Video Screencast Help

SNAC(LAN ENFORCER)Transparent mode with AVAYA not Switching VLAN

Created: 06 Sep 2012 • Updated: 06 Sep 2012 | 4 comments
Neol's picture

We scan solution integrates with Cisco 2960 and Avaya IP Phones 1608 and we are having problems because the Guest-PC can't switching to guest-vlan.

When we finish configured the policy of SNAC,and connected the switch directly.all the VLAN policy works well. but if the PCs connect through the IP phone port to the switch, it doesn't work. all the PCs go to the same vlan. 

SEPM settings:

Cisco 2960 port command:

dot1x port-control auto

switchport voice vlan 3

dot1x timeout quiet-period 30
dot1x timeout supp-timeout 4
dot1x guest-vlan 2
dot1x reauthentication
dot1x timeout tx-period 10
dot1x timeout server-timeout 40
dot1x violation-mode protect
dot1x control-direction in
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable

The cisco vlan  information

VLAN 1 is data vlan,vlan 2 is guest-vlan,vlan3 is voice vlan;

When the IP phone  connected to the Cisco switch(fa0/40), IP phone can quickly access IP address and normal work.then show vlan as flow:


When the IP phone  work normally, We take Office.PC connection in IP phone,Office PC will soon prompted the authentication is successful, the Vlan 1 IP address, show VLAN is as follows:

Then,take network cable to the Guest pc, but Guest PC acquired VLAN1 IP address, no switch to VLAN 2, show VLAN as follows:

If PC is directly connected to the switch, then the work is normal, office PC switch to VLAN 1, Guest PC switch to VLAN 2

what's cause this .please have us..thank you.

Discussion Filed Under:

Comments 4 CommentsJump to latest comment

Chuck Edson's picture

"If the PCs connect through the IP phone port to the switch, it doesn't work."

This is because either (or both) of the following:

1) The switch (if capable) needs to be configured to authenticate multiple hosts on one Ethernet port.  The Cisco command for this is "multi-domain".  See more information.

2) The phone is not passing the EAP packets to the laptop.  It has been a while, but if I am remembering correctly, there is a setting in the config of Avaya phones to allow the PC to be authenticated separately.  Check out the 802.1x section of the admin guide for the phone system.

If a post helps you, please mark it as the solution to your issue.

Neol's picture

Thank you for your reply

I added the  command:“dot1x host-mode multi-domain”
But IP phone could not get the IP address from DHCP Server.....
Chuck Edson's picture

Check the Enforcer Kernel.log in Engineer level debugging.  This will tell you what the Enforcer is seeing, and the decisions that it is making.

As a test, get the Environent working without the Enforcer in place.  Once you get it all working, then add the Enforcer.

If a post helps you, please mark it as the solution to your issue.

Sandara's picture

In transparent mode, the source and destination of SIP signaling messages is monitored actively and inspected for malicious VoIP traffic. Voipdito Virtual PBX.