11-12-2008 09:37 PM - edited 03-06-2019 02:27 AM
Hi
I am configuring 802.1x in my customer's LAN. My customer has 2960 and 3750 switches and Cisco IP phones. I have a problem with the 3750 switches: the IP phone cannot connect to CallManager, but when I connect the IP phone to any port of a 2960 switch I have no problem. The configuration on the 3750 and 2960 is the same. The IOS version on all switches is c3750-ipbasek9-mz.122-25.SEE4
The configuration in the ports is:
interface FastEthernet X
 switchport mode access
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x guest-vlan 13
 dot1x auth-fail vlan 13
 spanning-tree portfast
Thanks for your help.
Jorge
11-13-2008 01:32 AM
Hello Jorge,
I would try
int fas X
dot1x host-mode multi-host
and
switch# dot1x re-authenticate interface fas X
Have you tried with a PC connected to the IP phone with 802.1X client SW?
Does the behaviour change?
Hope to help
Giuseppe
11-13-2008 06:10 AM
Hi Giuseppe
I will try this configuration, but the configuration is working well on the 2960 switches. Why does it fail on the 3750 switches? Only the 3750 switches have the problem.
11-13-2008 02:10 AM
Hi Jorge, I have just looked at a working 802.1x config from a 3560-POE I have (not exactly the same, I know) where I have some Cisco IP Phones, and it's almost the same as yours:
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 500
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 3
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 no snmp trap link-status
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x timeout reauth-period server
 dot1x reauthentication
 spanning-tree portfast
 service-policy input IPPHONE+PC-BASIC
 ip dhcp snooping limit rate 100
In theory a 3750 & a 2960 (assuming the same IOS revision) should have the same behaviour since they are both based on a similar platform.
Previously you needed to have three MAC addresses configured for port-security to work with an IP Phone and a PC, since the IP Phone initially appears on the access VLAN. However, I know there was a feature change (around IOS 12.2(37)SE) where as soon as CDP kicked in from the IP Phone the switch removed its MAC from the access VLAN, so you can have a maximum of two MACs configured. You are running older software so you will need the three MAC maximum.
I would suggest the first thing to try would be upgrading the IOS to the latest IOS release which is 12.2(46)SE.
Andy
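An offline audit of the port-security MAC budget described in the post above, added here as an example and not posted by anyone in the thread. The interface names and sample config are constructed, the 12.2(37) threshold is the approximate one quoted in the post, and ports that use per-VLAN maximums are skipped rather than evaluated.

```python
import re

# Threshold quoted in the post above ("around IOS 12.2(37)SE"); approximate.
CDP_CLEANUP_RELEASE = (12, 2, 37)
# Constructed sample config (interface names are placeholders).
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 switchport voice vlan 125
 switchport port-security maximum 2
 switchport port-security
 dot1x port-control auto
!
interface FastEthernet1/0/2
 switchport voice vlan 125
 switchport port-security maximum 3
 switchport port-security
!
interface GigabitEthernet1/0/1
 switchport mode trunk
"""

def parse_release(version):
    """'12.2(25)SEE4' -> (12, 2, 25); the train suffix is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\((\d+)", version)
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    return tuple(int(g) for g in m.groups())

def required_macs(version):
    return 2 if parse_release(version) >= CDP_CLEANUP_RELEASE else 3

def audit(config, version):
    """Return (interface, configured_max, required_max) for under-provisioned voice ports."""
    need, findings = required_macs(version), []
    for stanza in re.split(r"(?m)^(?=interface )", config):
        lines = [l.strip() for l in stanza.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        name, body = lines[0].split(None, 1)[1], lines[1:]
        if ("switchport port-security" not in body
                or not any(l.startswith("switchport voice vlan") for l in body)):
            continue  # only ports with port-security enabled and a voice VLAN
        if any(re.match(r"switchport port-security maximum \d+ vlan", l) for l in body):
            continue  # per-VLAN limits are not evaluated here
        hits = [re.fullmatch(r"switchport port-security maximum (\d+)", l) for l in body]
        limit = next((int(h.group(1)) for h in hits if h), 1)  # IOS default maximum is 1
        if limit < need:
            findings.append((name, limit, need))
    return findings
```

Call `audit()` with the text of a saved running-config and the release string from `show version`.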
11-13-2008 06:00 AM
Hi Andrew
All switches have the version 12.2(46)SE.