Fri, Jun 25, 2021 8:48 PM

Configure 802.1x auth on 7150 stacks

I need to get 802.1x auth configured on all of our ICX 7150 switches, and am reading through the documentation trying to learn. I came across this in the Security Guide/Flexible Authentication section:

"Before authentication is enabled on a port, the port can belong to any VLAN, including the system default VLAN. The only restriction is that the port cannot be a part of any VLAN as untagged." 

Am I understanding this correctly? No ports can have an untagged VLAN on them at all?

As it stands today, all ports on our "IDF" or "Access" switches (switches that provide the end-user ports to plug into) are untagged on VLAN 1 and tagged on VLAN 333. VLAN 1 is what our main IP network is on: client machines, some servers, etc. VLAN 333 is used for our Mitel phone system and IP phone sets. So, if a Mitel IP phone is plugged into a port, it will get some DHCP options passed to it that will get it on the 333 VLAN (tagged), and the computer pass-through port on the back of the phone stays untagged on VLAN 1.

I am having a hard time understanding how this will work if we can't have VLAN 1 untagged on our ports.

Here is an example switch config as it is currently:

ver 08.0.95bT213
!
stack unit 1
  module 1 icx7150-24p-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
 spanning-tree
!
vlan 25 name Honeywell by port
 tagged ethe 1/3/1 to 1/3/4 
!
vlan 101 name NAC_Corp1_WLAN_101 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4 
!
vlan 106 name NAC_Warehouse_WLAN_106 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4 
!
vlan 107 name NAC_Employee_Phone_WLAN_07 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4 
!
vlan 108 name "Ruckus AP" by port
 tagged ethe 1/3/3 
 untagged ethe 1/1/21 
!
vlan 333 name "voip vlan" by port
 tagged ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24 ethe 1/3/1 to 1/3/4 
!
!
!
!
!
!
!
!
!
aaa authentication login default local
enable aaa console
hostname "IDF EXP OFFICE"
ip dns server-address 8.8.8.8
ip route 0.0.0.0/0 190.1.200.235
!
telnet timeout 10
no telnet server
!
!
!
!
!
!
ntp
 server ntp.ruckuswireless.com
!
!
!
!
manager registrar
manager registrar-list 34.66.194.73 34.66.194.74
manager active-list 34.66.194.74 34.66.194.73
!
manager port-list 987
!
!
!
!
!
!
!
!
!
interface management 1
 disable
!
interface ve 1
 ip address 190.1.5.51 255.255.0.0
!
!
!

!
!
!
!
!
!
!
!
!
!
!
end

Responses

Accepted Solution

Official Rep


3 m ago

Hi David,

Hope you are doing great!

You can change the default VLAN to any other VLAN using the following commands from config mode:

con t

default-vlan-id 100

write memory

But you also need to consider your network design if you are using Cisco switches with a native VLAN.

Hope this helps

Thanks

Hashim

Official Rep


3 m ago

Hi David,

On ICX, a port can be untagged on any single VLAN and tagged on multiple VLANs. This is the rule of thumb. You can open a support case to have a quick call with support staff to clarify your questions as well.

Thanks

Jijo 

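Putting the two replies together (a port carries one untagged VLAN plus any number of tagged VLANs, and the untagged VLAN of an authenticating port is whatever Flexible Authentication or RADIUS puts it in, not a static `untagged` entry), the following is an added example of how the posted switch could be moved to Flexible Authentication while keeping the VLAN 1 data / VLAN 333 voice layout. It is an editor's illustration, not configuration from the thread or from Ruckus documentation. The RADIUS server address, the shared secret, the parking VLAN 999 and the quarantine VLAN 998 are hypothetical placeholders, and every command and the RADIUS attribute format should be confirmed against the FastIron 08.0.95 command reference and Security Configuration Guide before it is pushed to a production stack.

```text
! Added example (not from the thread). Placeholders: 190.1.200.10, SECRET,
! VLAN 998, VLAN 999. Verify each command against the 08.0.95 command reference.
!
! 1. RADIUS server used for both 802.1X (dot1x) and MAC authentication.
!    Use a long random shared secret; it is the only thing protecting the
!    RADIUS exchange between switch and server.
aaa authentication dot1x default radius
radius-server host 190.1.200.10 auth-port 1812 acct-port 1813 default key SECRET dot1x mac-auth
!
! 2. Dedicated VLANs that carry no routed interface:
!    999 = where a port sits while it is still being authenticated
!    998 = where a port is sent when authentication fails or RADIUS is unreachable
!    Neither VLAN has a ve, so an unauthenticated host gets no path to the network.
vlan 999 name AUTH-PARKING by port
vlan 998 name AUTH-QUARANTINE by port
!
! 3. Existing static layout is kept. Access ports stay tagged in the voice VLAN
!    (tagged membership is allowed on an authenticating port); their untagged
!    VLAN is no longer configured statically but assigned at authentication time.
!    Port 1/1/21 is untagged in VLAN 108 for the AP, so it is deliberately left
!    out of authentication below: an untagged member of a configured VLAN is the
!    case the quoted restriction rules out.
vlan 333 name "voip vlan" by port
 tagged ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24 ethe 1/3/1 to 1/3/4
!
! 4. Flexible Authentication. MAC auth runs first (phones, printers), then
!    802.1X (domain PCs behind the phone). A device that fails, or that cannot
!    be checked because RADIUS is down, lands in VLAN 998 rather than in VLAN 1.
authentication
 auth-default-vlan 999
 auth-order mac-auth dot1x
 re-authentication
 restricted-vlan 998
 auth-fail-action restricted-vlan
 critical-vlan 998
 auth-timeout-action critical-vlan
 dot1x enable
 dot1x enable ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24
 dot1x port-control auto ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24
 mac-authentication enable
 mac-authentication enable ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24
!
! 5. RADIUS side (server policy, not switch config). With dynamic VLAN
!    assignment the server returns, per session:
!      Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
!      Tunnel-Private-Group-ID = "U:1"    for a PC   (untagged in VLAN 1)
!      Tunnel-Private-Group-ID = "T:333"  for a phone (tagged in VLAN 333)
!    The "U:" / "T:" prefixes are the untagged/tagged form used by FastIron
!    dynamic VLAN assignment; confirm the syntax for your release. One port
!    therefore ends up untagged in 1 and tagged in 333, which is exactly the
!    "one untagged, many tagged" rule from the second reply.
!
! 6. Checks after enabling on a pilot port:
!    show authentication sessions all      - which MAC/user sits in which VLAN
!    show vlan 999                          - should be empty once clients are in
```

Pilot this on one or two ports first, because a mis-typed shared secret or an unreachable RADIUS server sends every authenticating client into VLAN 998 at once. Note also that the uplink and stack ports (1/3/1 to 1/3/4) are not enabled for authentication, so they keep VLAN 1 as their untagged VLAN and the `ve 1` management path stays up.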
