39:07 +0530
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] Dotlx with voice vlan
>
> Hi all
>
> I have never got a chance to try this practically, hence theoretically I
> need confirmation :-)
>
> Ok, the scenario is that the port f0/15 is carrying both data and voice.
> Now, I need to configure that for dot1x and hence I have put it in
> "multi-domain" mode.
>
> Now, the PC authenticates and gets the data vlan for the ACS. No issues,
> it is working.
>
> What about the IP Phone? Does it just authenticate and start using the voice
> vlan configured on the port, or should it also download the vlan from ACS?
>
> Inputs please...
>
> interface FastEthernet0/15
> description XP PC
> switchport access vlan 49
> switchport mode access
> switchport voice vlan 500
> dot1x pae authenticator
> dot1x port-control auto
> dot1x host-mode multi-domain
> dot1x violation-mode protect
> dot1x timeout reauth-period server
> dot1x max-reauth-req 1
> dot1x reauthentication
> dot1x auth-fail vlan 490
> spanning-tree portfast
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
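
The host-mode reasoning in the thread above can be turned into a configuration check. The following is an added example, not part of the original thread or of any lab solution: it scans IOS-style interface blocks and reports how each 802.1X port that also carries a voice VLAN will treat a PC behind a phone. The sample config is constructed, the `authentication ...` command spelling is accepted alongside the `dot1x ...` form used in the thread, and treating a missing host-mode line as single-host is an assumption about the platform default.

```python
import re
# Constructed sample; Fa0/15 mirrors the port posted in the thread.
SAMPLE = """\
interface FastEthernet0/15
 switchport voice vlan 500
 dot1x port-control auto
 dot1x host-mode multi-domain
!
interface FastEthernet0/16
 switchport voice vlan 500
 dot1x port-control auto
!
interface FastEthernet0/17
 switchport voice vlan 500
 dot1x port-control auto
 dot1x host-mode multi-host
"""

VERDICTS = {
    "multi-domain": "ok: one host on the data VLAN plus one voice device",
    "single-host": "PC behind the phone is a second device: security violation",
    "multi-host": "phone treated as a normal node; only the first device authenticates",
}

def parse_interfaces(text):
    """Split IOS-style config into {interface: [sub-commands]}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return ports

def audit(text):
    """Return {interface: (host_mode, verdict)} for 802.1X ports with a voice VLAN."""
    findings = {}
    for name, cmds in parse_interfaces(text).items():
        body = "\n".join(cmds)
        if not re.search(r"^(dot1x|authentication) port-control auto$", body, re.M):
            continue
        if not re.search(r"^switchport voice vlan \d+$", body, re.M):
            continue
        m = re.search(r"^(?:dot1x|authentication) host-mode (\S+)$", body, re.M)
        mode = m.group(1) if m else "single-host"  # assumption: platform default
        findings[name] = (mode, VERDICTS.get(mode, "review manually"))
    return findings
```

Calling `audit(SAMPLE)` returns one entry per port; host modes the thread does not characterise for phones (for example multi-auth) come back as "review manually".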
