11-12-2008 09:37 PM - edited 03-06-2019 02:27 AM
Hi
I am configuring 802.1x in the LAN of my customer. My customer has 2960 and 3750 switches and Cisco IP phones. I have a problem with the 3750 switches: the IP phone cannot connect to CallManager, but when I connect the IP phone to any port of a 2960 switch I have no problem. The configuration on the 3750 and 2960 is the same. The version of IOS on all switches is c3750-ipbasek9-mz.122-25.SEE4
The configuration in the ports is:
interface FastEthernet X
 switchport mode access
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 13
 dot1x auth-fail vlan 13
 spanning-tree portfast
Thanks for your help.
Jorge
11-13-2008 01:32 AM
Hello Jorge,
I would try
int fas X
dot1x host-mode multi-host
and
switch# dot1x re-authenticate interface fas X
Have you tried with a PC connected to the IP phone with 802.1X client SW?
Does the behaviour change?
Hope to help
Giuseppe
11-13-2008 06:10 AM
Hi Giuseppe
I will try this configuration, but the configuration is working well on the 2960 switches. Why does it fail on the 3750 switches? Only the 3750 switches have the problem.
11-13-2008 02:10 AM
Hi Jorge, I have just looked at a working 802.1x config from a 3560-POE I have (not exactly the same, I know) where I have some Cisco IP Phones, and it's almost the same as yours:
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 500
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 no snmp trap link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout reauth-period server
 dot1x reauthentication
 spanning-tree portfast
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100
In theory a 3750 & a 2960 (assuming the same IOS revision) should have the same behaviour since they are both based on a similar platform.
Previously you needed to have three MAC addresses configured for port-security to work with an IP Phone and a PC since the IP Phone initially appears on the access VLAN. However I know there was a feature change (around IOS 12.2(37)SE) where as soon as CDP kicked in from the IP Phone the switch removed its MAC from the access VLAN so you can have a maximum of two MACs configured. You are running older software so you will need the three MAC maximum.
I would suggest the first thing to try would be upgrading the IOS to the latest IOS release which is 12.2(46)SE.
Andy
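An added example, not part of the thread: a small Python audit of pasted interface configuration that flags 802.1X voice ports whose port-wide port-security maximum is below what the post above says the IOS release needs. The 12.2(37)SE threshold is the approximate one from that post, the interface name in the sample is constructed, versions are given in `show version` form, and ports that use per-VLAN maximums are skipped.

```python
import re

# Threshold from the post above ("around IOS 12.2(37)SE"); an approximation.
CDP_AWARE_FROM = (12, 2, 37)

# Constructed sample: port settings as first posted, interface name made up.
SAMPLE = """\
interface FastEthernet1/0/1
 switchport mode access
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
 dot1x port-control auto
"""

def parse_version(text):
    """'12.2(25)SEE4' -> (12, 2, 25); the train letters are ignored."""
    m = re.search(r"(\d+)\.(\d+)\((\d+)\)", text)
    if not m:
        raise ValueError(f"unrecognised IOS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def parse_interfaces(config):
    """Split a running-config fragment into {interface name: [sub-commands]}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            current = None
        elif line and current is not None:
            current.append(line)
    return ports

def audit(config, ios_version):
    """Return {interface: finding} for 802.1X voice ports with too low a MAC limit."""
    needed = 2 if parse_version(ios_version) >= CDP_AWARE_FROM else 3
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        voice = any(c.startswith("switchport voice vlan") for c in cmds)
        per_vlan = any(re.match(r"switchport port-security maximum \d+ vlan", c) for c in cmds)
        if not (voice and "dot1x port-control auto" in cmds
                and "switchport port-security" in cmds) or per_vlan:
            continue  # not an 802.1X voice port, or per-VLAN limits (out of scope)
        limits = [int(n) for c in cmds
                  for n in re.findall(r"^switchport port-security maximum (\d+)$", c)]
        limit = limits[-1] if limits else 1  # IOS default is 1 secure MAC
        if limit < needed:
            findings[name] = f"port-security maximum {limit}, need {needed} on {ios_version}"
    return findings
```
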
11-13-2008 06:00 AM
Hi Andrew
All switches have the version 12.2(46)SE.