04-07-2014 02:25 AM
System Parameters Default Maximum Current
igmp-max-group-addr 8192 32768 8192
ip-filter-sys 1021 1021 1021
l3-vlan 32 1024 32
mac 16384 16384 16384
vlan 64 4095 64
spanning-tree 32 255 32
mac-filter-port 32 256 32
mac-filter-sys 64 512 64
view 10 65535 10
rmon-entries 6144 32768 6144
mld-max-group-addr 8192 32768 8192
igmp-snoop-mcache 4096 8192 4096
mld-snoop-mcache 4096 8192 4096
This is my output
04-07-2014 02:29 AM
Ok, that is the default setting for the VLANs - you can have up to 63 (plus the default) VLANs. Do you have that many configured? Also, did you check if you are using MAC Auth?
04-07-2014 02:44 AM
I verified that MAC auth does not exist.
The VLANs configured are as follows: 3,16,555,854
Let me remind you that according to the last test I was able to authenticate two users from the same VLAN (3) but I cannot authenticate a third one in VLAN 16, for example. Is there any way of doing that? (To be honest, I cannot achieve that with my Cisco switches either)...
04-07-2014 03:22 AM
So the first client to get a successful Auth from RADIUS will set the dynamic VLAN. If another client then connects and RADIUS says place it in another VLAN, then it will fail the Auth for the second client (this is what you are seeing).
Below is from the manual where I found this.
The PVID for a port can be changed only once through RADIUS authentication. For example, if RADIUS
authentication for a Client causes a port’s PVID to be changed from 1 to 10, and then RADIUS authentication for
another Client on the same port specifies that the port’s PVID be moved to 20, then the second PVID assignment
from the RADIUS server is ignored.
If the port is already a member of a RADIUS-specified VLAN, and the RADIUS Access-Accept message
specifies the name or ID of a different VLAN, then it is considered an authentication failure. The port’s VLAN
membership is not changed.
So no, there is not a way of doing what you are trying to do as such; you would need to move dot1x out to the very edge so each port only carries the same VLAN.
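The rule quoted from the manual above, modelled as an added Python example (not from the manual or from any poster in this thread): the first Access-Accept that names a VLAN fixes the port's dynamic PVID, and a later Accept naming a different VLAN is an authentication failure. The port names and MAC addresses are constructed; VLANs 3 and 16 are the ones mentioned in the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    name: str
    default_pvid: int = 1
    radius_vlan: Optional[int] = None   # set once, by the first dynamic assignment
    sessions: Dict[str, str] = field(default_factory=dict)

    @property
    def pvid(self) -> int:
        return self.default_pvid if self.radius_vlan is None else self.radius_vlan


def access_accept(port: Port, mac: str, vlan: int) -> bool:
    """Apply an Access-Accept that names a VLAN; return True if the client is let in."""
    if port.radius_vlan is None:
        port.radius_vlan = vlan              # first client moves the PVID
    elif vlan != port.radius_vlan:
        port.sessions[mac] = "auth-failed"   # different VLAN: failure, membership unchanged
        return False
    port.sessions[mac] = "authorized"
    return True


def replay(port: Port, accepts: List[Tuple[str, int]]) -> List[bool]:
    """Feed Access-Accepts to the port in arrival order."""
    return [access_accept(port, mac, vlan) for mac, vlan in accepts]


def ports_with_vlan_conflict(plan: Dict[str, List[Tuple[str, int]]]) -> List[str]:
    """Pre-deployment check: ports whose expected clients map to more than one VLAN."""
    return sorted(p for p, clients in plan.items() if len({v for _, v in clients}) > 1)


# Constructed sample: two clients RADIUS places in VLAN 3, then one it places in VLAN 16.
SAMPLE = [("00:00:5e:00:53:01", 3), ("00:00:5e:00:53:02", 3), ("00:00:5e:00:53:03", 16)]

if __name__ == "__main__":
    port = Port("1/1/5")                     # constructed port name
    print(replay(port, SAMPLE), port.pvid, port.sessions)
    print(ports_with_vlan_conflict({"1/1/5": SAMPLE, "1/1/6": SAMPLE[:2]}))
```

Running the conflict check over the RADIUS user-to-VLAN mapping and the cabling plan shows in advance which shared ports will reject clients.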
04-07-2014 03:41 AM
Can you upload the configuration manual you have been looking at, as I was not able to find this one?
I just thought that there might be some way out of this situation...
04-07-2014 04:04 AM
Now I experience another problem with this switch.
I have an IP phone Yealink T19P which supports only LLDP protocol (no CDP)
I attach a PC to it in order to get the following configuration: Network --> Foundry FastIron --> Yealink (Phone) --> PC
In terms of configuration I do the following:
vlan 3 - DATA
tagged eth 1/1/3
vlan 10 - VOICE
tagged eth 1/1/3
int eth 1/1/3
dual-mode 3 (In order to make vlan 3 the untagged VLAN)
I start the LLDP service: lldp run
LLDP is enabled by default on the phone (this has been confirmed)
Then I apply the following commands on the switch in order to forcibly put the phone in VLAN VOICE:
lldp med network-policy application voice tagged vlan 854 priority 7 dscp 48 ports ethe 1/1/1 to 1/1/48 ethe 1/2/1 to 1/2/2
lldp advertise vlan-name vlan 854 ports ethe 1/1/1 to 1/1/48 ethe 1/2/1 to 1/2/2
It was working fine a week ago. However, at present the phone is not put automatically in the proper VLAN and goes directly in the DATA one...
Where do I go wrong?