Thanks a lot for your suggestion but this is not the solution I am looking for.
The good news is that I managed to make it work exactly as intended: known MACs are going to predefined VLANs while the rest of the devices are placed into a default VLAN.
Original Message:
Sent: Jun 12, 2024 04:05 PM
From: Dustin Burns
Subject: The local-mac vlan association
See if this post helps you: Wired 802.1x phone and PC
------------------------------
Dustin Burns
Lead Mobility Engineer @Worldcom Exchange, Inc.
ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
If my post was useful accept solution and/or give kudos
Original Message:
Sent: Jun 12, 2024 03:00 PM
From: mikes
Subject: The local-mac vlan association
Hi Dustin,
Thanks a lot for the tip; I didn't even know that there were clients limit settings..))
Unfortunately it didn't work out; when checking
show port-access local-mac clients
the response is:
Port  MAC Address       IP Address         Client Status
----- ----------------- ------------------ ----------------------
7     00809f-7526e6     n/a                authenticated          <-- IP phone
7     b083fe-950d6f     n/a                rejected no vlan       <-- PC
The idea was to assign all phones to VLAN 172 while all other hosts are on default VLAN 113 including the ones that are plugged into phones.
Here is my config:
==========================
vlan 113
name "CenterSprings-ports"
untagged 1-28
ip address 10.64.13.2 255.255.255.0
ip helper-address 10.6.66.252
exit
aaa port-access local-mac mac-group "phones-mac-group"
mac-oui 00809f
exit
aaa port-access local-mac profile "phones-profile"
vlan <un>tagged 172
exit
aaa port-access local-mac apply profile "phones-profile" mac-group "phones-mac-group"
aaa port-access authenticator 1-24 client-limit 10
aaa port-access local-mac 1-24 addr-limit 10
=========================
Any ideas what's not right?
Thanks a lot!
Mike S
Original Message:
Sent: Jun 12, 2024 07:22 AM
From: Dustin Burns
Subject: The local-mac vlan association
Do you have a client-limit set higher than 1? "aaa port-access authenticator <port/ports> client limit <limit>"
Original Message:
Sent: Jun 11, 2024 11:32 AM
From: mikes
Subject: The local-mac vlan association
I have a routine setup of a PC daisy chained to an Alcatel IP phone plugged into the 2540 port.
I am using the local-mac groups and profiles to assign different types of devices to particular vlans; 113 for data (PC) and 172 for phones, as follows:
aaa port-access local-mac mac-group "phones-mac-group"
mac-oui 00809f
exit
aaa port-access local-mac profile "phones-profile"
vlan tagged 172
exit
aaa port-access local-mac apply profile "phones-profile" mac-group "phones-mac-group"
aaa port-access local-mac 1-24
The vlan 113 is a default (untagged) on all 1-24 ports.
The problem is that the PC behind the phone is not passing any traffic at all, even its MAC is not visible from the switch; I was trying both "vlan tagged 172" and "vlan untagged 172" as well as 172 voice and no voice - with no results.
What am I missing here?
Thanks!