I need to get 802.1x auth configured on all of our ICX 7150 switches, and am reading through the documentation trying to learn. I came across this in the Security Guide/Flexible Authentication section:
"Before authentication is enabled on a port, the port can belong to any VLAN, including the system default VLAN. The only restriction is that the port cannot be a part of any VLAN as untagged."
Am I understanding this correctly? No ports can have an untagged VLAN on them at all?
As it stands today, all ports on our "IDF" or "Access" switches (switches that provide the end users ports to plug into) are untagged on VLAN 1 and tagged on VLAN 333. VLAN 1 is what our main IP network is on... client machines, some servers, etc. VLAN 333 is used for our Mitel phone system and IP phone sets. So, if a Mitel IP phone is plugged into a port, it will get some DHCP options passed to it that will get it on the 333 VLAN (tagged), and the computer pass-through port on the back of the phone stays untagged on VLAN 1.
I am having a hard time understanding how this will work if we can't have VLAN 1 untagged on our ports?
Here is an example switch config currently:
ver 08.0.95bT213
!
stack unit 1
  module 1 icx7150-24p-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-4-sfp-plus-port-40g-module
  stack-port 1/3/1
  stack-port 1/3/3
!
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
 spanning-tree
!
vlan 25 name Honeywell by port
 tagged ethe 1/3/1 to 1/3/4
!
vlan 101 name NAC_Corp1_WLAN_101 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 106 name NAC_Warehouse_WLAN_106 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 107 name NAC_Employee_Phone_WLAN_07 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 108 name "Ruckus AP" by port
 tagged ethe 1/3/3
 untagged ethe 1/1/21
!
vlan 333 name "voip vlan" by port
 tagged ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24 ethe 1/3/1 to 1/3/4
!
!
!
!
!
!
!
!
!
aaa authentication login default local
enable aaa console
hostname "IDF EXP OFFICE"
ip dns server-address 18.104.22.168
ip route 0.0.0.0/0 22.214.171.124
!
telnet timeout 10
no telnet server
!
!
!
!
!
!
ntp server ntp.ruckuswireless.com
!
!
!
!
manager registrar
manager registrar-list 126.96.36.199 188.8.131.52
manager active-list 184.108.40.206 220.127.116.11
!
manager port-list 987
!
!
!
!
!
!
!
!
!
interface management 1
 disable
!
interface ve 1
 ip address 18.104.22.168 255.255.0.0
!
!
!
On ICX, a port can be untagged on any single VLAN and tagged on multiple VLANs. This is the rule of thumb. You can open a support case to have a quick call with support staff to clarify your questions as well.
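Before enabling flexible authentication, it helps to have a per-port list of exactly which VLANs each access port is untagged and tagged in, so the ports that the quoted Security Guide restriction applies to are visible rather than guessed. The script below is an added example written for this thread (it is not Ruckus code and not from the original posts). It parses the "vlan N ... by port" blocks in the FastIron config format shown above, expands "ethe a/b/c to a/b/d" ranges, and reports each port's explicit untagged VLAN plus its tagged VLANs. The VLAN section is re-typed inline as constructed sample input. One assumption is stated in the code: a port the config does not place untagged anywhere is reported as None, which on FastIron means it sits untagged in the default VLAN (VLAN 1 here), exactly as the question describes, so None does not make a port exempt from the quoted rule; it just tells you the membership is implicit rather than configured.

```python
import re
from collections import defaultdict

# Constructed sample: the VLAN section of the config posted in the question,
# re-typed here as text (not pulled from a live switch).
SAMPLE_VLAN_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
 spanning-tree
!
vlan 25 name Honeywell by port
 tagged ethe 1/3/1 to 1/3/4
!
vlan 101 name NAC_Corp1_WLAN_101 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 106 name NAC_Warehouse_WLAN_106 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 107 name NAC_Employee_Phone_WLAN_07 by port
 tagged ethe 1/1/1 to 1/1/24 ethe 1/3/1 to 1/3/4
!
vlan 108 name "Ruckus AP" by port
 tagged ethe 1/3/3
 untagged ethe 1/1/21
!
vlan 333 name "voip vlan" by port
 tagged ethe 1/1/1 to 1/1/20 ethe 1/1/22 to 1/1/24 ethe 1/3/1 to 1/3/4
!
"""

# Matches "ethe 1/1/1" or "ethe 1/1/1 to 1/1/24" (unit/slot/port triplets).
PORT_RE = re.compile(r"ethe\s+(\d+)/(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+)/(\d+))?")


def expand_ports(spec):
    """Expand a FastIron port list such as
    'tagged ethe 1/1/1 to 1/1/20 ethe 1/3/1 to 1/3/4' into port names.
    Assumes a range stays within one unit/slot, as ICX ranges do."""
    ports = []
    for m in PORT_RE.finditer(spec):
        unit, slot, first = int(m.group(1)), int(m.group(2)), int(m.group(3))
        last = int(m.group(6)) if m.group(6) else first
        ports.extend(f"{unit}/{slot}/{p}" for p in range(first, last + 1))
    return ports


def parse_vlans(text):
    """Return {vlan_id: {'tagged': set(ports), 'untagged': set(ports)}}
    from 'vlan N ... by port' blocks, each terminated by a lone '!'."""
    vlans = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"vlan\s+(\d+)\b", line)
        if m:
            current = int(m.group(1))
            vlans.setdefault(current, {"tagged": set(), "untagged": set()})
        elif line == "!":
            current = None
        elif current is not None and line.startswith("tagged "):
            vlans[current]["tagged"].update(expand_ports(line))
        elif current is not None and line.startswith("untagged "):
            vlans[current]["untagged"].update(expand_ports(line))
    return vlans


def port_view(vlans, ports):
    """Per-port membership: the VLAN the config explicitly makes the port
    untagged in (None = no explicit entry; on FastIron that port is then
    untagged in the default VLAN) and the sorted VLANs it is tagged in."""
    untagged = {p: None for p in ports}
    tagged = defaultdict(set)
    for vid, members in vlans.items():
        for p in members["untagged"]:
            if p in untagged:
                untagged[p] = vid
        for p in members["tagged"]:
            if p in untagged:
                tagged[p].add(vid)
    return {p: {"untagged": untagged[p], "tagged": sorted(tagged[p])} for p in ports}


def explicitly_untagged(view):
    """Ports the config places untagged in a specific VLAN by an explicit
    'untagged ethe ...' line. Ports reported None are still untagged in the
    default VLAN implicitly, so review those against the guide as well."""
    return {p: v["untagged"] for p, v in view.items() if v["untagged"] is not None}


if __name__ == "__main__":
    access_ports = expand_ports("ethe 1/1/1 to 1/1/24")
    view = port_view(parse_vlans(SAMPLE_VLAN_CONFIG), access_ports)
    for port, m in view.items():
        print(f"{port}: untagged={m['untagged']} tagged={m['tagged']}")
    print("explicitly untagged:", explicitly_untagged(view))
```

Run it against the pasted config and the one port that stands out is 1/1/21, which is explicitly untagged in VLAN 108 ("Ruckus AP") while every other access port has no explicit untagged line and therefore sits in VLAN 1 by default. Paste a "show running-config" VLAN section into SAMPLE_VLAN_CONFIG, or read it from a file, to audit a different switch.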