802.1x MDA LLDP Disabled on Switch (3750) but detected on phone?

yaplej
Level 1

I have been playing around with 802.1x and some IP phones.  The test scenario we have is that LLDP is globally disabled on the switch and enabled on the phone.  When the phone boots up, a non-LLDP-enabled device is allowed to use the data vlan to boot and learn (via DHCP) the voice vlan.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#pgfId-389460

We found that if LLDP is disabled on the switch it still detects LLDP on the phone and blocks the LLDP enabled phone from using the data vlan.  This causes the phone to "hang" waiting for DHCP.

Turning LLDP off on the switch port did not seem to help, as the switch tests for LLDP regardless and then blocks access to the data vlan.  It seems like *if* LLDP is disabled on the switch it should treat all devices as non-LLDP devices and allow the use of the data vlan, even if the device (IP phone) is capable of LLDP.

Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(55)SE8, RELEASE SOFTWARE (fc2)

1 Reply

yaplej
Level 1

Turned out that this was being caused by not having a valid DATA vlan set (leaving it in vlan 1).  It looks like with MDA you cannot assign the data VLAN the phone will use to boot in a Radius reply.  It has to be assigned manually?

Is there another way to tell the switch to allow the phone on data vlan 20 for a short period of time?

interface x/y/z
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 60
 switchport port-security maximum 5
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 authentication event fail retry 1 action authorize vlan 20
 authentication event no-response action authorize vlan 20
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 snmp trap mac-notification change added
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout server-timeout 2
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 2
 spanning-tree portfast
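
The follow-up above traces the phone "hang" to the port's data VLAN having been left at the default (VLAN 1) while the phone was expected to boot on VLAN 20. The script below is an added example, not from the thread or from Cisco: a small config linter that parses IOS interface stanzas and flags multi-domain phone ports whose `switchport access vlan` is still the default, or whose `authorize vlan` fallbacks point at a different VLAN than the configured data VLAN. The interface names and the sample running-config excerpt are constructed for the example (one stanza mirrors the working config posted above, one reproduces the broken state).

```python
"""Lint Cisco IOS interface stanzas for the 802.1X MDA data-VLAN pitfall.

Added example, not code from the original thread. For every interface that
runs multi-domain authentication with a voice VLAN, check that an explicit
data (access) VLAN is configured and that the 'authorize vlan' fallbacks
refer to that same VLAN.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample config (interface names are placeholders).
# Gi1/0/1 mirrors the working port; Gi1/0/2 omits 'switchport access vlan',
# so its data VLAN silently defaults to VLAN 1; Gi1/0/3 is not an MDA port.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 60
 authentication event fail retry 1 action authorize vlan 20
 authentication event no-response action authorize vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 60
 authentication event fail retry 1 action authorize vlan 20
 authentication event no-response action authorize vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
 switchport mode access
 authentication port-control auto
!
"""


@dataclass
class Interface:
    name: str
    access_vlan: int = 1                 # IOS default when no access VLAN is set
    voice_vlan: Optional[int] = None
    mda: bool = False                    # 'authentication host-mode multi-domain'
    authorize_vlans: Set[int] = field(default_factory=set)


def parse_interfaces(config: str) -> List[Interface]:
    """Split a running-config excerpt into interface stanzas.

    Stanza lines are indented by one space; any unindented line ('!',
    'line vty', ...) ends the current stanza.
    """
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = Interface(name=raw.split(None, 1)[1].strip())
            interfaces.append(current)
            continue
        if not raw.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        line = raw.strip()
        m = re.fullmatch(r"switchport access vlan (\d+)", line)
        if m:
            current.access_vlan = int(m.group(1))
        elif (m := re.fullmatch(r"switchport voice vlan (\d+)", line)):
            current.voice_vlan = int(m.group(1))
        elif line == "authentication host-mode multi-domain":
            current.mda = True
        elif (m := re.fullmatch(r"authentication event .* action authorize vlan (\d+)", line)):
            current.authorize_vlans.add(int(m.group(1)))
    return interfaces


def lint(interfaces: List[Interface]) -> Dict[str, List[str]]:
    """Return {interface: [issues]} for MDA phone ports; clean ports map to []."""
    findings: Dict[str, List[str]] = {}
    for intf in interfaces:
        if not (intf.mda and intf.voice_vlan is not None):
            continue  # only multi-domain ports with a voice VLAN are in scope
        issues = []
        if intf.access_vlan == 1:
            issues.append("data VLAN left at default VLAN 1; add 'switchport access vlan <n>'")
        for vlan in sorted(intf.authorize_vlans - {intf.access_vlan}):
            issues.append(f"fallback 'authorize vlan {vlan}' differs from data VLAN {intf.access_vlan}")
        findings[intf.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in lint(parse_interfaces(SAMPLE_CONFIG)).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against `show running-config` output saved to a file instead of the embedded sample to audit a whole switch; ports that pass print `OK`, and the broken stanza reports both the default-VLAN-1 data VLAN and the mismatched fallback VLAN.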
