Hi, yes this is what we do. Any MAC address on the port can be MAC or 802.1x authenticated, so long as all frames hit the interface untagged.
Original Message:
Sent: Nov 29, 2023 03:07 AM
From: owais iqbal
Subject: 5130 EI and 5140 EI - Voice Vlan
In my case the IP phone will be MAC authenticated, whereas the user will be authenticated through dot1x and the data VLAN will be assigned according to it. At the same time I want to assign the IP phone to a different VLAN; I don't really need tagging. I just need to assign the IP phone to its respective VLAN. Is it doable?
Original Message:
Sent: Nov 29, 2023 02:36 AM
From: IanNightingale
Subject: 5130 EI and 5140 EI - Voice Vlan
The solution depends on the way the phone is set up. We have 100% dynamic assignment of VLANs to all devices. Phones have PCs plugged into the back of them. The phone is configured so that both the PC's and the phone's traffic are untagged. Therefore when both MAC addresses hit a hybrid port they are MAC-authenticated in the same way as two independent devices on an unmanaged switch.
An example config is below, with the only static assignment being the VLAN they drop into if they fail authentication.
interface GigabitEthernet1/0/1
 undo enable snmp trap updown
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 31 untagged
 port hybrid pvid vlan 31
 mac-vlan enable
 stp edged-port
 poe enable
 undo dot1x handshake
 dot1x mandatory-domain york.ac.uk
 dot1x max-user 80
 undo dot1x multicast-trigger
 dot1x re-authenticate
 dot1x auth-fail vlan 31
 dot1x critical vlan 31
 mac-authentication max-user 80
 mac-authentication domain mac_domain
 mac-authentication guest-vlan 31
 mac-authentication critical vlan 31
 undo mac-authentication offline-detect enable
 port-security port-mode userlogin-secure-or-mac-ext
 port-security mac-move bypass-vlan-check
 loopback-detection enable vlan 1 to 4094
 loopback-detection action shutdown
 dhcp snooping binding record
 dhcp snooping check request-message
 dhcp snooping check mac-address
 dhcp snooping information enable
 dhcp snooping information strategy keep
Results in the following LLDP output:
LLDP tlv-config of port 1[GigabitEthernet1/0/1]:
LLDP agent nearest-bridge:
NAME                                 STATUS  DEFAULT
Basic optional TLV:
  Port Description TLV               YES     YES
  System Name TLV                    YES     YES
  System Description TLV             YES     YES
  System Capabilities TLV            YES     YES
  Management Address TLV             YES     YES
IEEE 802.1 extend TLV:
  Port VLAN ID TLV                   YES     YES
  Port And Protocol VLAN ID TLV      NO      NO
  VLAN Name TLV                      NO      NO
  DCBX TLV                           NO      NO
  EVB TLV                            NO      NO
  Link Aggregation TLV               YES     YES
  Management VID TLV                 NO      NO
IEEE 802.3 extend TLV:
  MAC-Physic TLV                     YES     YES
  Power via MDI TLV                  YES     YES
  Maximum Frame Size TLV             YES     YES
  Link Aggregation TLV               NO      NO
LLDP-MED extend TLV:
  Capabilities TLV                   YES     YES
  Network Policy TLV                 YES     YES
  Location Identification TLV        NO      NO
  Extended Power via MDI TLV         YES     YES
  Inventory TLV                      YES     YES
If the switch needs to know which VLAN to tag and which VLAN to untag on the edge port then I guess the LLDP-MED is required, or static assignment.
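The reply above says the only static assignment on the port is the VLAN devices drop into when authentication fails. As an added example (not part of the original thread), this Python check parses that stanza and confirms every static VLAN reference agrees; the check names and finding strings are assumptions made for illustration, and the sample is a subset of the posted config.

```python
import re

# Constructed sample: the VLAN-related lines of the port stanza posted above.
PORT_CONFIG = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 31 untagged
 port hybrid pvid vlan 31
 mac-vlan enable
 dot1x auth-fail vlan 31
 dot1x critical vlan 31
 mac-authentication guest-vlan 31
 mac-authentication critical vlan 31
 loopback-detection enable vlan 1 to 4094
"""

# Commands on the port that statically place traffic or failed clients in a VLAN.
# The dictionary keys are labels chosen for this example.
STATIC_VLAN_CMDS = {
    "pvid": r"port hybrid pvid vlan (\d+)",
    "hybrid member": r"port hybrid vlan (\d+) (?:un)?tagged",
    "dot1x auth-fail": r"dot1x auth-fail vlan (\d+)",
    "dot1x critical": r"dot1x critical vlan (\d+)",
    "mac-auth guest": r"mac-authentication guest-vlan (\d+)",
    "mac-auth critical": r"mac-authentication critical vlan (\d+)",
}

def audit_port(config):
    """Return (static VLAN references, findings) for one interface stanza."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    refs = {}
    for ln in lines:
        for name, pattern in STATIC_VLAN_CMDS.items():
            m = re.fullmatch(pattern, ln)
            if m:
                refs[name] = int(m.group(1))
    findings = []
    for required in ("port link-type hybrid", "mac-vlan enable"):
        if required not in lines:
            findings.append(f"missing: {required}")
    if any(re.fullmatch(r"port hybrid vlan \d+ tagged", ln) for ln in lines):
        findings.append("static tagged VLAN on an all-untagged design")
    if len(set(refs.values())) > 1:
        findings.append(f"fallback VLANs disagree: {sorted(set(refs.values()))}")
    unset = sorted(set(STATIC_VLAN_CMDS) - set(refs))
    if unset:
        findings.append(f"no fallback set for: {unset}")
    return refs, findings
```

An empty findings list means devices that fail or cannot reach authentication all land in the same VLAN as the port's PVID, which is the behaviour the reply describes.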
Original Message:
Sent: Nov 28, 2023 06:41 AM
From: Owais101
Subject: 5130 EI and 5140 EI - Voice Vlan
Dear Experts,
I need to understand whether it is possible in CW7 to apply the voice VLAN dynamically, or whether at some point we need to define it statically, like when telling the IP phone which VLAN to use for tagging the traffic?
https://support.hpe.com/hpesc/public/docDisplay?docId=sf000096280en_us&docLocale=en_US
There are some commands that need to be defined statically on the port, like below:
lldp tlv-enable dot1-tlv protocol-vlan-id
lldp tlv-enable med-tlv network-policy 180
So I don't see any benefit of sending the voice VLAN via RADIUS if we have to define it ultimately on the port as well?