Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Mon, 24 Aug 2009 15:32:13 +0100

Hi guys,

Correction on my previous statement: "Multi-host feature **may not be** a
supported feature on the 3550 even though it's configurable!"

Sorry, but I am not even sure if we are disagreeing here? It does not seem to
be the case, I would think. And yeah, you are right, multi-host is indeed
supported on the 3550 today.

All I was trying to say is that configuring an auth-fail/guest VLAN on a port
with multi-host does not make much practical sense, although the command seems
to have been accepted by the switch.

Thanks,
Sadiq

On Mon, Aug 24, 2009 at 3:23 PM, Ryan West <rwest_at_zyedge.com> wrote:

> Sadiq,
>
> I would be happy to be proven wrong here, but I see no indication that
> multi-host is not supported on the 3550. It seems it's been there since
> 12.1 days, but I could be wrong.
>
> Private-VLANs on the other hand can be created on a 3550, but will not
> work. I agree there are documentation bugs, but when IOS tells you what the
> problem is and then the documentation says it's not supported, maybe it's
> not supported?
>
> -ryan
>
> *From:* Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> *Sent:* Monday, August 24, 2009 10:13 AM
> *To:* Ryan West
> *Cc:* CCIE League; ALL From_NJ; Darby Weaver; CCIEGS
>
> *Subject:* Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>
> Because League mentioned them and he couldn't get information on them.
>
> Besides, have you ever heard of something called "documentation bug" Ryan?
> Multi-host feature is not a supported feature on the 3550 even though it's
> configurable!
>
> Sadiq
>
> On Mon, Aug 24, 2009 at 3:02 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> Why are you looking up bugs for a documented feature that's behaving
> exactly how the Doc indicates?
>
> -ryan
>
> *From:* Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
> *Sent:* Monday, August 24, 2009 7:08 AM
> *To:* CCIE League
> *Cc:* ALL From_NJ; Ryan West; Darby Weaver; CCIEGS
>
>
> *Subject:* Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>
> All DDTS below seem to have been opened on c2800, not to mention opened
> back in 2007 :-)
>
> It might be related to the hardware you are using, League. The 3550 has
> very limited functionality for 802.1X config to be honest. I was even
> surprised to see you were able to configure multi-host mode on it. And I
> would not be surprised if it's only configurable and NOT supported. When you
> have some time, do some more digging to find out.
>
>
> But practically speaking anyway, I think the AUTH-FAIL and GUEST VLAN
> features are not supported with the multi-host mode. My reason is because
> these Cisco switches today only support a single access VLAN on a
> non-trunking port. You can have a multi VLAN access port and configure a
> voice VLAN, but this is only useful for Cisco IP phones anyway (unless you
> tweak your PC to send in tagged frames anyway).
>
> So because an access port only supports a single VLAN, how can you have
> VLAN1 (as configured above, or a dynamic VLAN sent down via RADIUS), as well
> as an AuthFail (or Guest) VLAN (which seems to be VLAN99 on the config
> above) also configured on the port?
>
> Anyway, hope this does not confuse you more here.
>
> Sadiq
>
> On Mon, Aug 24, 2009 at 1:07 AM, CCIE League <ccieleague_at_ymail.com> wrote:
>
> After doing a little R&D I found... Known caveats associated with
> Authentication Fail VLAN are documented with CSCsj80588, CSCsj51624, and
> CSCsj55636
>
> ------------------------
>
> When I searched for these CSC... I got
>
> --------------------------------
> CSCsb77186 Bug Details
>
> Information contained within bug ID CSCsb77186 is only available to Cisco
> employees. It is our policy to make all externally-facing bugs available in
> Bug Toolkit so the system administrators have been automatically alerted to
> the problem. By choosing to save this bug, you may be notified when the
> decision to make this bug available to you has been made. Note: Some product
> enhancement requests and documentation error bugs may not be available in
> Bug Toolkit.
>
> --------------------------
>
> :)
>
> Moving on... already spent too much time... let's see if I get a response
> from dear vendors...
>
> Thanks for helping...
>
> ________________________________
>
> From: ALL From_NJ <all.from.nj_at_gmail.com>
>
> To: CCIE League <ccieleague_at_ymail.com>
> Cc: Ryan West <rwest_at_zyedge.com>; Darby Weaver <darby.weaver_at_gmail.com>;
> CCIEGS <ccielab_at_groupstudy.com>
> Sent: Monday, 24 August, 2009 0:24:08
>
> Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
>
> Maybe one of the vendors can comment, but even though it states multiple
> hosts will be connected to the port, it does not say that multi-host mode
> should be used.
>
> The labs I have been working on, normally say something like "allow all
> hosts access when only one host authenticates" ... something like this to
> indicate multi-host mode.
>
> Sounds like you might need only single host mode. Although, I would also
> agree that the task is worded in such a way to suggest multiple hosts.
>
> Would be interested to hear one of the vendor guys speak, but as you found,
> the configs are not compatible. After it fails, might be a good time to
> formulate a question and ask a proctor.
>
> Something like - should I read this question to indicate that if one host
> authenticates, all others should be allowed, or should I read this as
> different hosts may plug into this port?
>
> Not sure ... just thinking out loud ... ;-)
>
> Andrew
>
> On Sun, Aug 23, 2009 at 7:09 PM, CCIE League <ccieleague_at_ymail.com> wrote:
>
> Thanks... still trying to figure out... thanks Ryan for the doc...
> >
> >Q says multiple hosts connected to this interface f0/14.
> >Hosts failing "authorisation" should go to vlan 99; also hosts without
> dot1x support go to vlan 99
> >
> ________________________________
> From: ALL From_NJ <all.from.nj_at_gmail.com>
> >To: Ryan West <rwest_at_zyedge.com>
> >Cc: Darby Weaver <darby.weaver_at_gmail.com>; CCIE League <
> ccieleague_at_ymail.com>; CCIEGS <ccielab_at_groupstudy.com>
> >Sent: Sunday, 23 August, 2009 23:45:20
> >
> >Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
> >
> >
> >(Was writing this when I saw Ryan's response ;-))
> >
> >In an odd way ... it kind of makes sense to me.
> >
> >Multi-host mode says that when any one single client, out of the many
> clients available, authenticates on the port, then authorize and enable the
> port on the network.
> >
> >The auth-fail command is saying that when a client fails authentication,
> they should be placed into a particular vlan. These two are not
> complementary to each other since they could 'override' each other. Makes
> sense?
> >
> >Mr League, does the task ask you to support clients who do not support
> dot1x? Or not when they fail auth? etc ... Just curious as to what the
> task is asking for.
> >
> >HTH,
> >
> >Andrew Lee Lissitz
> >
> >On Sun, Aug 23, 2009 at 6:37 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >
> >Configuration guide is your friend:
> >>
> >>http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/sw8021x.html#wp1179086
> >>
> >>It makes sense when you think about what it's trying to accomplish.
> >>
> >>-ryan
> >>
> >>
> >>-----Original Message-----
> >>From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Darby Weaver
> >>Sent: Sunday, August 23, 2009 6:27 PM
> >>To: CCIE League
> >>Cc: CCIEGS
> >>Subject: Re: Dot1x Auth-Fail-Vlan is not supported on multi-host mode
> >>
> >>What version of IOS?
> >>
> >>I recall configuring this using multi-host without getting errors?
> >>
> >>On Sun, Aug 23, 2009 at 3:56 PM, CCIE League <ccieleague_at_ymail.com>
> wrote:
> >>
> >>> I am getting the following message when setting Auth fail VLAN where I
> >>> have to config multi-host support also.
> >>>
> >>> SW1(config-if)#dot1x auth-fail vlan 99
> >>>
> >>> Command rejected: Port is in multi-host mode
> >>>
> >>> Dot1x Auth-Fail-Vlan is not supported on multi-host mode
> >>>
> >>>
> >>> --------Config --------------
> >>> aaa new-model
> >>> aaa authentication dot1x default group radius
> >>>
> >>> dot1x system-auth-control
> >>> dot1x guest-vlan supplicant
> >>> !
> >>> interface FastEthernet0/14
> >>> switchport mode access
> >>> dot1x port-control auto
> >>> dot1x host-mode multi-host
> >>> dot1x guest-vlan 99
> >>> spanning-tree portfast
> >>>
> >>> ------------------------------------------------
> >>>
> >>> Thanks for your help...
> >>>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
> --
> CCIE #19963

--
CCIE #19963
Blogs and organic groups at http://www.ccie.net
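As an added example, not code from this thread or from any Cisco tool: a small Python linter for pasted IOS-style interface stanzas that flags, before a config is pushed, the host-mode combinations the thread turns on. It reproduces offline the check the switch performed at the CLI ("Command rejected: Port is in multi-host mode" for `dot1x auth-fail vlan`) and adds the weaker warning Sadiq argues for (a guest VLAN on a multi-host port). The sample config is constructed from the stanza CCIE League posted, with an added `dot1x auth-fail vlan 99` line under Fa0/14 and two hypothetical extra interfaces; the function names are mine.

```python
"""Lint IOS-style 802.1X interface stanzas for host-mode / fallback-VLAN conflicts.

Added example, not code from the thread or from Cisco. The sample below is
constructed: Fa0/14 is the stanza from the thread plus an 'auth-fail vlan'
line, Fa0/15 and Fa0/16 are hypothetical ports added for contrast.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
!
interface FastEthernet0/14
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport mode access
 dot1x port-control auto
 dot1x auth-fail vlan 99
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 dot1x auth-fail vlan 99
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from an IOS-style config text.

    A stanza starts at 'interface X' and ends at the next '!' or 'interface'.
    Indentation is ignored, since pasted configs (as in the thread) often lose it.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def host_mode(lines: List[str]) -> str:
    """Effective 802.1X host mode; IOS defaults to single-host when none is set."""
    for line in lines:
        m = re.fullmatch(r"dot1x host-mode (\S+)", line)
        if m:
            return m.group(1)
    return "single-host"


def lint_interface(lines: List[str]) -> List[str]:
    """Findings for one interface stanza, most severe first."""
    findings: List[str] = []
    mode = host_mode(lines)
    auth_fail = any(re.fullmatch(r"dot1x auth-fail vlan \d+", l) for l in lines)
    guest = any(re.fullmatch(r"dot1x guest-vlan \d+", l) for l in lines)

    if mode == "multi-host" and auth_fail:
        # The combination IOS rejected in the thread: in multi-host mode one
        # successful host authorizes the whole port, so there is no per-host
        # failure state to move into a fallback VLAN.
        findings.append("ERROR: dot1x auth-fail vlan is rejected on a multi-host port")
    if mode == "multi-host" and guest:
        # Accepted by the switch in the thread, but an access port carries a
        # single data VLAN, so a guest VLAN cannot coexist with the authorized VLAN.
        findings.append("WARN: dot1x guest-vlan on a multi-host port has no practical effect")
    if (auth_fail or guest) and "dot1x port-control auto" not in lines:
        # Without 'port-control auto' the port stays force-authorized (the IOS
        # default) and 802.1X never runs, so the fallback VLAN is dead config.
        findings.append("WARN: fallback VLAN configured but dot1x port-control is not auto")
    return findings


def lint_config(config: str) -> Dict[str, List[str]]:
    """Lint every interface stanza; clean interfaces map to an empty list."""
    return {name: lint_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["OK"])
```

Running it prints an ERROR and a WARN for Fa0/14 (the thread's case), nothing for Fa0/15, and a port-control warning for Fa0/16. The parser is deliberately forgiving about indentation so that stanzas pasted into mail, like the one in this thread, still lint correctly.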
Received on Mon Aug 24 2009 - 15:32:13 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART