IEOC CCIE Forums
Latest post 11-29-2016 12:59 AM by timaz. 16 replies.
  • 11-27-2016 2:00 AM In reply to

    Re: a question regarding helper-address

    As said, the IP Phone will initially send untagged traffic; after it learns about the voice VLAN via CDP it will start sending tagged traffic, so the switch will put the phone in the proper VLAN in the end.

    You have a chicken-and-egg issue: to apply the dACL on the port, the switch needs to learn the IP address of the connected device (so until that happens, all IP traffic from the device is blocked), while to get an IP address via DHCP the device needs to be able to send DHCP traffic into the network. So configure a pre-auth ACL in which you allow DHCP traffic; however, depending on the code you're running on the switch, there is a default pre-auth ACL applied which allows DHCP traffic. Read here about "Default ACL Used for 802.1x": http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html


    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com


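A minimal pre-authentication ACL of the kind Cristian describes, as an added illustration that is not from the original post or from the Cisco document he links: it permits only DHCP (plus DNS and ICMP) until ISE pushes the dACL, and enables IP device tracking so the switch can learn the address the dACL is keyed on. Interface g0/8 and voice VLAN 500 come from the thread; the ACL name PRE-AUTH, data VLAN 100 and the remaining port settings are assumptions.

```cisco
! Added example (not from the thread): pre-auth ACL that lets the phone and PC
! obtain an address via DHCP before the dACL downloaded from ISE replaces it.
! g0/8 and voice VLAN 500 are from the thread; ACL name and VLAN 100 are assumed.
ip device tracking
!
ip access-list extended PRE-AUTH
 remark DHCP client (bootpc) to server (bootps), so the device can get an IP
 permit udp any eq bootpc any eq bootps
 remark DNS and ICMP are optional; everything else stays blocked until the dACL arrives
 permit udp any any eq domain
 permit icmp any any
 deny   ip any any
!
interface GigabitEthernet0/8
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 500
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

After the phone authenticates, `show authentication sessions interface g0/8 details` lists the dACL that replaced PRE-AUTH for that session, and `show ip device tracking all` should now show the phone's address in VLAN 500 as well as the PC's.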
  • 11-29-2016 12:59 AM In reply to

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • Ankara, Turkey
    • Elite
    • Points 6,910

    Re: a question regarding helper-address

    cristian.matei:

    As said, the IP Phone will initially send untagged traffic; after it learns about the voice VLAN via CDP it will start sending tagged traffic, so the switch will put the phone in the proper VLAN in the end.

    You have a chicken-and-egg issue: to apply the dACL on the port, the switch needs to learn the IP address of the connected device (so until that happens, all IP traffic from the device is blocked), while to get an IP address via DHCP the device needs to be able to send DHCP traffic into the network. So configure a pre-auth ACL in which you allow DHCP traffic; however, depending on the code you're running on the switch, there is a default pre-auth ACL applied which allows DHCP traffic. Read here about "Default ACL Used for 802.1x": http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/119374-technote-dacl-00.html


    Hi Cristian!

    I changed both the static ACL on g0/8 and the dACL on the ISE and added "permit udp any any" to them. Although I now have hits on the ACL, still nothing works. The phone doesn't get any IP from the DHCP server, but my PC gets authenticated with no problem. When I took a look at the MAC address table on the switch, I saw this:

    Switch(config-if)#do sh mac address-ta dy inter g0/8
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
     500    38ed.1855.787c    DYNAMIC     Drop

    The MAC belongs to the phone. As you might notice, the MAC address of the PC is not in the table, but I have access from the PC to the network, and ISE even shows that the PC passed authentication and authorization successfully. But the MAC address of the phone is displayed as "Drop" in the voice VLAN 500. The output of "sh ip device track all" on the switch revealed just the MAC address of the PC in the data VLAN.

    I'm getting disappointed with this, because I've been working on this very issue for more than 2 months, and despite all of the efforts and recommendations, I still haven't managed to resolve this simple problem.

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com
