802.1x authentication when PC is connected to the back of the IP phone

Unanswered Question
Oct 25th, 2007

I am testing the 802.1x authentication MAC address bypass feature to allow dynamic vlan allocation based on the MAC address. We are converting Cat OS based 65ks to IOS based. The plan is to replace VMPS with the 802.1x MAC bypass feature. Everything works great if the PCs are directly connected to the switch port. If the PC is connected to the back of the IP phone, it will be put on the right vlan the very first time. When that PC is moved to some other port (to the back of some other IP phone) on the same switch, the switch throws an error message saying it's a security violation because a secure MAC address is already present in the MAC table for another port for the same vlan. This is because when the PC was disconnected the switch port stayed up, apparently causing the switch not to clear the mac-address entry. If the PC is directly connected to the switch, the port will go down and the MAC entry would be deleted.

This allows the same device to be plugged into other ports and put in the same vlan on the same switch. Any ideas how to work around this problem?

rakesh.hegde Fri, 10/26/2007 - 06:20

Hi Brian,

Thanks for the info. I tried clear mac-address-table dynamic, but it didn't help. The only way to get rid of it was to reboot the switch. This doesn't even come close to the transparency and resiliency provided by VMPS, and Cisco stopped VMPS server support on 65k IOS. We don't want to be clearing MACs every time a user moves to different ports.

Just a thought :-)


rakesh.hegde Sat, 10/27/2007 - 09:39

Hi Andy,

That was helpful. At least we now have a potential workaround. Right now the only way is to either reboot the switch or disable/enable the switch port connecting the IP phone and the PC (at least that's what I figured).


