Meraki

Community

LACP and 802.1X

RaphaelL
Kind of a big deal
Kind of a big deal
‎Dec 17 2024 7:44 AM
‎Dec 17 2024 7:44 AM

LACP and 802.1X

Hi ,

 

I have never tried this setup.

 

Is it possible to have a device ( let's say a phone ) , connected to port X and port Y in the same switch/stack and have an Access Policy on these ports ? 

 

End goal is to have redundancy on a IP phone , lose one of the 2 connections and avoid the phone to re-do the full 802.1X auth on the other port and not losing the call. 

 

I couldn't find anything in the MS doc that says that 802.1X and LACP are not compatible , but I'm unsure... 

Labels:
0 Kudos
4 Replies 4
VivekT
Getting noticed
‎Dec 17 2024 8:14 AM
‎Dec 17 2024 8:14 AM

Hello,

 

802.1X and LACP are not natively compatible because LACP aggregates physical ports into a single logical link.

If you require redundancy for an IP phone while avoiding call drops,

 

consider:


Using MAC Authentication Bypass (MAB) on the redundant port.
Leveraging phones with built-in redundancy to switch internally between active links.
Exploring non-802.1X security measures like VLAN ACLs or port security.
Ultimately, achieving both 802.1X enforcement and seamless redundancy without call disruption may require trade-offs, as strict 802.1X is not designed for multi-port redundancy scenarios.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 17 2024 2:30 PM
‎Dec 17 2024 2:30 PM

I have never tried it either, but I doubt it would work.

 

Would using a WiFi enabled device be an option?  Then it can failover between different APs on different switches.

0 Kudos
In response to PhilipDAth
RaphaelL
Kind of a big deal
Kind of a big deal
‎Dec 17 2024 2:38 PM
‎Dec 17 2024 2:38 PM

Sadly no , the only option is wired. Those are "specials" IP phones for traders.

0 Kudos
In response to RaphaelL
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 17 2024 2:46 PM
‎Dec 17 2024 2:46 PM

Now I know we are talking about a higher acceptable price bracket ...

 

I have seen these passive Ethernet fail-over devices.  They have an Ethernet in, and two Ethernet's out.  The phone would plug into the "in".  The out's plug into separate switches.  As long as the device gets a link from out1, it uses that otherwise it passively fails over to out2.

 

I have never used such gear myself, but a quick Google found this option:

1+1 Ethernet Failover / Ethernet AB Fallback Equipment | Valiant

 

Personally if it was me, I think I would be tempted to look at something like a Cisco Catalyst C9404R.

Cisco Catalyst 9400 Series Switch Data Sheet - Cisco

It has dual supervisors, dual everything.  If you have a supervisor fail, the port automatically fails over to the standby supervisor.  It supports doing hitless upgrades.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.