Examples of Behaviors
Unreachable RADIUS server
A device, such as an IP phone or PC, goes to a RADIUS server and is unable to authenticate. The device is then assigned to a Critical VLAN or a critical user-role.

    Stack(config)# show port-ac clients

    Port Access Client Status

    Port  Client Name  MAC Address   IPAddress  User Role Type VLAN
    ----- ------------ ------------- ---------- --------- ---------
    1/1   b4b0178db6a2 b4b017-8db6a2 n/a        critical  MAC
Tagged critical role
When a critical role has a tagged VID that is configured as voice, the port connected to the MED device (IP phone) becomes a tagged member of the voice VLAN. The switch supports only one tagged VLAN as critical. For clients with auto-VLAN-negotiation capabilities (MED devices), the switch sends the VLAN information in the “TIA TR-41 Committee – Network Policy” TLV of the LLDP packet. If the MED device is advertising using CDP, the switch sends the VLAN information in the "VOIP VLAN Reply" field of CDP. The MED devices use that VLAN to tag their traffic. To enable this VLAN advertisement in LLDP, the Critical VLAN must be made a ‘voice’ VLAN.
For clients that send tagged traffic, the switch can put them in a Critical Tagged-VLAN:
1. Create a tagged VLAN.
2. Make the tagged VLAN voice.
3. Create a user-role.
4. Make the tagged VLAN a member of the user-role.
5. Make the user-role a critical user-role with the command:
aaa authorization user-role name <CRITICAL-VOICE> vlan-id-tagged <ID>

    Stack(config)# show vlan 10

    VLAN ID : 10
    Name : VLAN10
    Status : Port-based
    Voice : Yes
    Jumbo : No
    Private VLAN : none
    Associated Primary VID : none
    Associated Secondary VIDs : none

    Port Information Mode     Unknown VLAN Status
    ---------------- -------- ------------ ----------
    1/1              MACAUTH  Learn        Up

    Overridden Port VLAN configuration
    ------ ------------
    1/1    MACAUTH

show lldp info remote-device
If we execute show lldp info remote-device, we can see that the phone has learned which tag to apply to its traffic. The results are as follows:

    Stack(config)# show lldp info remote-device 1/1

    LLDP Remote Device Information Detail

    Local Port : 1/1
    ChassisType : network-address
    ChassisId : 0.0.0.0
    PortType : mac-address
    PortId : b4 b0 17 8d b6 a2
    SysName : AVX8DB6A2
    PortDescr :
    Pvid :
    System Capabilities Supported : bridge, telephone
    System Capabilities Enabled : bridge

    Remote Management Address
    Type : ipv4

    MED Information Detail
    EndpointClass :Class3
    Media Policy Vlan id :10
    Media Policy Priority :6
    Media Policy Dscp :46
    Media Policy Tagged :True
    Poe Device Type :PD
    Power Requested :2.6 W
    Power Source :From PSE

Run packet captures to show the switch advertising which VLAN the phone should use, or the phone advertising which VLAN to use.
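To check a capture against the MED values the switch reports, the following added example (not part of the original page or the switch software) decodes the LLDP-MED Network Policy TLV, which is the organizationally specific TLV with TIA OUI 00-12-BB and subtype 2. The sample LLDPDU bytes are constructed to carry the policy shown above (VLAN 10, priority 6, DSCP 46, tagged), and the function names are hypothetical.

```python
import struct

TIA_OUI = bytes.fromhex("0012bb")   # TIA TR-41 Committee OUI
NETWORK_POLICY = 2                  # LLDP-MED subtype: Network Policy
APP_TYPES = {1: "voice", 2: "voice-signaling"}

def iter_tlvs(lldpdu):
    """Yield (type, value) for each TLV in an LLDPDU (Ethernet header removed)."""
    off = 0
    while off + 2 <= len(lldpdu):
        (hdr,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF   # 7-bit type, 9-bit length
        off += 2
        if tlv_type == 0:                          # End of LLDPDU
            return
        if off + length > len(lldpdu):
            raise ValueError("truncated TLV")
        yield tlv_type, lldpdu[off:off + length]
        off += length

def med_network_policies(lldpdu):
    """Decode every LLDP-MED Network Policy TLV found in the LLDPDU."""
    out = []
    for tlv_type, val in iter_tlvs(lldpdu):
        if tlv_type != 127 or len(val) != 8:       # org-specific, fixed size
            continue
        if val[:3] != TIA_OUI or val[3] != NETWORK_POLICY:
            continue
        bits = int.from_bytes(val[5:8], "big")     # U|T|X|VLAN(12)|prio(3)|DSCP(6)
        out.append({
            "application": APP_TYPES.get(val[4], val[4]),
            "unknown": bool(bits >> 23 & 1),
            "tagged": bool(bits >> 22 & 1),
            "vlan_id": bits >> 9 & 0xFFF,
            "priority": bits >> 6 & 0x7,
            "dscp": bits & 0x3F,
        })
    return out

# Constructed sample LLDPDU (not a real capture), using the values shown above.
SAMPLE = bytes.fromhex(
    "0206050100000000"      # Chassis ID: network-address 0.0.0.0
    "040703b4b0178db6a2"    # Port ID: mac-address b4 b0 17 8d b6 a2
    "06020078"              # TTL: 120 seconds
    "fe080012bb02014015ae"  # LLDP-MED Network Policy: voice, tagged, VLAN 10
    "0000"                  # End of LLDPDU
)

if __name__ == "__main__":
    for policy in med_network_policies(SAMPLE):
        print(policy)
```

A policy whose VLAN ID differs from the configured critical voice VLAN, or whose tagged flag is false, means the phone will not tag its traffic into the Critical Tagged-VLAN.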